You can't avoid them hitting your server unless your hosting company has optional blocking at another level. I've found the overhead is minimal from all this once all the blocking techniques are use, though I have had the equivalent of two DDOS attacks due to so many bots, Yandex and other stuff hitting me all at once. When that happened my server company used their security system to install a big list of IP numbers blocked in my root .htaccess. Took a few hours but it worked. After a year or so I deleted the block list as it was slowing down server response time by a few tenths of a second. Basically, this is what WordFence does, only they have a huge IP list they're able to keep current through their crowd sourcing.
Another thing I do is quite a bit of country IP blocking in an .htaccess file that's in my wp_admin folder. This doesn't affect site speed for visitors, but blocks zillons of bad guys at the server access level so they just get an error.
Turkey, Russian Federation, Brazil and Ukraine are good ones to block in .htaccess. I sometimes block China as well, but doing so results in thousands of lines added .htaccess and it gets a bit ridiculous.
BEYOND ALL THAT my understanding is that the best way to deal with these issues is to pay for top-end robust hosting that can handle data storms from bots/hackers, then just harden Wordpress without blocking anyone, and do good backups. Much less time involved, site runs faster, and you don't end up with false positives blocking legit readers. This gets expensive real quick.