As I've posted in other threads, I usually resort to using .htaccess to only allow access to wp-login.php from a few trusted IP addresses.
As for the xmlrpc.php attack, that's not a login attempt. It's more of a DDoS. Lots of hits from Google on the issue. For this you can:
1) If you need trackbacks and pingbacks enabled, then check your access logs for the user agent hitting xmlrpc. It's probably not a mainstream (or even valid) user agent, so you can block it via Wordfence's Advanced Blocking feature.
2) If you don't need trackbacks and pings, use .htaccess to deny access to xmlrpc.
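
For the log check in option 1, one way to tally which user agents and client IPs are hitting xmlrpc.php. This is an added example, not part of the original post; it assumes Apache's combined log format, and the sample lines and the `ExampleBot/0.1` agent are constructed.

```python
import re
from collections import Counter

# Assumed layout (Apache "combined"):
# ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>(?:[^"\\]|\\.)*)"'
)

def xmlrpc_hits(lines):
    """Count requests to xmlrpc.php per user agent and per client IP."""
    by_ua, by_ip = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed request line or a different log format
        # Ignore the query string and match the file name case-insensitively.
        path = m["path"].split("?", 1)[0].lower()
        if not path.endswith("/xmlrpc.php"):
            continue
        ua = m["ua"]
        by_ua["(none)" if ua in ("", "-") else ua] += 1
        by_ip[m["ip"]] += 1
    return by_ua, by_ip

# Constructed sample lines (documentation IP ranges, made-up agent name).
T = "[01/Jan/2024:06:25:01 +0000]"
SAMPLE = [
    f'203.0.113.7 - - {T} "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "ExampleBot/0.1"',
    f'203.0.113.7 - - {T} "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "ExampleBot/0.1"',
    f'203.0.113.9 - - {T} "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "ExampleBot/0.1"',
    f'198.51.100.23 - - {T} "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"',
    f'192.0.2.44 - - {T} "GET /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    f'192.0.2.44 - - {T} "GET /XMLRPC.php?rsd HTTP/1.1" 200 180 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    by_ua, by_ip = xmlrpc_hits(SAMPLE)
    for label, counts in (("User agents", by_ua), ("Client IPs", by_ip)):
        print(label)
        for value, n in counts.most_common(10):
            print(f"  {n:6d}  {value}")
```

To run it against a real log, pass an open file handle to `xmlrpc_hits` in place of `SAMPLE`.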