Recently noobs been going around attacking sites with xml-rpc. I know most hotels uses CloudFlare "I'm under attack" mode to stop the attack. That worked but it'll also slow down your site such as users/furnitures not loaded every few minutes because of the 5secs CloudFlare check. I'm wondering if theres any other way to stop the attack? I've tried IIS module Dynamic IP Restriction and using web.config to block the wordpress useragent but don't seem to work.
http://prntscr.com/4wbkrh
http://prntscr.com/4wbkrh