Defender not really helping against Brute Force Attacks

Hi,

I have Defender on all my sites and the settings are very tight as you can see here:
https://screencast.com/t/4ZutUp9uMum
https://screencast.com/t/kcTKh1u6Gg6
https://screencast.com/t/EbldtGyqUFG8

I also have xmlrpc.php requests blocked:
https://screencast.com/t/g03NL3wG

But my sites and server still get taken down:

Hello Justin,

I have blocked an IP address 142.54.161.10 which was attempting to brute force login to the following sites

702 learn-reiki-online.com
631 reiki-belgie.be
1011 reiki-leren.nl
355 reiki-southwest.uk
608 _wildcard_.reiki-cursus.nl
498 _wildcard_.reiki.earth
949 _wildcard_.reiki-southwest.uk
512 _wildcard_.yourreikipractice.com

The server load has now dropped from 14 to 1 and the sites are now online and responsive and the alert has cleared. As
with all Wordpress sites, I would recommend protecting the wp-login.php pages as described in the following document:
https://codex.wordpress.org/Brute_Force_Attacks. In particular, the section on limiting access via an .htaccess file to
certain IPs may be useful. Please let us know if you need any more information.

Kind Regards,

Tim

Do you recommend another plugin next to Defender or in the place of defender?

Thanks,
Justin