How to stop xmlrpc attacks without disabling component to allow JetPack to work in WordPress?

With a whitelist, you typically deny all first, then allow. Then just keep adding Allow entries as needed. Try this:

<Files xmlrpc.php>
Order Deny,Allow
Deny from all
Allow from 122.248.245.244/32
Allow from 54.217.201.243/32
Allow from 54.232.116.4/32
Allow from 192.0.80.0/20
Allow from 192.0.96.0/20
Allow from 192.0.112.0/20
Allow from 195.234.108.0/22
Satisfy All
ErrorDocument 403 http://127.0.0.1/
</Files>

Note: Those last few IPs from the list in your question are covered by the preceding CIDR range, 192.0.96.0/20, so I omitted them.

You can get up-to-date details on the specific IP addresses to whitelist for various Jetpack services here: https://jetpack.com/support/hosting-faq/.

Personally I use fail2ban. That method has the advantage of preventing sketchy IPs from making any further type of requests to your server, either permanently or for a period of time according your settings. You might just need to review your fail2ban settings and reconfigure them to be tighter. It could possibly be related to this issue.

It’s also worth noting that Automattic offers free support for all Jetpack users. (Full disclosure: I work there. 🙂)

Related Posts:

  1. Can I disable xml-rpc by setting it to false?
  2. What security concerns should I have when setting FS_METHOD to “direct” in wp-config?
  3. What Are Security Best Practices for WordPress Plugins and Themes? [closed]
  4. I found this in a plugin. What does it do? is it dangerous?
  5. Disabled plugins are they security holes – rumor or reality?
  6. What could a hacker do with my wp-config.php
  7. How to run Jetpack from localhost? [closed]
  8. Why “Contact Form 7” doesn’t update PHPmailer library?
  9. Does WordPress contain “default” anti-SQL injection code that responds with a 404 error?
  10. What does a security risk in a plugin look like?
  11. X-Pingback and XMLRPC
  12. WordPress Capabilities: edit_user vs edit_users
  13. Should we use plugins that aren’t available from the official WordPress site?
  14. Jetpack plugin (ShareDaddy): Prevent share buttons showing on custom post types?
  15. Why allow overriding crucial pluggable functions wp_verify_nonce and wp_create_nonce?
  16. Should I install plugins to my WordPress installation from web sites having in URL “nulled” or, “null”?
  17. Disabled plugins are security holes – rumor or reality?
  18. Should I use RIPS tool to test my themes and plugins?
  19. Prevent Brute Force Attack
  20. How many security plugins are too many? [closed]
  21. Will WordPress username displayed somewhere in the site?
  22. Upgrading WordPress 4.0 asks for FTP password
  23. How Restrict access to admin dashboard by specific static ip?
  24. When is it useful to use wp_verify_nonce
  25. Protecting against malicious code in WordPress plugin updates
  26. How to limit WordPress pages during updates?
  27. rms_unique_wp_mu_pl_fl_nm.php
  28. Weird problems after recovery from security breach
  29. How can we deal with unmaintained plugins with vulnerabilities?
  30. Security issues with WP sites
  31. Security checking in meta_box save is reluctant?
  32. Escape when echoed
  33. Preventing BFA in WordPress without using a plugin
  34. How to activate plugins for my WordPress sites from a remote server
  35. How can I make uploaded images in the editor load with HTTPS?
  36. How To Clean The Malware Infected & Hacked WordPress Websites? [duplicate]
  37. The safest way to automate WordPress backups
  38. wp_create_nonce function doesn’t work inside a plugin?
  39. Does WordPress validate inputs to all functions? (such as get_user_meta and insert_user_meta)
  40. Headers Content-Security-Policy CSP Major Issue
  41. Nonce failing on form submission
  42. How to block XML-RPC attack?
  43. Why can’t I access my Intranet LDAPS with NADI?
  44. Hack-Proof OR Security in WordPress — is it real?
  45. Redirect to another page using contact form 7? [closed]
  46. I should enable automatic updates?
  47. Can some vulnerabilities in plugins be exploited even when the plugin is inactive?
  48. Is Timthumb still broken? What security measures should be taken?
  49. Prevent direct access to WordPress plugin assets?
  50. Specific way to allow WordPress users to view their current password? And edit it?
  51. Is it possible to remove subscription box from Jetpack stats page? [closed]
  52. Cropping images from top center using Jetpack Photon
  53. Too many login attempts
  54. Is there any pre-existing plugin to track and block IPs with suspicious activity on my site?
  55. How to prevent plugins from sniffing/stealing other plugins’ options?
  56. Website show Google Ads when we have no Google Ads linked to our website
  57. Custom API plugin to execute 3rd party API to retrieve data
  58. How to deal with Slow HTTP POST (slowloris) vulnerability
  59. Running multiple security plugins
  60. how do I secure my WP website from hackers? [closed]
  61. Chrome Dev Tools console says every page in my blog has link to http://maps.google.com [closed]
  62. Webservice credential storage [duplicate]
  63. Regarding plugin security
  64. If I use an alternative login (e.g. CAS or other SSO) plugin, is my site protected from the recent brute force login attempts?
  65. Is this plugin safe to run?
  66. Facebook and Twitter share buttons not working [closed]
  67. Why may one avoid Jetpack plugin? [closed]
  68. Jetpack: Subscribe via e-mail [closed]
  69. Is the Block Bad Queries Plugin Still Relevant?
  70. WP Insert Post If user refreshes override new post
  71. Hide plugins and theme from public
  72. WordPress search shows protected content
  73. Security of a WordPress Plugin
  74. Show views count for pop up post
  75. Content-Security-Policy implementation with WordPress W3Total Cache plugin installed
  76. Avoid duplicate posts with xml rpc
  77. prevent anonymous access to WordPress site (non-admin site)
  78. Bing/msn bots is heavily requesting random of my website
  79. “Fire Secure” menu item
  80. Securing a plugin pop-up window
  81. https rewrite not working for All in one security Brute force > rename login url
  82. How can I disable Jetpack plugin on mobile?
  83. Fetching WP.me shortlinks for posts using WP Rest API
  84. How do plugin updates work?
  85. How can i see/log all requests coming from a registration form (not from the UI)?
  86. Write mysql credentials in plugin
  87. Site is continuously accessing by several IPs
  88. Modifying WordPress XML-RPC Built-Ins
  89. using .htaccess only for wordpress security no plugins
  90. SWF in wordpress post
  91. Unwanted Links and Spam WordPress Pages and Posts
  92. File permissions for wp-minify plugin
  93. I’ve installed Jetpack but can’t edit the CSS to my blog?
  94. What is the recommended way to be notified of security updates to my plugins? [closed]
  95. Questions about using Disqus or Jetpack for comments [closed]
  96. How I can hide my wp folders from Inspect Element (Developer Tools)
  97. How to Find WordPress site has backdoor login Codes
  98. How to delete Password Protected posts cookies when a user logged out from the site
  99. How to rename files during upload to a random string?
  100. Stop the user if login from the cookies