Multiple attempted logins originating from the server IP itself?

Well it took a while, but I figured out what was happening here, and the upshot is: no good deed goes unpunished.

  • When setting up my server, I enabled IPv6 because I want to be a good internet citizen and help our collective migration to IPv6
  • I chose easyengine to manage my WP sites, which uses nicely isolated docker containers for each web site
  • Easyengine sets up an nginx reverse proxy container that passes off all requests to the appropriate site/container
  • The problem with the reverse proxy setup is that if the originating request is from an IPv6 address, the proxy will change that address to a local IPv4 IP before passing it along to the container website.

What this means is that any WordPress hacker sending commands, bad login attempts, or what have you from an IPv6 address will not be blocked by any security software (such as Wordfence), because it sees a LOCAL IP and therefore will not block it.

And enabling IPv6 support on the ee docker containers is far from straightforward; I have not been able to do it yet. So, for now anyway, I have disabled IPv6 on the server to stop these attacks. I will come back here with more info when/if I find a simple(ish) way to enable an IPv6 reverse proxy on docker containers running on easyengine.

I should note here that as a test, I set up a small server using a single apache site and no proxy and everything read and worked as expected with IPv6 addressing and blocking. But I have to manage several sites and I really like easyengine’s management tools and docker isolation (in theory), so that was why I made that choice. Hope all this helps someone else.
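As an added example (my own, not easyengine, Wordfence or the poster's code), here is a small Python audit for the symptom described above: POST requests to the login and XML-RPC endpoints whose client address is a Docker bridge or loopback address instead of a real client, plus a check of whether the real address is still recoverable from X-Forwarded-For. The log format (nginx "combined" with the X-Forwarded-For header appended as a last quoted field), the local address ranges and the sample log lines are all assumptions constructed for the example.

```python
"""Audit nginx access logs for login attempts whose client address has been
replaced by a local (Docker bridge / loopback) address somewhere in the proxy
chain.  Added example; not easyengine or Wordfence code.  The log format and
the sample lines below are constructed for illustration."""
import ipaddress
import re
from collections import Counter

# Assumption: nginx "combined" format with "$http_x_forwarded_for" appended as
# a final quoted field.  Lines without that trailing field still parse.
LOG_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"(?: "(?P<xff>[^"]*)")?$'
)

# Ranges that can only mean "this host" when they show up as a client address
# behind the proxy: RFC 1918 (Docker bridge networks default to 172.16/12 and
# 10/8), loopback, link-local and IPv6 ULA.  Listed explicitly rather than via
# ipaddress.is_private so that documentation ranges used in the sample are not
# misclassified.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fe80::/10", "fc00::/7",
)]

# Endpoints where a POST is a credential or RPC attempt worth attributing.
AUTH_ENDPOINTS = {"/wp-login.php", "/xmlrpc.php"}


def is_local(addr: str) -> bool:
    """True if addr lies in a range that denotes the host itself, not a client."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)


def parse_line(line: str):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def effective_client(entry: dict) -> tuple:
    """Decide which address to attribute the request to.

    Returns (address, source), where source is:
      "direct"    - remote address is a real client address
      "recovered" - remote address is local; client taken from X-Forwarded-For
      "masked"    - remote address is local and nothing better is available,
                    which is exactly what a plugin like Wordfence would see
    """
    remote = entry["remote"]
    if not is_local(remote):
        return remote, "direct"
    xff = (entry.get("xff") or "").strip()
    # X-Forwarded-For is "client, proxy1, proxy2"; the first hop is the client.
    first = xff.split(",")[0].strip() if xff and xff != "-" else ""
    if first and not is_local(first):
        return first, "recovered"
    return remote, "masked"


def audit(log_text: str) -> dict:
    """Count login/RPC POSTs per attributed client and how many were masked."""
    attempts = Counter()
    outcome = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e or e["method"] != "POST":
            continue
        if e["path"].split("?")[0] not in AUTH_ENDPOINTS:
            continue
        client, source = effective_client(e)
        attempts[client] += 1
        outcome[source] += 1
    return {"attempts": attempts, "masked": outcome["masked"],
            "recovered": outcome["recovered"], "direct": outcome["direct"]}


# Constructed sample traffic: one direct IPv4 attacker, two attempts that reach
# the container as the Docker bridge gateway with no usable header (masked),
# one where the header still carries the IPv6 client, and a harmless GET.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3201 "-" "Mozilla/5.0" "-"
172.18.0.1 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3201 "-" "python-requests/2.31" "-"
172.18.0.1 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3201 "-" "python-requests/2.31" "-"
172.18.0.1 - - [10/Oct/2023:13:55:42 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31" "2001:db8::1234"
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3201 "-" "Mozilla/5.0" "-"
"""

if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    print(f"masked={result['masked']} recovered={result['recovered']} "
          f"direct={result['direct']}")
    for client, n in result["attempts"].most_common():
        print(f"{n:4d}  {client}{'  <- local, attribution lost' if is_local(client) else ''}")
```

Run it against the site container's real access log with `audit(open(path).read())`. A non-zero `masked` count is the condition the post describes: the attempts are attributed to a bridge or loopback address, so any IP-based blocking inside the container has nothing real to block. A non-zero `recovered` count means the header still carries a client address that a plugin could be told to trust; if the address is already rewritten before it reaches nginx, as the post's setup appears to do, the header will carry the local address too and those attempts stay in `masked`.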