It would be great if there was a customisable global rule that you could use across all websites in your account that stopped the DDOS and Wordpress security flaws.
Requests such as:
xmlrpc.php
wp-trackback.php
wlwmanifest.xml
Which are almost never used, but WP insist on including in every single update
And there are ample ways to disable any WordPress features you don’t need… but the WordPress support forums would be the best place to discuss such: https://wordpress.org/support/forums/