Frequently getting attacks on admin-ajax.php, wp-cron.php, xmlrpc.php and wp-login.php

I am running more than 500 WordPress website in my shared server, Frequently I am getting attacks on admin-ajax.php, wp-cron.php, xmlrpc.php and wp-login.php files. Due to that our server load is getting more than 100.

Is there is any way to avoid the spamming request to this respective file.

Currently I am blocking those file in .htaccess, Apart of from this I need any alternative solution.