There's some basic information here you can try:
1st things first: protect your WordPress install against brute force at the very basic level:
Brute Force Attacks « WordPress Codex
2nd, unless you use it, just delete xmlrpc.php OR restrict access to it (see point #1 above to see how to restrict access to specific files).
3rd, have your sysadmin add a tool such as fail2ban, which will count failed access attempts and just block them in a "jail" inside your server's Linux firewall, and auto-expire them. It will require some tweaking, but it's really effective.
4th, you can visit the Blocklist site below and download the IP lists of the reported bad IPs in a specific timeframe. These are IPs that were flagged and banned from various fail2ban installations, including everything from brute force WordPress attempts to brute force SSH attempts.
http://www.blocklist.de/en/export.html
There are certainly other options, but the above should give you a good starting point, and certainly should be something your sysadmin can implement for you. If not, get a new host.
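
One way to set up the fail2ban jail from the 3rd point, as an added example that is not part of the original post. The filter name `wordpress-auth`, the log path, the thresholds, and a WordPress install at the web root with a combined-format access log are all assumptions to adapt to your server.

```ini
# --- File 1: /etc/fail2ban/filter.d/wordpress-auth.conf ---
# (filter name is an assumption; any name works if the jail refers to it)
[Definition]
# Count every POST to the login form or to xmlrpc.php.
# A failed WordPress login answers 200 and a successful one 302, so
# legitimate users add one hit per login; keep maxretry above that.
failregex = ^<HOST> .*"POST /(?:wp-login|xmlrpc)\.php
ignoreregex =

# --- File 2: /etc/fail2ban/jail.local ---
[wordpress-auth]
enabled  = true
port     = http,https
filter   = wordpress-auth
# Assumed log location; point this at your web server's access log.
logpath  = /var/log/nginx/access.log
# Ban after 5 matching requests within 10 minutes ...
maxretry = 5
findtime = 600
# ... and expire the ban automatically after 1 hour.
bantime  = 3600
```

Before enabling the jail, check the filter against real traffic with `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/wordpress-auth.conf`, then watch it with `fail2ban-client status wordpress-auth`.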