Disable XML-RPC in WordPress
WordPress XML-RPC can be used to try several thousand passwords in a short time – great for hackers using brute force attacks. To avoid this, you can disable XML-RPC by adding this line of code to your WordPress installation:
add_filter( 'xmlrpc_enabled', '__return_false' );
This line does not disable XML-RPC completely – but it disables all XML-RPC calls that require user authentication. That way, XML-RPC cannot be used for password validation.
Another way is to block xmlrpc.php at the web server level by adding this to your .htaccess:
# Block xmlrpc.php requests
<Files xmlrpc.php>
    order deny,allow
    deny from all
</Files>
That way, WordPress does not have to handle the requests, because they are blocked at the web server level.
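
To confirm that the .htaccess rule is taking effect, and to see which clients have been sending login attempts through xmlrpc.php, the access log can be summarised per client. This is an added example, not code from the original post; it assumes Apache's combined log format, and the log lines, IP addresses and threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format: client, identity, user, [time], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation-range IPs), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"',
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"',
    '203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"',
    '203.0.113.7 - - [10/Mar/2024:11:30:00 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "-"',
    '203.0.113.7 - - [10/Mar/2024:11:30:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.20 - - [10/Mar/2024:11:31:00 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "-"',
    '198.51.100.20 - - [10/Mar/2024:11:31:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "-"',
    '198.51.100.20 - - [10/Mar/2024:11:31:09 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "-"',
]

def summarize_xmlrpc(lines, threshold=3):
    """Count POSTs to xmlrpc.php per client and split them by outcome.

    Returns {ip: {"total": n, "blocked": n, "handled": n}} for clients with
    at least `threshold` POSTs. The default threshold is an assumed value.
    """
    stats = defaultdict(lambda: {"total": 0, "blocked": 0, "handled": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # skip unparseable lines and non-POST requests
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if not path.lower().endswith("/xmlrpc.php"):
            continue
        entry = stats[m["ip"]]
        entry["total"] += 1
        # 403 means the web server refused the request before PHP ran;
        # any other status means the deny rule did not stop it.
        entry["blocked" if m["status"] == "403" else "handled"] += 1
    return {ip: s for ip, s in stats.items() if s["total"] >= threshold}

if __name__ == "__main__":
    for ip, s in summarize_xmlrpc(SAMPLE_LOG).items():
        print(f"{ip}: {s['total']} POSTs, {s['blocked']} blocked, {s['handled']} handled")
```

Once the .htaccess block is in place, new entries should appear only in the "blocked" count; a growing "handled" count means requests are still reaching WordPress.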