XML-RPC Disable

Disable all WordPress XML-RPC calls to protect against brute-force attacks that exploit it.

XML-RPC attacks are one of the most common types of attacks on WordPress. These attacks are carried out by automated botnets with the goal of either breaking into your website or DDoSing it by using up too many server resources. If the attackers do manage to take over your website, they can potentially use it as part of the botnet to distribute malware and spam and to DDoS other websites. Security experts recommend blocking all access to xmlrpc.php when possible by disabling it or deleting it.

Simply activate XML-RPC Disable and you're protected!

Note: If you are using Jetpack or other plugins that require XML-RPC and can’t block the file, it is recommended to use a WAF such as Cloudflare and block any request methods that require authentication and that you are not using. Commonly exploited authentication requests include: system.multicall, wp.getCategories, wp.getUsersBlogs, wp.newPost, wp.editPost, wp.deletePost, wp.getPost.
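
The method filtering described in the note above can be sketched as follows. This is an added example, not code from the plugin or from Cloudflare: the function names are hypothetical and the request bodies are constructed samples. It also inspects the calls wrapped inside system.multicall, so a site that must leave multicall enabled can still block the other listed methods.

```python
import xml.etree.ElementTree as ET

# Methods the page lists as commonly exploited authentication requests.
BLOCKED = frozenset({
    "system.multicall", "wp.getCategories", "wp.getUsersBlogs",
    "wp.newPost", "wp.editPost", "wp.deletePost", "wp.getPost",
})

def called_methods(body: bytes) -> list:
    """Return every method name an XML-RPC request body would invoke."""
    # XML-RPC needs no DTD; refuse one rather than expand entities.
    # (Byte check assumes an ASCII-compatible encoding such as UTF-8.)
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        raise ValueError("DTD not allowed in XML-RPC request")
    root = ET.fromstring(body)
    names = [(root.findtext("methodName") or "").strip()]
    # system.multicall carries more calls as structs with a "methodName" member.
    for member in root.iter("member"):
        if (member.findtext("name") or "").strip() == "methodName":
            value = member.find("value")
            names.append("".join(value.itertext()).strip() if value is not None else "")
    return names

def should_block(body: bytes, blocked=BLOCKED) -> bool:
    """Fail closed: block unparseable bodies, empty names and listed methods."""
    try:
        names = called_methods(body)
    except (ValueError, ET.ParseError):
        return True
    return any(n == "" or n in blocked for n in names)

# Constructed sample request bodies; the credentials are placeholders.
SINGLE = (b"<?xml version='1.0'?><methodCall><methodName>wp.getUsersBlogs</methodName>"
          b"<params><param><value>user</value></param>"
          b"<param><value>pass</value></param></params></methodCall>")
MULTI = (b"<methodCall><methodName>system.multicall</methodName><params><param><value>"
         b"<array><data><value><struct>"
         b"<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>"
         b"<member><name>params</name><value><array><data/></array></value></member>"
         b"</struct></value></data></array></value></param></params></methodCall>")
HARMLESS = b"<methodCall><methodName>demo.sayHello</methodName><params/></methodCall>"

if __name__ == "__main__":
    for label, body in (("single", SINGLE), ("multicall", MULTI), ("harmless", HARMLESS)):
        print(label, called_methods(body), "block" if should_block(body) else "allow")
```

Passing a smaller set as `blocked` models a site that needs some of the listed methods; a struct member that merely happens to be named methodName inside a call's parameters is also matched, which errs on the side of blocking.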