The WordPress xmlrpc.php endpoint can be misused as en endpoint for brute force attacks. 

If you do not use xmlrpc.php for any integrations, you might as well disable it completely. Adding these lines to your .htaccess file will disallow access to the enpoint for everyone.

Edit your public/.htaccess file and add

<Files xmlrpc.php>
  Require all denied

Note that xmlrpc is required by some plugins, like Jetpack.

Did this answer your question?