On a blog network I ran for a few years, I spent a lot of time hardening my xmlrpc. I started by adding a required parameter to every call, and if that parameter didn't exist, it would redirect you to a static HTML page. When that was eventually DDoS-ed (all the sites are on the same giant server), I added the location /xmlrpc.php to the nginx server config that blocked it for anyone not coming through my proxy server.
WordPress 4.7, due in a couple of weeks, includes a brand new REST API which means we can finally start removing some uses of XML-RPC and maybe even someday disable it.
One of the major issues with XML-RPC functionality in WP is that it's enabled by default and opens up a wide target for brute force attacks[1]. I'm assuming this will not change with their REST API. Let's face it, how many WP sites out there really need POST/PUT/DELETE endpoints to be enabled for their family blog?
The first two things I do when I install a new WordPress server are to add this to `.htaccess`:
Otherwise you will have a very easy DDoS vector that can bring your website down, immediately after some bot finds out this file exists on your host.
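The nginx approach described earlier in the thread (a `location /xmlrpc.php` block that refuses everyone except the operator's own proxy), written out as an added example. This is not any commenter's configuration: the proxy address `203.0.113.10`, the document root, the server name and the PHP-FPM socket path are placeholders you would replace with your own values.

```nginx
# Added example, not from the thread. Assumes the only legitimate client of
# xmlrpc.php is a proxy host at the placeholder address 203.0.113.10.
server {
    listen 80;
    server_name example.com;            # placeholder
    root /var/www/wordpress;            # placeholder
    index index.php;

    # An exact-match location (=) is chosen before the regex "~ \.php$"
    # block below, so XML-RPC requests are decided here and never reach
    # PHP-FPM unless they come from the allowed proxy.
    location = /xmlrpc.php {
        allow 203.0.113.10;             # the proxy that still needs XML-RPC
        deny  all;                      # everyone else: cheap 403 from nginx
        # If nothing needs XML-RPC at all, replace allow/deny with:
        #     return 403;

        # Separate log so brute-force attempts against this endpoint are
        # easy to count and alert on.
        access_log /var/log/nginx/xmlrpc.log;

        # Requests from the allowed proxy still have to run PHP.
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket path
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket path
    }
}
```

Two caveats worth checking before relying on this. First, `allow`/`deny` evaluate the address nginx actually sees on the TCP connection, so if a CDN or load balancer sits in front of this server the allowlist must be built with the realip module (`set_real_ip_from` and `real_ip_header`) rather than on the edge's address alone. Second, a denied request is still a request nginx has to answer; the win over the PHP-level check from the first comment is that the 403 costs a few microseconds of nginx time instead of a full PHP-FPM worker, which is what turns the flood from an outage into a log file. On Apache the same effect comes from a `<Files "xmlrpc.php">` block with `Require all denied` (or `Require ip` for the proxy address) in `.htaccess`.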