On a blog network I ran for a few years, I spent a lot of time hardening my xmlrpc. I started by adding a required parameter to every call, and if that parameter didn't exist, it would redirect you to a static HTML page. When that was eventually DDoS-ed (all the sites are on the same giant server), I added the location /xmlrpc.php to the nginx server config that blocked it for anyone not coming through my proxy server.