XML-RPC is a remote procedure call protocol. As the name implies, it uses XML (Extensible Markup Language) to encode the calls that are made via HTTP.
In WordPress, XML-RPC support is enabled by default and is used to allow users to post blog posts via Weblog Clients. Read more about the WordPress XML-RPC feature on the codex page. WordPress handles these calls in the xmlrpc.php file, located at the root of the installation.
During a WordPress XML-RPC attack, the attacker tries to log into the installation by brute force, using lists or random usernames and passwords. The attacker generates a large number of requests to xmlrpc.php, which can easily increase the server load. Often a huge number of IPs (from already compromised websites/PCs) is used to launch such attacks, so blocking IPs is not a viable solution.
As an end-user, you have two ways to block access to the xmlrpc.php file: you can search for a plugin at https://wordpress.org/plugins/tags/xmlrpc/ or you can simply block access by adding a rule to the .htaccess file.
Steps to block XML-RPC attacks with .htaccess:
1. Log into your web hosting control panel (cPanel/DirectAdmin/Plesk) or your FTP account.
2. Edit the WordPress .htaccess file. Add the following lines at the top:
<Files "xmlrpc.php">
Require all denied
</Files>
Now, any request to the xmlrpc.php file, regardless of the source IP, will be blocked. The server will return an HTTP 403 response:
Forbidden
You don't have permission to access this resource.
To test if the block is working, just access https://yourdomain.com/xmlrpc.php
If you have a VPS or a dedicated server with many websites, you can block XML-RPC access by adding the above code to the /home/.htaccess file.
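To see in your own logs both why per-IP blocking falls short and whether the rule is taking effect, the following added example (not part of the original article) summarises xmlrpc.php requests in an Apache access log. It assumes the "combined" log format; the sample lines, the function name summarize_xmlrpc and the field names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in Apache "combined" log format (not real traffic).
# The last three xmlrpc.php requests were logged after the deny rule was added.
SAMPLE_LOG = '''\
203.0.113.10 - - [12/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
203.0.113.11 - - [12/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
198.51.100.7 - - [12/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
198.51.100.8 - - [12/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php?rsd HTTP/1.1" 200 674 "-" "-"
192.0.2.44 - - [12/Mar/2024:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
203.0.113.10 - - [12/Mar/2024:10:05:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "-"
192.0.2.99 - - [12/Mar/2024:10:05:02 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "-"
198.51.100.7 - - [12/Mar/2024:10:05:03 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 403 199 "-" "-"
'''

# client IP, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def summarize_xmlrpc(log_text):
    """Summarise requests to xmlrpc.php found in an access log."""
    per_ip, statuses = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, target, status = m.groups()
        # Ignore the query string; match installs in subdirectories too.
        if not target.split("?", 1)[0].endswith("/xmlrpc.php"):
            continue
        per_ip[ip] += 1
        statuses[int(status)] += 1
    total = sum(per_ip.values())
    return {
        "total": total,
        "distinct_ips": len(per_ip),
        # A low per-IP maximum with a high total means the load is spread
        # over many sources, so blocking single IPs will not help.
        "busiest_ip_hits": max(per_ip.values(), default=0),
        "statuses": dict(statuses),
        # Anything other than 403 was not stopped by the <Files> rule.
        "not_blocked": total - statuses[403],
    }

if __name__ == "__main__":
    print(summarize_xmlrpc(SAMPLE_LOG))
```

Run it against a log slice taken after the rule was added: not_blocked should be 0 once every xmlrpc.php request is answered with 403.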
Resources:
Wikipedia XML-RPC
WordPress XML-RPC codex
Apache access control directives