Hi @randomuser101, thanks for reaching out.
You could try out the setting to disable XML-RPC authentication by checking the “Disable XML-RPC authentication” box in Wordfence > Login Security > Settings to prevent authentication attempts being POSTed through that file. This may go a long way towards what you’d like to achieve.
However, manual attempts to access the XML-RPC file itself are commonly tried by attackers. As a blocking scheme to allow pingbacks would be IP-based but the origins would effectively be random, as you never know in advance who’ll link to your posts, there may be no bulletproof way of blocking malicious origins but allowing “anybody else” in.
If you did want to add a total blanket block, you could also add the following code to your .htaccess file if you are certain no plugins you use (such as Jetpack or the WordPress app) require access:
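# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>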
Thanks,
Peter.
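An added example, not part of the reply above and not Wordfence code: one way to confirm from the web server's access log that a blanket block on xmlrpc.php is in effect, by listing requests to that file that were answered with anything other than 403. It assumes the Apache "combined" log format; the function names are hypothetical and the log lines are constructed samples.

```python
import re
from collections import Counter

# Apache "combined" log format (assumed); only the needed fields are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines using documentation-range IPs, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/8.0"
198.51.100.4 - - [10/Mar/2024:10:00:05 +0000] "POST //xmlrpc.php?rsd HTTP/1.1" 200 413 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:10:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:10:00:11 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"
"""


def is_xmlrpc(path):
    """True if any segment of the request path (query ignored) is xmlrpc.php."""
    return "xmlrpc.php" in path.split("?", 1)[0].split("/")


def summarize(log_text):
    """Return (hits per (ip, status), subset of hits not denied with 403)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_xmlrpc(m["path"]):
            hits[(m["ip"], int(m["status"]))] += 1
    # Any status other than 403 means the request got past the Files block.
    not_blocked = {key: n for key, n in hits.items() if key[1] != 403}
    return hits, not_blocked


if __name__ == "__main__":
    hits, not_blocked = summarize(SAMPLE_LOG)
    for (ip, status), n in sorted(hits.items()):
        flag = "" if status == 403 else "  <-- not blocked"
        print(f"{ip:15} {status} x{n}{flag}")
```

If the second value returned by `summarize` is empty for the period after the rule was deployed, every logged request to xmlrpc.php was denied.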