Some other sites are seeing the same. We do have a feature request in our system to block XMLRPC login attempts, which will likely be included in a future release.
If you don’t use XMLRPC for the WordPress app (or other blog software), and don’t use pingbacks, you can disable XMLRPC completely, if you would like. I’ve used this plugin before — it hasn’t had an update since February, but it’s literally one line of actual code and works correctly in WP 4.3:
https://ww.wp.xz.cn/plugins/disable-xml-rpc/
If you don’t use XMLRPC for the WordPress app (or other blog software), and don’t use pingbacks, you can disable XMLRPC completely, if you would like.
I do not claim to understand much of this, but here is some related code I have found:
// from http://www.deluxeblogtips.com/2013/08/disable-xml-rpc-wordpress.html
// Disable XML-RPC and remove header link, including Pingback
// This will prevent these files from being linked at the header,
// but the files themselves will remain available on your server.
// Be sure remote publishing is disabled if you implement this method.
// You can still receive pingbacks and trackbacks with remote-access
// disabled since the file will still be available on your server.
add_filter( 'xmlrpc_enabled', '__return_false' );
// Hide xmlrpc.php in HTTP response headers
add_filter( 'wp_headers', 'yourprefix_remove_x_pingback' );
function yourprefix_remove_x_pingback( $headers )
{ unset( $headers['X-Pingback'] ); return $headers; }
// Remove xmlrpc.php and wlwmanifest.xml header links
function removeHeadLinks() {
remove_action('wp_head', 'rsd_link');
remove_action('wp_head', 'wlwmanifest_link'); }
add_action('init', 'removeHeadLinks');
