XML-RPC for WordPress was designed to enable remote connections between your site and external applications.

WHY SHOULD I DISABLE XML-RPC?

There are security risks associated with leaving XML-RPC enabled. These can include brute force attacks and DDoS attacks.

There are two ways to disable it.
1. Custom code in functions.php
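// Disable the XML-RPC methods that require authentication.
add_filter('xmlrpc_enabled', '__return_false');
// Strip the X-Pingback header from responses.
add_filter('wp_headers', 'removeXPingback');
// Report pings as closed on every post.
add_filter('pings_open', '__return_false', 9999);

function removeXPingback($headers) {
    unset($headers['X-Pingback'], $headers['x-pingback']);
    return $headers;
}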
2. .htaccess
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
</Files>
You can replace xxx.xxx.xxx.xxx with an IP address you wish to give access to xmlrpc.php. If you wish to remove access completely, you can simply remove the allow line.
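To confirm the .htaccess rule is taking effect, you can check the access log for POSTs to xmlrpc.php: denied requests show status 403, anything else reached WordPress. The script below is an added example, not part of the original post; it assumes Apache's "combined" log format, and the function name, threshold, and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: Apache "combined" log format (client IP, timestamp, request, status).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def xmlrpc_report(lines, allowed_ips=(), burst_threshold=3):
    """Count POSTs to xmlrpc.php per client IP; 403 means the deny rule fired."""
    stats = defaultdict(lambda: {"blocked": 0, "reached": 0, "flag": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Ignore the query string; match xmlrpc.php in any subdirectory.
        if not m["path"].split("?", 1)[0].endswith("/xmlrpc.php"):
            continue
        key = "blocked" if m["status"] == "403" else "reached"
        stats[m["ip"]][key] += 1

    for ip, s in stats.items():
        if s["reached"] and ip not in allowed_ips:
            s["flag"] = "rule-bypassed"   # request got past the deny rule
        elif s["blocked"] >= burst_threshold:
            s["flag"] = "blocked-burst"   # repeated attempts, all denied
    return dict(stats)

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2024:13:55:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "-"',
    '203.0.113.7 - - [10/Oct/2024:13:55:02 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "-"',
    '203.0.113.7 - - [10/Oct/2024:13:55:03 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.23 - - [10/Oct/2024:13:56:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"',
    '192.0.2.10 - - [10/Oct/2024:13:57:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 380 "-" "-"',
    '198.51.100.50 - - [10/Oct/2024:13:58:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    report = xmlrpc_report(SAMPLE_LOG, allowed_ips={"192.0.2.10"})
    for ip, s in sorted(report.items()):
        print(ip, s)
```

Pass the same IP you put on the allow line as allowed_ips; any other address flagged "rule-bypassed" means the rule is not being applied to xmlrpc.php.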