Recently there have been more XML RPC attacks that are sophisticated ways to brute force get your password without using the wp-login or registration form. You can read all about it at Succuri’s Blog here.
How does it work
Basically they use the system.multicall to put hundreds of username password attacks in one HTTP request thanks to the built-in XML RPC access for external blogging using a editor elsewhere or loading of external data. This is a huge deal and I am looking into all sites I work with to decide what I can do to eradicate this type of attacks.
Fully Block / Disable XML RPC
To solve this problem you can either add a full block using a plugin to disable xml rpc or add this code to .haccess.
deny from all
Do understand that if you have any plugin like Jetpack depending on XML RPC they will cease to function properly so tread carefully!
Functions.php XML RPC Method Filter
A more subtle method is adding this PHP code to your child theme’s functions file:
Still some of the plugins you use might depend on some of these methods. So good to get in touch with the plugin authors to find out.
If the site in question is already running WordFence you do not have to worry about XML RPC Attacks. As long as the plugin is active and the login filter is on all will be blocked even with the free version. See the full story on this on their blog here.
To check if XML RPC is working you can check out this website .