XMLRPC

XML-RPC is a remote procedure call (RPC) protocol that uses XML to encode its calls and HTTP as the transport. In WordPress it has been turned on by default since version 3.5.
XML-RPC is an API: it gives developers and external services a way to talk to a WordPress site.

XML-RPC functionality is primarily needed for three common reasons:

  1. Pingbacks/trackbacks (great for Viagra spam, DDoS attacks, and not much else)
  2. Jetpack (an all-in-one solution to slowing down and/or bloating your WordPress site with third-party scripts)
  3. WP mobile apps

More information on the XML-RPC API for WordPress: https://codex.wordpress.org/XML-RPC_WordPress_API

What is an xmlrpc attack?

XML-RPC provides the system.multicall method, which executes multiple methods inside a single request, so an application can pass many commands in one HTTP request.
This means that bots and attackers can use system.multicall to guess hundreds or thousands of passwords with a single HTTP request.
Thousands of password attempts fit into just 3-4 HTTP requests. These requests bypass security tools designed to block brute-force attempts, because each request produces only one entry in the log file no matter how many login attempts it carries.
NOTE: Your system's load average may increase significantly during one of these attacks. It can be hard to diagnose at first because Apache is NOT hitting MaxClients. Remember to check the access logs for large numbers of POST requests to xmlrpc.php!
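The following is an added example, not code from the original page: it inspects the body of an XML-RPC POST and flags system.multicall requests that bundle many inner calls into one request, which is the amplification described above. The request bodies, the demo.getTitle method name and the max_calls threshold are constructed for this example; the check is the kind of thing a reverse proxy or WordPress plugin would run before the request reaches xmlrpc.php.

```python
"""Added example, not code from the original page: inspect the body of an
XML-RPC POST and flag system.multicall requests that bundle many inner calls.
The request bodies, method names and the max_calls threshold are constructed
for this example."""
import xml.etree.ElementTree as ET
from xml.etree.ElementTree import ParseError

# Constructed sample: an ordinary single-method call.
SINGLE_CALL = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>demo.getTitle</methodName>
  <params><param><value><int>1</int></value></param></params>
</methodCall>"""


def build_multicall(n):
    """Constructed sample: a system.multicall wrapping n inner demo.getTitle calls.
    The nesting is the one the XML-RPC spec defines; only the count varies."""
    inner = "".join(
        "<value><struct>"
        "<member><name>methodName</name><value><string>demo.getTitle</string></value></member>"
        "<member><name>params</name><value><array><data>"
        f"<value><int>{i}</int></value></data></array></value></member>"
        "</struct></value>"
        for i in range(n)
    )
    return (
        '<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
        f"<params><param><value><array><data>{inner}</data></array></value></param></params>"
        "</methodCall>"
    ).encode()


def _scalar(value_el):
    """Text of an XML-RPC <value>, with or without an explicit <string> wrapper."""
    if value_el is None:
        return ""
    child = value_el.find("string")
    text = child.text if child is not None else value_el.text
    return (text or "").strip()


def inspect_request(body, max_calls=10):
    """Classify one XML-RPC request body.

    Returns a dict with the outer method, the number of calls the request
    actually carries, the inner method names and a verdict.  max_calls is a
    hypothetical per-request budget: legitimate clients batch a handful of
    calls at most, while the amplification described above packs hundreds
    into one request."""
    try:
        root = ET.fromstring(body)
    except ParseError:
        return {"method": None, "calls": 0, "inner": [], "verdict": "reject"}
    if root.tag != "methodCall":
        return {"method": None, "calls": 0, "inner": [], "verdict": "reject"}
    method = (root.findtext("methodName") or "").strip()
    if method != "system.multicall":
        return {"method": method, "calls": 1, "inner": [method], "verdict": "allow"}
    # A multicall's single parameter is an array of structs, one struct per inner call.
    inner = []
    for struct in root.findall("./params/param/value/array/data/value/struct"):
        name = "<unknown>"
        for member in struct.findall("member"):
            if (member.findtext("name") or "").strip() == "methodName":
                name = _scalar(member.find("value")) or "<unknown>"
        inner.append(name)
    verdict = "reject" if len(inner) > max_calls else "allow"
    return {"method": method, "calls": len(inner), "inner": inner, "verdict": verdict}


if __name__ == "__main__":
    for label, body in (("single", SINGLE_CALL), ("batch of 3", build_multicall(3)),
                        ("batch of 500", build_multicall(500))):
        r = inspect_request(body)
        print(f"{label:12} method={r['method']} calls={r['calls']} verdict={r['verdict']}")
```

The point of counting inner calls rather than outer requests is the one the section makes: the access log sees one POST, so any rate limit keyed on log lines or requests will undercount by a factor of several hundred. Counting the structs inside the multicall array restores the real number of attempts, and the same counter also gives you the inner method names for logging.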


NOTE: WordPress, Drupal and most content management systems support XML-RPC.
It can be used from Perl, Java, Python, C, C++, PHP and many other programming languages.

Checking Apache and nginx logs for xmlrpc.php requests

The awk below counts hits to xmlrpc.php per client IP, request method and path, then shows the 25 busiest (adjust the log path for your distribution):

 awk '/xmlrpc.php/ {REQ[$1" "$6" "$7]++}END{for (i in REQ) print REQ[i],i}' /var/log/httpd/*access*log | sort -n | tail -25
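Added example, not code from the original page: a Python counterpart to the awk one-liner above. It produces the same per-IP/method/path counts and adds a per-minute burst check the one-liner does not do. The log lines are constructed samples in Apache combined log format, and the per_minute threshold is a hypothetical value to tune for your site.

```python
"""Added example, not code from the original page: a Python counterpart to the
awk one-liner that counts xmlrpc.php requests per client IP, method and path,
plus a per-minute burst check.  The log lines are constructed samples in
Apache combined log format; per_minute is a hypothetical threshold."""
import re
import sys
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample log: one client hammering xmlrpc.php, one ordinary client.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2015:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2015:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2015:13:55:39 +0000] "POST /xmlrpc.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2015:13:55:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2015:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2015:13:56:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Jetpack"
garbage line that does not parse
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def xmlrpc_counts(lines):
    """Same aggregation as the awk: count hits to xmlrpc.php keyed by (ip, method, path)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and "xmlrpc.php" in rec["path"]:
            counts[(rec["ip"], rec["method"], rec["path"])] += 1
    return counts


def flag_bursts(lines, per_minute=3):
    """Return {ip: peak POSTs to xmlrpc.php in any one minute} for IPs over per_minute.
    One multicall line can hide hundreds of login attempts, so a modest per-minute
    threshold is more useful than a raw total."""
    per_ip_minute = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and "xmlrpc.php" in rec["path"]:
            minute = rec["ts"].strftime("%Y-%m-%d %H:%M")
            per_ip_minute[rec["ip"]][minute] += 1
    flagged = {}
    for ip, minutes in per_ip_minute.items():
        peak = max(minutes.values())
        if peak > per_minute:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    # Usage: python3 xmlrpc_log_check.py /var/log/httpd/access_log ; no argument = built-in sample
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for key, n in sorted(xmlrpc_counts(lines).items(), key=lambda kv: kv[1])[-25:]:
        print(n, *key)
    for ip, peak in flag_bursts(lines).items():
        print(f"burst: {ip} peaked at {peak} POSTs to xmlrpc.php in one minute")
```

The awk keys on the raw sixth field, which still carries the opening quote of the request line; this version strips it, so a key looks like 203.0.113.7 POST /xmlrpc.php. Legitimate Jetpack or mobile-app traffic shows up as a low, steady count per minute, which is why the burst check keys on the peak minute rather than the lifetime total.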

Basic configuration:
To block xmlrpc attacks outright, add the following to the site's .htaccess. It denies all access to xmlrpc.php. Note that Order/Deny/Allow is Apache 2.2 syntax; Apache 2.4 only honours it with mod_access_compat loaded, otherwise the equivalent Require directives are needed:
<Files "xmlrpc.php">
Order Allow,Deny
deny from all
</Files>
If you have applications or plugins that need XML-RPC, or you are a hosting reseller, you will want something like the block below instead. It allows the WordPress IP range (the current range; this could change) and denies everything else. Because the ErrorDocument line points at an external URL, denied clients are sent a redirect to their own loopback address instead of a 403 page:

Apache .htaccess:

<Files "xmlrpc.php">
Order Deny,Allow
Deny from all
Allow from 192.0.64.0/18
Satisfy All
ErrorDocument 403 http://127.0.0.1/
</Files>

Nginx
Deny all through nginx:
location = /xmlrpc.php {
    deny all;
    access_log off;            # keep the blocked requests from filling up the access log
    error_log /dev/null crit;  # "error_log off" is not special in nginx: it would log to a file named "off"
}


Allowing WordPress IPs:
location = /xmlrpc.php {
    allow 192.0.64.0/18;
    deny all;
    access_log off;            # keep the blocked requests from filling up the access log
    error_log /dev/null crit;  # "error_log off" is not special in nginx: it would log to a file named "off"
}

JetPack

This WordPress plugin comes with brute-force protection for xmlrpc.php.
Note: this is SITE specific and will not cover all WordPress sites on the system.
Jetpack: https://wordpress.org/plugins/jetpack/


Wordfence

##CURRENTLY INVESTIGATING ##
I believe it costs around $5 a month
It can also be used to block attempted attacks on XML-RPC.


References:
https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html
https://www.wordfence.com/blog/2015/10/should-you-disable-xml-rpc-on-wordpress/
http://wptavern.com/its-time-for-xml-rpc-in-wordpress-to-hit-the-road
https://www.saotn.org/huge-increase-wordpress-xmlrpc-php-post-requests/ - READ