Stopping a WordPress XMLRPC.php Attack


I am experiencing an XMLRPC Brute Force attack on my website that has been going for about 28 hours now. Every few seconds, 188.0.236.9 tries to plug a user-pass combination into my XMLRPC.php file. I conducted a whois on the IP, which didn't help much. The phone number listed was invalid (yes, I was stupid enough to call).

Anyway, I've blocked the IP itself (it is a single IP) as well as the entire IP range, with WordFence. I don't have access to my .htaccess file right now; I'm not at home.


Is my website adequately protected, or is this person's attack still capable of doing anything? He's still sending requests as we speak, and though I've blocked him, I can't tell if he's still getting through.

Forgive me; I'm still relatively new to all this. If my site is not adequately protected, what more can I do without access to my .htaccess file?

1

There are 1 best solutions below

1
vijay pancholi On

// Disable XML-RPC using a hook in WordPress.

/*To disable XML-RPC methods that require authentication, use:*/

add_filter('xmlrpc_enabled', '__return_false');

For more granular control over all XML-RPC methods and requests, see the ‘xmlrpc_methods’ and ‘xmlrpc_element_limit’ hooks.
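The question asks whether the blocked requests are still getting through. One way to check is to read the web server access log, shown here as an added example that is not part of the original question or answer. It assumes an Apache/nginx "combined" format log and that the blocking layer answers refused requests with a non-2xx status such as 403; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines, not real traffic. 188.0.236.9 is the IP named in
# the question; the other addresses come from documentation ranges.
SAMPLE_LOG = """\
188.0.236.9 - - [01/Jan/2016:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
188.0.236.9 - - [01/Jan/2016:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
188.0.236.9 - - [01/Jan/2016:10:05:09 +0000] "POST /xmlrpc.php HTTP/1.1" 403 512 "-" "-"
188.0.236.9 - - [01/Jan/2016:10:05:12 +0000] "POST /xmlrpc.php HTTP/1.1" 403 512 "-" "-"
198.51.100.23 - - [01/Jan/2016:10:05:13 +0000] "POST /XMLRPC.php?x=1 HTTP/1.1" 200 674 "-" "-"
203.0.113.7 - - [01/Jan/2016:10:05:20 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

def xmlrpc_posts(lines):
    """Map each client IP to its status counts and newest status for POSTs to xmlrpc.php."""
    seen = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Ignore any query string and compare the file name case-insensitively.
        if not m["path"].split("?", 1)[0].lower().endswith("/xmlrpc.php"):
            continue
        entry = seen.setdefault(m["ip"], {"statuses": Counter(), "last": None})
        status = int(m["status"])
        entry["statuses"][status] += 1
        entry["last"] = status  # log lines are chronological, so this ends as the newest
    return seen

def block_is_holding(entry):
    """True when the newest request was refused (non-2xx) instead of served."""
    return entry["last"] is not None and not 200 <= entry["last"] < 300

if __name__ == "__main__":
    for ip, entry in xmlrpc_posts(SAMPLE_LOG.splitlines()).items():
        verdict = "refused" if block_is_holding(entry) else "still served"
        print(ip, dict(entry["statuses"]), verdict)
```

A 200 on xmlrpc.php only means the request was served: WordPress reports failed logins and disabled XML-RPC as faults inside a 200 response, so the status code shows whether the block is holding, not whether a guess succeeded.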