The xmlrpc.php file of my WordPress blog recently got hit by a single bot some 5000 times over a half hour period recently. I temporarily disabled all visitors and then limited it to just blocking the specific IP via Apache conf (htaccess).
I don’t believe it succeeded in breaking into my site, but I would guess it slowed down my server quite a bit during that period. The IP belonged to Digital Ocean, presumably a droplet. Don’t know if it was purchased for nefarious purposes, or hacked. It didn’t seem to have a web server running on it.
As far as I know, the only legitimate users of XML-RPC on my server are Jetpack and the extremely rare pingback. I blocked it with an Apache mod_rewrite rule like:
RewriteCond %{REMOTE_ADDR} ^123\.45\.67\.89$
RewriteRule ^/?blog/xmlrpc\.php index.php [END]
That would show a 404 not found page since the route wouldn’t be found. The bot had already stopped, but this ensured it wouldn’t be able to come back.
It could also have been done like:
<FilesMatch "^(xmlrpc\.php)">
Order Allow,Deny
Allow from all
Deny from 123.45.67.89
</FilesMatch>
which would show a 403 forbidden page.