other ways to disable/block before getting to WordPress:
if using apache, can block in htaccess:
# Block WordPress xmlrpc.php requests
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
with nginx, rules:
location = /xmlrpc.php {
deny all;
}
cloudlfare:
include in your block ruleset:
(http.request.uri.path contains “/xmlrpc.php”) or