other ways to disable/block before getting to WordPress:

if using apache, can block in htaccess:
# Block WordPress xmlrpc.php requests

order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx

with nginx, rules:
location = /xmlrpc.php {
deny all;
}

cloudlfare:
include in your block ruleset:
(http.request.uri.path contains “/xmlrpc.php”) or