A really useful post by NixIntel on stopping XMLRPC calls to your WordPress site totally, using Fail2Ban.
https://nixintel.info/linux/protecting-wordpress-from-xmlrpc-attacks/
The post tells you how to disable xmlrpc.php on Apache using .htaccess.
If you’re running WordPress on Nginx rather than Apache then you can disable xmlrpc in your site’s nginx.conf file by inserting the following in your server block…
# Block xmlrpc.php
location = /xmlrpc.php {
deny all;
access_log off;
log_not_found off;
return 444;
}