While the above solution is sufficient for many, it can still be resource-intensive for sites that are under attack.

In those cases, you may want to block all xmlrpc.php requests in the .htaccess file, before the request is even passed on to WordPress.

Simply paste the following code in your .htaccess file:

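# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
# Apache 2.4 and later
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
# Apache 2.2
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>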
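
To confirm that Apache is now refusing these requests itself, the following added example (not part of the original article) summarizes the status codes logged for xmlrpc.php; once the rule is active, every such request should show 403. It assumes the combined access log format, and the function names and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Summarize how Apache answered xmlrpc.php requests.
# Reads combined-format access log lines on stdin, prints "status count".
xmlrpc_status_summary() {
  awk -F'"' '
    {
      # $2 is the request line, $3 holds " status bytes "
      if (split($2, req, " ") < 2) next     # skip malformed request lines
      path = req[2]
      sub(/\?.*$/, "", path)                # drop any query string
      if (path !~ /\/xmlrpc\.php$/) next    # <Files> matches in any directory
      split($3, resp, " ")
      count[resp[1]]++
    }
    END { for (s in count) print s, count[s] }
  ' | sort -n
}

# Count xmlrpc.php requests that were NOT answered with 403 Forbidden.
xmlrpc_not_blocked() {
  xmlrpc_status_summary | awk '$1 != 403 { n += $2 } END { print n + 0 }'
}

# Constructed sample: two requests before the rule was added, two after,
# plus unrelated requests that must be ignored.
sample_log() {
  cat <<'EOF'
198.51.100.7 - - [12/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:10:05:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:10:03 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:10:04 +0000] "POST /blog/xmlrpc.php?rsd HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:10:10:05 +0000] "GET /xmlrpc.php.bak HTTP/1.1" 404 196 "-" "Mozilla/5.0"
EOF
}

sample_log | xmlrpc_status_summary
echo "not blocked: $(sample_log | xmlrpc_not_blocked)"
```

Pipe your own access log into `xmlrpc_not_blocked`, limited to entries written after the change; any result other than 0 means some requests are still getting past the rule.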