xmlrpc.com is a WordPress file that was intended to be used for API’s but lately it’s more and more used as a way for hackers to brute-force WordPress installations.
To block access to xmlrpc.php on a single WordPress installation add the following code to your .htaccess file:
<Files xmlrpc.php> order deny,allow deny from all allow from 127.0.0.1 </Files>
And in WHM to block access to xmlrpc.php file for all websites hosted on cPanel, add the following to WHM > Service Configuration > Apache Configuration > Include Editor
<IfModule mod_alias.c> RedirectMatch 301 /xmlrpc.php http://127.0.0.1/ </IfModule>
All request to xmprpc.php file across all cPanel account will be blocked.