Learning that WordPress XML-RPC can be abused for DoS attacks, I changed the Nginx configuration to disable XML-RPC.
/etc/nginx/conf.d/codenote.com.conf
server {
    # deny xmlrpc: every request to /xmlrpc.php is answered with 403
    location = /xmlrpc.php {
        deny all;
    }
}
When XML-RPC is disabled, the following logs are output to Nginx’s error.log:
2015/07/12 21:49:31 [error] 11605#0: *815037 access forbidden by rule, client: 123.123.123.123, server: codenote.net, request: "POST /xmlrpc.php HTTP/1.1", host: "codenote.net"
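The error.log entry above can be used to see which clients keep hitting the blocked endpoint. The following is an added example, not code from the original post: it parses lines in that format and counts denied /xmlrpc.php requests per client. The sample lines, function names and threshold are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the error.log format shown above; the addresses and
# server name are documentation placeholders, not data from the post.
_DENY = ('{ts} [error] 11605#0: *{n} access forbidden by rule, client: {ip}, '
         'server: example.test, request: "{req} HTTP/1.1", host: "example.test"')
SAMPLE_LOG = "\n".join([
    _DENY.format(ts="2015/07/12 21:49:31", n=1, ip="203.0.113.10", req="POST /xmlrpc.php"),
    _DENY.format(ts="2015/07/12 21:49:32", n=2, ip="203.0.113.10", req="POST /xmlrpc.php"),
    _DENY.format(ts="2015/07/12 21:49:33", n=3, ip="203.0.113.10", req="POST /xmlrpc.php?rsd"),
    _DENY.format(ts="2015/07/12 21:50:02", n=4, ip="198.51.100.7", req="POST /xmlrpc.php"),
    # Denied by some other rule: must not be counted as XML-RPC traffic.
    _DENY.format(ts="2015/07/12 21:50:05", n=5, ip="198.51.100.7", req="GET /wp-config.php.bak"),
    # Unrelated error line: must be skipped by the parser.
    '2015/07/12 21:50:09 [error] 11605#0: *6 open() "/var/www/favicon.ico" failed '
    '(2: No such file or directory), client: 192.0.2.44, server: example.test',
])

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \d+#\d+: \*\d+ '
    r'access forbidden by rule, client: (?P<client>[^,]+), server: [^,]*, '
    r'request: "[A-Z]+ (?P<uri>\S+) [^"]*"')

def denied_xmlrpc_hits(log_text):
    """Yield (timestamp, client) for each request to /xmlrpc.php that nginx denied."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # The log shows the raw request line, so drop any query string first.
        if m and m.group("uri").split("?", 1)[0] == "/xmlrpc.php":
            yield datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"), m.group("client")

def summarize(log_text):
    """Return {client: (hits, first_seen, last_seen)} for denied XML-RPC requests."""
    out = {}
    for ts, client in denied_xmlrpc_hits(log_text):
        hits, first, last = out.get(client, (0, ts, ts))
        out[client] = (hits + 1, min(first, ts), max(last, ts))
    return out

def noisy_clients(log_text, threshold=3):
    """Clients with at least `threshold` denied hits, e.g. candidates for a firewall block."""
    return sorted(c for c, (hits, _, _) in summarize(log_text).items() if hits >= threshold)

if __name__ == "__main__":
    for client, (hits, first, last) in summarize(SAMPLE_LOG).items():
        print(f"{client}: {hits} denied, {first} to {last}")
```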
That’s all.
That’s all from the Gemba.
