Adding .htpasswd to Wordpress Logins


This is a best-practice modification. WordPress is such a commonly used CMS that it is targeted very frequently for brute-force logins, SQL injection and so on.

One of the simplest ways we have seen to prevent the server load caused by a bot hitting the login and xmlrpc pages over and over is to place an httpd auth in front of them.

Create a password-protected directory, with a username and password, in cPanel. You can also do this manually; just modify the paths below.

Then add the following to the .htaccess in the root of your WordPress installation. This creates a secondary login that you must pass before you can even see the WordPress login pages. It is useful for WordPress sites that have only a few administrators and no public logins.

# Keep the error responses minimal so a bot gets nothing useful back
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

# Require an httpd (Basic) login before Apache even hands these two scripts to WordPress
<FilesMatch "wp-login.php|xmlrpc.php">
AuthName "Authorized Only"
AuthUserFile "/home/cpaneluser/.htpasswds/public_html/passwd"
AuthType Basic
require valid-user
</FilesMatch>

# Let the custom 403 page itself be served without auth
# (Apache 2.2 syntax; on Apache 2.4 the equivalent is "Require all granted")
<Files 403.shtml>
order allow,deny
allow from all
</Files>
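The manual route the article mentions (no cPanel), as an added example that is not part of the original article: it creates the password file with htpasswd, refuses to put it anywhere under the web root, writes out the .htaccess fragment above with the path substituted, and checks from outside that wp-login.php now answers 401. DOCROOT, the paths and the site URL are placeholders to adjust.

```shell
# Added example, not from the original article. DOCROOT and all paths are
# placeholders; change them to match your server.
DOCROOT=${DOCROOT:-/home/cpaneluser/public_html}

# Print "ok" if the password file sits outside the document root, "unsafe" if not.
# Anything under DOCROOT can be requested over HTTP, so a password file stored
# there could be downloaded and cracked offline.
check_outside_docroot() {
  docroot=${1%/}; passwd_file=$2
  case "$passwd_file" in
    "$docroot"/*) echo unsafe ;;
    *) echo ok ;;
  esac
}

# Print the .htaccess fragment from the article with AuthUserFile pointed at $1.
render_htaccess() {
  cat <<EOF
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

<FilesMatch "wp-login.php|xmlrpc.php">
AuthName "Authorized Only"
AuthUserFile "$1"
AuthType Basic
require valid-user
</FilesMatch>
EOF
}

# Create the password file with bcrypt hashes (htpasswd -B needs Apache 2.4.4+),
# refusing a location inside the web root, and keep it unreadable by other users.
make_htpasswd() {
  passwd_file=$1; user=$2
  if [ "$(check_outside_docroot "$DOCROOT" "$passwd_file")" != ok ]; then
    echo "refusing: $passwd_file is inside $DOCROOT" >&2
    return 1
  fi
  mkdir -p "$(dirname "$passwd_file")"
  htpasswd -c -B "$passwd_file" "$user"   # prompts twice for the password
  chmod 640 "$passwd_file"
}

# Confirm the gate is up: without credentials wp-login.php must answer 401.
verify_gate() {
  code=$(curl -s -o /dev/null -w '%{http_code}' "$1/wp-login.php")
  [ "$code" = 401 ] && echo protected || echo "NOT protected (got $code)"
}
```

Typical use: `make_htpasswd /home/cpaneluser/.htpasswds/public_html/passwd admin`, then `render_htaccess /home/cpaneluser/.htpasswds/public_html/passwd >> "$DOCROOT/.htaccess"` and `verify_gate https://example.com`.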
Last update: 2014-11-18 17:36
Author: Admin
Revision: 1.0