There’s plenty of guides[1] for blocking xmlrpc.php from non-WordPress user agents using Apache and IIS, but so far I haven’t found one for doing the same in Nginx. Using the aforementioned guide I converted the Apache script into an Nginx compatible config section, just add it to your WordPress server{} section.
Here’s how to do it:
location = /xmlrpc.php { if ($http_user_agent !~* "(poster|wordpress|windows live writer|wp-iphone|wp-android|wp-windowsphone)") { return 403; } try_files $uri /index.php; include /etc/nginx/fastcgi_params; fastcgi_pass php; }