There’s plenty of guides[1] for blocking xmlrpc.php from non-WordPress user agents using Apache and IIS, but so far I haven’t found one for doing the same in Nginx. Using the aforementioned guide I converted the Apache script into an Nginx compatible config section, just add it to your WordPress server{} section.
Here’s how to do it:
location = /xmlrpc.php {
if ($http_user_agent !~* "(poster|wordpress|windows live writer|wp-iphone|wp-android|wp-windowsphone)") {
return 403;
}
try_files $uri /index.php;
include /etc/nginx/fastcgi_params;
fastcgi_pass php;
} 