It is possible to block traffic to xmlrpc.php directly on Cloudflare, stopping it from ever reaching your server.
This is only a valid solution if you are also blocking traffic that does not originate from Cloudflare. If you have not already set this up, it will still be possible for hackers to attempt to access and exploit xmlrpc.php on your origin server directly. And, of course, this is easily configurable in just a single click via the Servebolt admin interface.
The benefit is that, as with Accelerated Domains or CDN from Servebolt, the xmlrpc.php traffic from bad actors is stopped at the edge, long before it reaches the server.
To block all traffic, log in to the Cloudflare admin, select the domain, click Security, click WAF, create a new firewall rule, and enter the following details:
Rule Name = whatever you want to call it
Field = URI Path
Operator = equals
Value = /xmlrpc.php
Or you can “edit the expression” and paste in the following code (use straight quotes; curly quotes will not be accepted in the expression):
(http.request.uri.path eq "/xmlrpc.php")
Choose the action “Block”, then save and deploy the rule.
Remember: because you have set this up, you will have to remember it exists. There might be a time in the future when you are wondering why xmlrpc.php is not working, and you cannot see it in your server configuration.
Note: If you use this method, you must ensure that your server is configured to allow only traffic that comes through Cloudflare. Otherwise, it would be possible to bypass this rule.
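
One way to check the condition in the note above (and in the second paragraph) is to look in the origin's access log for xmlrpc.php requests that did not arrive from a Cloudflare address. The following is an added example, not part of the original article or of Servebolt's or Cloudflare's tooling; it assumes a combined-format access log that records the connecting peer address, and the range list is a partial sample to be replaced with the current list from https://www.cloudflare.com/ips/.

```python
import ipaddress
import re

# Partial sample of Cloudflare's published ranges (assumption: replace with the
# current full list from https://www.cloudflare.com/ips/ before relying on it).
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13",
    "172.64.0.0/13", "2400:cb00::/32",
)]

# Common/combined log format: peer IP, ident, user, [time], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def is_cloudflare(ip):
    """True if the address falls inside one of the listed Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)

def direct_xmlrpc_hits(lines):
    """Return (ip, method, status) for /xmlrpc.php requests that bypassed the edge."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: not an access-log entry we understand
        ip, method, target, status = m.groups()
        if target.split("?", 1)[0] != "/xmlrpc.php":
            continue  # same exact-path match as the Cloudflare rule
        try:
            if is_cloudflare(ip):
                continue  # arrived through the edge, where the WAF rule applies
        except ValueError:
            pass  # logged value is not an IP literal: report it for review
        hits.append((ip, method, int(status)))
    return hits

# Constructed sample log lines (documentation addresses stand in for direct clients).
SAMPLE_LOG = [
    '172.68.10.5 - - [10/Mar/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403',
    '104.18.2.3 - - [10/Mar/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403',
    '198.51.100.23 - - [10/Mar/2024:10:00:04 +0000] "GET /xmlrpc.php?rsd HTTP/1.1" 405 0',
    '203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, method, status in direct_xmlrpc_hits(SAMPLE_LOG):
        print(f"direct-to-origin xmlrpc.php request: {ip} {method} -> {status}")
```

Any hit means the origin is still reachable without passing through Cloudflare, so the edge rule alone is not protecting xmlrpc.php. If the web server rewrites the logged address from a Cloudflare header, run the check against a log that keeps the peer address.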