100% agree Eric - my Apache logs are filled with blind requests from various bots looking for known issues,
not just WordPress - I also see probes for Joomla, phpMyAdmin, etc. Some of the probes are for the WordPress wp-login page -
probably probing for a login with admin/admin -- that's the #1 reason why the admin users for my WP sites are not "admin", nor
are they the domain name, etc.
I was going to recommend https://ithemes.com/sync/#plans but it looks like I've been grandfathered in - I am on their 10 site plan but have never paid $0 :)
Even to pay for it, it's worth the ability to see all your WordPress sites and update them from a single dashboard.
I've personally had the WordPress xmlrpc subsystem exploited to hack a couple of my sites - the same type of injection used on the WUBI website.
Best way I've found to block it is to do a straight up .htaccess deny - as well as chmod 000 xmlrpc.php
<Files xmlrpc.php>
Order Allow,Deny
Deny from all
</Files>
I've also tried this, but it does not work well from a VPN where you never know what your IP is going to be.
Based on my public IP from ATT, this would let me in but deny all others.
RewriteEngine on
#RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
#RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$ [OR]
#RewriteCond %{REQUEST_URI} ^/wp-login\.php$ [OR]
#RewriteCond %{REQUEST_URI} ^(.*)?xmlrpc\.php(.*)$
#RewriteCond %{REMOTE_ADDR} !^1\.1\.1\.1$
#RewriteRule ^(.*)$ http://go-away.com [R]
#RewriteRule ^(.*)$ - [R=403,L]
Things like mod_security are useful, as mod_security will watch the Apache $POST requests for things like SQL injections, etc.
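
An added example, not part of the original post: a short Python script that tallies the probes described above from Apache combined-format access log lines and flags xmlrpc.php requests that were not answered with 403, meaning the deny rule is not in effect for that path. The sample log lines and the URL patterns are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format: client IP, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Probe targets named in the post; the URL patterns are assumptions.
PROBES = {
    "xmlrpc": re.compile(r"/xmlrpc\.php", re.I),
    "wp-login": re.compile(r"/wp-login\.php", re.I),
    "phpmyadmin": re.compile(r"/(phpmyadmin|pma)\b", re.I),
    "joomla": re.compile(r"/administrator/index\.php", re.I),
}

def classify(path):
    """Return the probe category for a request path, or None."""
    for name, pattern in PROBES.items():
        if pattern.search(path):
            return name
    return None

def summarize(lines):
    """Count probes per category and client; list xmlrpc hits not answered 403."""
    per_category = Counter()
    per_client = defaultdict(Counter)
    unblocked = []
    for line in lines:
        m = LINE_RE.match(line)
        category = classify(m["path"]) if m else None
        if category is None:
            continue  # malformed line or ordinary request
        per_category[category] += 1
        per_client[m["ip"]][category] += 1
        if category == "xmlrpc" and m["status"] != "403":
            unblocked.append((m["ip"], m["method"], m["status"]))
    return per_category, per_client, unblocked

# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "bot"',
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "bot"',
    '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 196 "-" "bot"',
    '198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 200 370 "-" "bot"',
    '203.0.113.5 - - [01/Jan/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

In the sample, the second xmlrpc.php request returns 200 because it targets a copy under /blog/ that the deny rule does not cover, which is the kind of gap this check surfaces.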