And above all else, use a randomly generated password, like the ones Wordpress suggests for you these days, and don't use it for anything else. Use a password manager (not your browser) so you don't have to remember it yourself.

Access to XMLRPC can be either blocked by your server, a lightweight plugin singular purpose plugin called Disable XML-RPC” by Philip Erb, or by adding the code directly to your website.

XMLRPC is a relic from the beginnings of Wordpress, which allowed publishing from desktop apps, which was the style at the time. It also powers the pingbacks and trackbacks that you're probably getting spammed with.

The bigger risk is XMLRPC, which is still accessible and exploitable even with the login url changed and completely bypasses two-factor authentication plugins.

I've been seeing a lot of posts talking about the best practices to keep Wordpress websites more secure. Most of the advice is solid but changing the login url may have unintended consequences and still leave you vulnerable.