Viewing 1 replies (of 1 total)
  • Plugin Author Jeremy Herve

    (@jeherve)

    Jetpack Mechanic 🚀

    Instead of blocking access to XML-RPC, we’d suggest enabling Jetpack’s Protect module; it will protect your site against the type of attacks mentioned in this post.

    You can read more about it here:
    http://jetpack.me/2015/10/12/jetpack-protection-from-brute-force-xml-rpc-attacks/

    Another alternative is to use a Website Firewall like the one recommended by Sucuri, or the one available with CloudFlare.
    You could also build your own solution based on open source tools like fail2ban.

    It’s worth noting that while the REST API is on its way to Core, it’s not in the current stable version of WordPress yet. Once it is, we can consider moving away from XML-RPC. This probably won’t happen in a week, though, and it’s important to understand that it won’t solve all these brute force issues. Hackers will most likely start targeting the REST API instead of XML-RPC as soon as it becomes more widespread than XML-RPC.

    For these reasons, I’d recommend using a plugin or a service that will protect you from these Brute Force attempts. You can also talk to your host about it, as they most likely have their own measures in place to deal with these issues. After all, they have a lot to gain by protecting their own servers from that kind of abuse 🙂

    I hope this helps!


The topic ‘Brute Force Amplification Attacks Against WordPress XMLRPC’ is closed to new replies.
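
The reply above mentions building your own protection on tools like fail2ban. The sketch below is an added example, not part of the original thread and not Jetpack's or fail2ban's code: it applies the same "N hits inside a time window" rule to web server access-log lines. It assumes combined log format; `find_offenders`, `sample_log`, `max_retry` and `find_time` are hypothetical names, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-log-format prefix: client IP, timestamp, request method and path.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"'
)

def find_offenders(lines, max_retry=5, find_time=timedelta(seconds=60)):
    """Return {ip: time the threshold was reached} for clients sending at
    least max_retry POSTs to /xmlrpc.php within find_time (assumed thresholds)."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Ignore any query string so /xmlrpc.php?x=1 is still counted.
        if m["path"].split("?", 1)[0] != "/xmlrpc.php":
            continue
        ip = m["ip"]
        if ip in offenders:       # already flagged; a real tool would now ban it
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > find_time:   # drop hits older than the window
            window.popleft()
        if len(window) >= max_retry:
            offenders[ip] = ts
    return offenders

def sample_log():
    """Constructed access-log lines using documentation-range IPs."""
    lines = []
    # Burst: six POSTs to xmlrpc.php, five seconds apart.
    for i in range(6):
        lines.append(f'203.0.113.7 - - [12/Oct/2015:10:00:{i * 5:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"')
    # Slow client: six POSTs ten minutes apart, never five inside one minute.
    for i in range(6):
        lines.append(f'198.51.100.20 - - [12/Oct/2015:10:{i * 10:02d}:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"')
    lines.append('198.51.100.20 - - [12/Oct/2015:10:55:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "-"')
    return lines

if __name__ == "__main__":
    print(find_offenders(sample_log()))
```

A counter like this sees one hit per HTTP request, so for the amplified attacks named in the topic title the threshold has to be chosen with that in mind.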