I recently ran into an issue on a WordPress site running behind an nginx web
server. The site was frequently being attacked by a botnet hitting /xmlrpc.php
so rapidly, it would eventually force the FastCGI processes behind nginx to
consume all available CPU. Naturally, this would cause all legitimate traffic to
the site to time out. My solution was to insert the following in the nginx
configuration for the site:

    location = /xmlrpc.php {
        deny all;
    }

Although this change did not stop the brute-force attack, nginx was able to handle it much more elegantly (read: not cratering the server) than php-cgi.
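
To confirm the rule is doing its job, the access log can be checked for requests to /xmlrpc.php that were answered with anything other than the 403 that `deny all` produces. The script below is an added example, not part of the original post; it assumes nginx's default "combined" log format, and the function name, threshold and sample log lines (documentation-range addresses) are constructed for illustration.

```python
import re
from collections import Counter

# Matches the start of a line in nginx's default "combined" log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def summarize_xmlrpc(lines, threshold=3):
    """Summarize requests to /xmlrpc.php (hypothetical helper).

    Returns (noisy, leaked):
      noisy  - {ip: hits} for clients with at least `threshold` hits
      leaked - [(ip, status)] for responses that were not 403, i.e.
               requests the deny rule did not stop
    """
    hits = Counter()
    leaked = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        # "location =" matches the URI without its query string
        path = m["target"].split("?", 1)[0]
        if path != "/xmlrpc.php":
            continue
        hits[m["ip"]] += 1
        if m["status"] != "403":
            leaked.append((m["ip"], int(m["status"])))
    noisy = {ip: n for ip, n in hits.items() if n >= threshold}
    return noisy, leaked

# Constructed sample: one 200 from before the rule, then blocked requests.
SAMPLE_LOG = [
    '198.51.100.9 - - [10/Mar/2024:11:59:58 +0000] "POST /xmlrpc.php?rsd HTTP/1.1" 200 403 "-" "-"',
    '203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "-"',
    '203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "-"',
    '192.0.2.44 - - [10/Mar/2024:12:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "-"',
]

if __name__ == "__main__":
    noisy, leaked = summarize_xmlrpc(SAMPLE_LOG)
    print("noisy clients:", noisy)
    print("not blocked:", leaked)
```

An empty `leaked` list over a log window that starts after the reload means every request to /xmlrpc.php was rejected by nginx and never reached php-cgi.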