We are unable to tell you if you or anyone else on your site needs to login via the XML-RPC interface now or in the future – it is very unlikely that you would allow members to use that.
For example, if you install the application for WordPress on a smart phone or a tablet you will see that the login page doesn’t exist – that is because the application logs you in via the XML-RPC interface and not the login page below:
You can set our recommended brute force login attack protection rules. Instructions are in the link below. You can quickly find these options in the Brute Force Protection section on the All Options page:
These rules also protect the WordPress XML-RPC interface with some useful background information below:
Thank you – that answers it very well 🙂