Check the ‘order’ order. I do it this way:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
# allow from xx.xx.xx.xx #add allowed IP addresses
</Files>
And, to ensure it’s blocked, I add this to the functions.php file.
add_filter('xmlrpc_enabled', '__return_false');
Actually, I put the above command and others into a private plugin, so I don’t have to worry about Child Themes, or theme changes.
(Side note: I had a WP site compromised via an xmlrpc attack.)