If you don't use the WordPress mobile app or Jetpack, disable xmlrpc.php via .htaccess . Force HTTPS: Prevent credential sniffing on the login page.
If you are currently running WordPress 4.1.31 and suspect a breach, follow this IR checklist: wordpress 4.1.31 exploit
If an attacker uses your 4.1.31 site to launch a phishing campaign or host malware, you become the definition of a negligent party. If you don't use the WordPress mobile app