The eosio::net_api_plugin was made optional for this very reason. No producer or public endpoint should be running with this plugin and it is a simple config file change.
I feel like the intro to this post is an overly alarmist way to support an otherwise worthwhile effort at securing block producing nodes.
RE: EOS BP Security Statement