Disabling XML-RPC on a WordPress Website is Necessary
The file xmlrpc.php has been a part of WordPress core since its early days. Although it used to be disabled by default, it is now enabled by default, and an option to disable it can be found in the WordPress dashboard.
Previously, it served as a means of communication with any other system alongside a WordPress website. Through the XML-RPC API, remote communication could be established with mobile apps, other websites, or systems.
However, it is now considered a security issue as it can be exploited for brute force attacks, attempting various username and password combinations to gain access to the website, even if the login panel/dashboard link is hidden. Several security tools are available to address brute force attacks on xmlrpc.php.
Using XML-RPC, distributed denial-of-service (DDoS) attacks can also be performed utilizing the pingback system. Moreover, xmlrpc.php can be used to spoof thousands of IP addresses from numerous websites.
To check if XML-RPC is enabled on your website, you can search for "XML-RPC Validator" and check. While there are various ways to secure it, the best practice is often to disable it, especially since the newer REST API is replacing XML-RPC.
To disable it, you can install the "Disable XML-RPC" plugin on your WordPress website, which can be found in the plugin directory. Additionally, you can disable access to xmlrpc.php using .htaccess.