XML-RPC is an XML-based protocol used to perform actions on a remote server. The name abbreviates eXtensible Markup Language Remote Procedure Call: it is a remote procedure call protocol that encodes its messages in XML and uses HTTP as its transport mechanism.
XML-RPC is the protocol of choice, for a variety of reasons, for a variety of frameworks and servers. Inside WordPress it provides many different functions: it is used to get information about posts, pages, taxonomies, media, comments, users and so on, and to publish new posts, retrieve comments and receive trackbacks and pingbacks, among other things. It pretty much allows you to perform all blog-related activities from a remote point of access, without using the user interface.
The XML-RPC protocol has been enabled by default in WordPress since version 3.5, and WordPress no longer offers an option to turn it off from within the user interface. The XML-RPC feature is not required, however, if you use none of the functions mentioned in the previous paragraph, and it is NEVER a good idea to leave an unused interface open to the public when it carries a potential security risk, even though the WordPress implementation of XML-RPC is pretty good nowadays and relatively free of risks.
If you want to leave the xmlrpc.php file intact but prevent access to it, you may paste the following directive into the .htaccess file in your Apache document root:
# Return 403 for xmlrpc.php in both root and subdirectory installs.
# RedirectMatch is a mod_alias directive; .htaccess use needs AllowOverride FileInfo.
# The pattern /(.*)/xmlrpc.php$ would miss a root install, since /xmlrpc.php has only one slash.
RedirectMatch 403 /xmlrpc\.php$
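As an added check (not part of the original article), the script below reproduces how Apache matches a RedirectMatch pattern against a URL path, so you can compare the subdirectory-only pattern with one that also covers a root install, and then queries a live site to confirm xmlrpc.php really answers 403. The sample paths and the site URL are constructed assumptions.

```python
"""Verify a RedirectMatch pattern for xmlrpc.php and check a live site."""
import re
import urllib.error
import urllib.request

# Constructed sample URL paths: a root install, a subdirectory install,
# and an unrelated script that must stay reachable.
SAMPLE_PATHS = ["/xmlrpc.php", "/blog/xmlrpc.php", "/wp-login.php"]


def path_is_blocked(pattern: str, url_path: str) -> bool:
    """RedirectMatch applies an unanchored regex to the URL path;
    re.search behaves the same way."""
    return re.search(pattern, url_path) is not None


def blocked_paths(pattern: str, paths=SAMPLE_PATHS) -> list:
    """Return which of the sample paths the pattern would send to 403."""
    return [p for p in paths if path_is_blocked(pattern, p)]


def xmlrpc_status(site_url: str, timeout: float = 5.0) -> int:
    """HTTP status the server returns for a GET of xmlrpc.php.
    A correctly blocked site answers 403; an unblocked WordPress
    answers 405 ('XML-RPC server accepts POST requests only')."""
    req = urllib.request.Request(site_url.rstrip("/") + "/xmlrpc.php",
                                 method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    # Subdirectory-only pattern vs. pattern that also covers a root install.
    print(blocked_paths(r"/(.*)/xmlrpc.php$"))  # ['/blog/xmlrpc.php']
    print(blocked_paths(r"/xmlrpc\.php$"))      # ['/xmlrpc.php', '/blog/xmlrpc.php']
    # Hypothetical site URL; replace with your own before running.
    print(xmlrpc_status("https://example.com"))
```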
Perhaps the safest way to eliminate potential security vulnerabilities is to simply remove the XML-RPC script, but we do not advise you to do so.