XML-RPC in WordPress is commonly exploited for brute-force attacks.
Although the code has been improved over time and the likelihood of a successful brute-force attack via XML-RPC has been significantly reduced, XML-RPC remains a prime target. If a bot targets your blog, it can send tens of thousands of XML-RPC requests in an attempt to compromise your site.
Even if these attacks are unsuccessful, the volume of requests can consume server resources (RAM, CPU), negatively impacting your site's performance[5][7].
Given this, the best solution is to completely disable the XML-RPC service in WordPress. In fact, on all our hosting packages, direct access to the XML-RPC service is disabled by default.
