XML-RPC (XML Remote Procedure Call) lets clients interact with your site remotely and build your community from outside the admin dashboard. The WordPress mobile apps, for example, use it to log in with your credentials (including WordPress.com credentials) and act on the site with your user's rights. That convenience becomes a serious problem as soon as someone else has your password: the xmlrpc.php endpoint is exposed to brute-force login attempts, and its pingback feature can be abused for denial-of-service attacks.

There are ways to reduce the risk, but each trades some convenience for security. Use long, complex passwords, or turn XML-RPC off entirely. You can also disable it only in part, keeping what the mobile apps need while blocking pingbacks and brute-force attempts, with plugins such as Stop XML-RPC Attack, Control XML-RPC Publishing, or a general-purpose security plugin with brute-force protection.

The REST API team is working to replace XML-RPC's password-based access with the OAuth protocol. At the time the article was written, the REST API was not yet ready for production use, but it was available for testing in non-production environments.
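The "turn it off" and "partially disable" options above can be done without a plugin, using WordPress core filters. The following must-use plugin is an added example written for this page; it is not code from the linked article or from any of the plugins it names. It assumes the file is placed in wp-content/mu-plugins/, and the HARDEN_XMLRPC_MODE constant is a hypothetical switch introduced here to show both options side by side.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC (added example, not from the original article)
 *
 * Place this file in wp-content/mu-plugins/ so it loads on every request.
 * HARDEN_XMLRPC_MODE is a hypothetical switch defined for this example:
 *   'off'     - refuse every authenticated XML-RPC method (stops brute force,
 *               but also breaks the mobile apps and Jetpack)
 *   'partial' - keep XML-RPC for the apps, but remove the pingback methods
 */
define( 'HARDEN_XMLRPC_MODE', 'partial' );

if ( HARDEN_XMLRPC_MODE === 'off' ) {
    // Core consults this filter in wp_xmlrpc_server::login() before running
    // any method that needs credentials, so every login attempt fails.
    // Caveat: pingback.ping needs no credentials and is NOT affected by this
    // filter, which is why the pingback removal below runs in both modes.
    add_filter( 'xmlrpc_enabled', '__return_false' );
}

// Remove the unauthenticated pingback entry points used for reflected DoS.
// Everything else (wp.*, metaWeblog.*, blogger.*) stays registered.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint: WP::send_headers() adds an X-Pingback
// header pointing at xmlrpc.php on normal page loads.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Also drop the <link rel="EditURI"> tag in <head>, which discloses the
// xmlrpc.php URL to clients looking for it.
remove_action( 'wp_head', 'rsd_link' );
```

To confirm the change took effect, ask the endpoint for its method list with a `system.listMethods` call, for example `curl -d '<methodCall><methodName>system.listMethods</methodName></methodCall>' https://example.com/xmlrpc.php`, and check that `pingback.ping` no longer appears. Note that xmlrpc.php is still executed by PHP with either mode, so every request still costs CPU; if nothing on the site needs XML-RPC at all, denying the path at the web server is the cheaper option.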
Read the full article here:
XML-RPC and Why It’s Time to Remove it for WordPress Security