Basically, the xmlrpc.php file is an API that allows you to publish posts and comments using external applications, including the official WordPress app for Android and iOS. The xmlrpc.php file is required for the following types of activity:
- Posting directly to your blog using TextMate, Flock, Windows Live Writer and other weblog clients
- Posting directly to your blog using Eudora, Thunderbird, and other email apps
- Receiving pingbacks and trackbacks to your site from other blogs
For example, you create a website, publish the content, and within a few weeks people repeatedly try to log in. These login attempts come from botnets; they are automated and their goal is simple: break into as many websites as they can by guessing their passwords. Once they find a password that matches, they take over the site and use it to distribute malware, spam and the like.
To test this, I installed the WordPress app on my Android phone and accessed the admin panel with my username, password and domain. I noticed that my site was slower and the server-side load was abnormal. After analyzing the site's access log, I found a large number of POST requests to the xmlrpc.php file in WordPress. POST requests cannot be cached, which means that all of these requests were hitting the web server directly, causing extreme CPU usage.
Renaming the xmlrpc.php file seems like a valid solution, but the requests were still being processed by PHP, which returned 404 errors. The better solution is to block direct access to xmlrpc.php in the web server or in Varnish.
If you use Apache on your server, you can implement the block in .htaccess, but once access to xmlrpc.php is blocked, you will no longer be able to use the WordPress app on your Android or iOS device (or any other external application).
In any case, if you do not use any external application, or if it is not essential to manage your WordPress website from Android, iOS or other external applications, I recommend blocking access to the xmlrpc.php file or removing it from your server.
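The two steps described above, checking the access log for POST traffic to xmlrpc.php and then blocking the file in .htaccess, as an added example that is not part of the original post. The log lines are constructed for the demo (documentation IPs), the function names are my own, and the .htaccess fragment uses Apache 2.4 `Require` syntax; the optional allowlist keeps the WordPress app working from the addresses you name while everyone else is denied.

```shell
#!/bin/sh
# Added example (not from the original post). Counts POST requests to
# /xmlrpc.php per client IP in an Apache "combined" access log and emits an
# .htaccess fragment that blocks the file. Log lines and IPs are constructed.

SAMPLE_LOG='203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "wp-android/3.0"
192.0.2.44 - - [10/Oct/2023:13:57:10 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.68"'

# Read a combined-format log on stdin and print "count ip" for every client
# that POSTed to /xmlrpc.php (query strings included), busiest first.
# Field 6 is the quoted method, field 7 the request path.
xmlrpc_post_counts() {
    awk '$6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print only the client IPs at or above a POST-count threshold (default 3).
# Real logs need a much higher threshold; the sample is tiny.
xmlrpc_abusers() {
    threshold="${1:-3}"
    xmlrpc_post_counts | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Emit an Apache 2.4 .htaccess fragment for xmlrpc.php. With no arguments
# everyone is denied; with IP arguments only those addresses may reach the
# file (Apache denies when no Require directive matches), so the WordPress
# app keeps working from an allowlisted address.
xmlrpc_htaccess_rule() {
    printf '<Files "xmlrpc.php">\n'
    if [ "$#" -eq 0 ]; then
        printf '    Require all denied\n'
    else
        for ip in "$@"; do
            printf '    Require ip %s\n' "$ip"
        done
    fi
    printf '</Files>\n'
}

# Demo run against the constructed log, then the deny-all fragment.
printf '%s\n' "$SAMPLE_LOG" | xmlrpc_post_counts
xmlrpc_htaccess_rule
```

On a live server replace the sample with `xmlrpc_post_counts < /var/log/apache2/access.log` (path varies by distribution), and append the fragment to the .htaccess in the WordPress document root; pingbacks and trackbacks from other blogs will stop arriving along with the app access.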
To learn more about this API, click here.