The reason is that it constitutes a major vulnerability in your WordPress website's security.
As a matter of fact, throughout our network we have discovered that a popular way to attack a website is simply to ping the xmlrpc.php file of your WordPress website from multiple other WordPress websites.
While it doesn't affect our servers directly, due to resource isolation, it will cause downtime on your website.
Since it requires very few resources to take down a WordPress website, it has become quite popular.
Also, since the attack is launched from other websites, it may also involve your website in outgoing DDoS attacks. (You can check on the Sucuri website whether your website was involved in such attacks.)
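In the web server's access log, the flood described above appears as a burst of POST requests to xmlrpc.php coming from many source addresses. The Python script below is an added example, not part of the original article or of the host's tooling; it assumes Apache's combined log format, and the thresholds, function names and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: ip, timestamp, request line, status, user agent.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def xmlrpc_hits(lines):
    """Yield (time, ip, from_wp) per POST to xmlrpc.php; from_wp is a User-Agent heuristic."""
    for line in lines:
        m = LOG_RE.match(line)
        if (not m or m["method"] != "POST"
                or not m["path"].split("?")[0].endswith("/xmlrpc.php")):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield ts, m["ip"], "WordPress/" in m["ua"]

def flood_windows(lines, window_s=60, min_hits=5, min_sources=3):
    """Return the time windows in which xmlrpc.php was hit often and from many IPs."""
    buckets = defaultdict(list)
    for ts, ip, from_wp in xmlrpc_hits(lines):
        # Round the timestamp down to the start of its window.
        start = ts - timedelta(seconds=ts.timestamp() % window_s)
        buckets[start].append((ip, from_wp))
    alerts = []
    for start, hits in sorted(buckets.items()):
        sources = {ip for ip, _ in hits}
        if len(hits) >= min_hits and len(sources) >= min_sources:
            alerts.append({"start": start.isoformat(), "hits": len(hits), "sources": len(sources),
                           "wordpress_clients": sum(wp for _, wp in hits)})
    return alerts

def _line(ip, hms, request, ua):  # builds one constructed log line
    return f'{ip} - - [12/Mar/2024:{hms} +0000] "{request} HTTP/1.1" 200 370 "-" "{ua}"'

# Constructed sample (documentation IP ranges, made-up sites), not real traffic.
SAMPLE_LOG = [
    _line("192.0.2.10", "10:15:01", "POST /xmlrpc.php", "WordPress/6.4; http://a.example"),
    _line("198.51.100.7", "10:15:02", "POST /xmlrpc.php", "WordPress/6.3; http://b.example"),
    _line("203.0.113.5", "10:15:02", "POST /xmlrpc.php", "WordPress/6.4; http://c.example"),
    _line("192.0.2.10", "10:15:03", "POST /xmlrpc.php", "WordPress/6.4; http://a.example"),
    _line("198.51.100.7", "10:15:40", "POST /xmlrpc.php", "WordPress/6.3; http://b.example"),
    _line("203.0.113.9", "10:15:41", "GET /", "Mozilla/5.0"),
    _line("203.0.113.9", "10:20:00", "POST /xmlrpc.php", "Mozilla/5.0"),
]

if __name__ == "__main__":
    print(flood_windows(SAMPLE_LOG))
```

On the sample, only the 10:15 window is reported; the single POST at 10:20 stays below both thresholds.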
What is the XML RPC Protocol?
The XML RPC protocol of WordPress behaves just like an API (Application Program Interface), allowing remote access to your website in order to administer it.
Thanks to this feature you will be able to publish, edit or delete a blog post / article, upload media, list and edit your comments, change some administration options in settings, and list, edit, delete or publish new categories.
How to enable the XML RPC Protocol for my website?
Given the features gained and the popular plugins that rely on this very protocol (Jetpack), you of course have the possibility to unblock it directly from your control panel.
You can find the steps below:
1) Log in to your FTP account and list your public_html directory or your addon domain directory.
2) Find and download the .htaccess file of your website.
3) Append the code below:
allow from all
This will forcefully allow the XML RPC protocol on your website.
4) In order to protect yourself from DDoS attacks, we recommend that you install the following 2 plugins:
- Wordfence Security: This plugin protects you from brute-force attacks based on xmlrpc.php by banning clients, along with protecting your website from many vulnerabilities.
- Disable XML-RPC Pingback: It blocks the pingback feature of your website, preventing it from participating in attacks.
**Please note that if you have subdomains or addon domains using WordPress inside your public_html directory, this rule will be passed to them and would expose you to DDoS attacks on all your WordPress installations, so it is recommended to install the plugins on all your websites.**