xmlrpc blocking in WordPress

With the exception of Jetpack's IP address ranges, we block access to WordPress's xmlrpc.php because of the volume of abuse directed at this endpoint.

If you have an application that needs to use WordPress's xmlrpc.php, add the following to the top of the site's .htaccess file to allow your application to reach xmlrpc.php:

# Re-enable access to xmlrpc.php; this overrides our default block for this file only.
# The pattern is anchored at both ends so that it matches exactly xmlrpc.php.
<FilesMatch "^xmlrpc\.php$">
Order Allow,Deny
Allow from all
</FilesMatch>

If you elect to unblock xmlrpc.php using the snippet above, we recommend protecting it with a web application firewall (for example a security plugin) within your WordPress installation.
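A tighter alternative, added here as an illustration rather than taken from the article: instead of "Allow from all", permit xmlrpc.php only to the addresses your application actually connects from. The addresses 203.0.113.10 and 198.51.100.0/24 are placeholders to be replaced with your application's real egress IPs.

```apache
# Added example, not the host's own snippet. Drop-in replacement for the
# "Allow from all" block: only the listed addresses may reach xmlrpc.php,
# everyone else gets 403. Placeholder addresses, replace with your own.
#
# Note: an access-control section in .htaccess replaces the host's rules
# for this file, so if the site uses Jetpack, list Jetpack's published
# address ranges here as well.

# Apache 2.2 (mod_access_compat) syntax, matching the host's snippet:
<FilesMatch "^xmlrpc\.php$">
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 198.51.100.0/24
</FilesMatch>

# Equivalent on Apache 2.4 using the newer authorization directives.
# Use one form or the other; do not mix Order/Allow with Require in
# the same section.
#
# <FilesMatch "^xmlrpc\.php$">
#     Require ip 203.0.113.10 198.51.100.0/24
# </FilesMatch>
```

Requests from any other source still receive a 403, so password guessing against xmlrpc.php from arbitrary addresses is refused before WordPress ever sees the credentials.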

Supporting information:

WordPress's xmlrpc.php endpoint allows actions such as making blog posts from a connected device, for example a smartphone. A username and password are submitted to xmlrpc.php each time a post is made this way.

Consequently, xmlrpc.php can be used to log in to a WordPress site.

Because few sites have xmlrpc.php adequately protected, malicious parties can use it to brute-force WordPress-based sites (repeatedly guessing usernames and passwords until the correct credentials are found). If xmlrpc.php is not protected, the site remains vulnerable to brute forcing even when the standard WordPress dashboard login is protected.

It is because of this lack of protection for xmlrpc.php, and the repeated brute-forcing attempts directed at it, that we have the default block in place.
