We have disabled XML-RPC for WordPress

The WordPress XML-RPC protocol is outdated and vulnerable to attack. In light of numerous attacks recorded in our web logs, we decided it prudent to disable it for all WordPress websites.

For an explanation of what XML-RPC is, its replacement by the new WordPress API, and why the presence of XML-RPC may be problematic, have a read through the excellent Kinsta blog post.

Our web logs are filled with evidence of XML-RPC attacks; in some cases these attacks are so severe that they noticeably slow down the server. With immediate effect, we are blocking access to xmlrpc.php on all websites.

You may be using a security plugin on your website to thwart XML-RPC attacks, but those attacks still go through to your WordPress installation for processing and dismissal. With the way we are now blocking XML-RPC requests, the attacks will be deflected immediately and will not even reach your website, protecting both your website from the attack and the server from overloading.

We understand that there are legitimate uses of XML-RPC, such as Jetpack (for the sake of compatibility with older versions). For this reason we are whitelisting the Jetpack server IP addresses so that they can still access xmlrpc.php. Should you find that this new limitation breaks functionality on your website, please contact us.
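
One way to check from an access log that the block is deflecting xmlrpc.php requests while whitelisted clients still get through, as an added example that is not our own tooling. It assumes Combined Log Format and that blocked requests are answered with 403; the allowlist is a placeholder documentation range, not the real Jetpack addresses, and the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Placeholder allowlist (RFC 5737 documentation range), NOT real Jetpack addresses.
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]
BLOCK_STATUS = "403"  # assumption: the server-level block answers with 403

# Combined Log Format: client, identity, user, [timestamp], "request", status, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 153 "-" "-"
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 403 153 "-" "-"
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "-"
192.0.2.15 - - [01/Jan/2024:10:00:04 +0000] "POST /xmlrpc.php?for=jetpack HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "-"
"""

def is_allowlisted(ip):
    """True if the client address falls inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # hostname or malformed field in the log
        return False
    return any(addr in net for net in ALLOWLIST)

def audit_xmlrpc(log_text):
    """Return (xmlrpc.php requests per client, leaks).

    A leak is a request from a non-allowlisted client that was not
    answered with BLOCK_STATUS, i.e. it reached the site anyway."""
    per_ip, leaks = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if not path.endswith("/xmlrpc.php"):
            continue
        per_ip[m["ip"]] += 1
        if not is_allowlisted(m["ip"]) and m["status"] != BLOCK_STATUS:
            leaks.append((m["ip"], path, m["status"]))
    return per_ip, leaks
```

An empty leak list over a real log means every non-allowlisted xmlrpc.php request was turned away before reaching WordPress; the per-client counts show which addresses generate the most attempts.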