The xmlrpc.php file is the file used by WordPress to allow remote management actions to be carried out on your WordPress site, such
as creating and publishing posts from mobile apps or central publishing dashboards, updating plugins and more.
If you're not using any of those remote management features, disabling the xmlrpc.php file will help protect your WordPress site and reduce potential excessive resource usage for your WordPress site, as well as protect it from attack.
There are a number of ways to disable it, but in this guide, we'll focus on one method - editing your site's .htaccess file
1. Log into cPanel.
2. Open the File Manager.
3. Click on the Settings icon in the top right corner
4. Tick the box to "Show Hidden Files (dotfiles)" and then click Save
5. Click on the .htaccess file once, and then click Edit in the toolbar
6. Click the Edit button on the window that appears
7. Add the lines below at the bottom of the file:
Deny from all
# Allow from 127.0.0.1
If you're using a remote management panel, remove the # from the start of the Allow line, and add in the IP address for the server that runs your remote management service. You can get this information from their support team.
8. Click the "Save Changes" button in the top right hand corner.
Congratulations. You've now protected your site's xmlrpc.php file from attacks.