XML-RPC is a feature of WordPress that enables data to be transmitted, with HTTP acting as the transport mechanism and XML as the encoding mechanism.
Since WordPress is not a self-contained system and occasionally needs to communicate with other systems, XML-RPC was introduced to handle that job.
The biggest issues with XML-RPC are the security concerns that arise. The issues aren’t with XML-RPC itself, but with how the xmlrpc.php file can be used to enable brute force attacks against your site.
There are two main weaknesses in XML-RPC:
The first is brute force attacks used to gain entry to your site.
An attacker will try to log in to your site through xmlrpc.php using various username and password combinations.
They can effectively use a single request to test hundreds of different passwords.
This allows them to bypass security tools that detect and block brute force attacks by counting individual login attempts.
The second is taking sites offline through a DDoS attack.
Attackers would use the pingback feature in WordPress to send pingbacks to thousands of sites almost instantaneously.
This feature in xmlrpc.php gives attackers a nearly endless supply of IP addresses to distribute a DDoS attack across.
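The following is an added example, not code from the original article or from WordPress: it parses an XML-RPC request body the way a WAF or plugin hook could, and flags the two abuse patterns above, namely many credentialed calls packed into one system.multicall request (the "single command" the article refers to) and pingback.ping calls. The threshold, the method list and the sample bodies are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Hypothetical threshold: more credentialed calls than this in one
# system.multicall request is treated as password guessing.
MAX_LOGIN_CALLS_PER_REQUEST = 2
# Assumed list of methods that carry a username/password argument.
CREDENTIALED_METHODS = {"wp.getUsersBlogs", "wp.getCategories", "wp.getPosts"}

def nested_methods(root):
    """Return the methodName of every call packed inside a system.multicall."""
    names = []
    for struct in root.iter("struct"):
        for member in struct.findall("member"):
            if (member.findtext("name") or "").strip() == "methodName":
                names.append("".join(member.find("value").itertext()).strip())
    return names

def classify_xmlrpc(body):
    """Return (method, nested_calls, verdict) for one raw XML-RPC POST body."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return (None, [], "malformed")
    if root.tag != "methodCall":
        return (None, [], "not-a-methodCall")
    method = (root.findtext("methodName") or "").strip()
    nested = nested_methods(root) if method == "system.multicall" else []
    login_calls = sum(1 for m in nested if m in CREDENTIALED_METHODS)
    if method == "pingback.ping":
        verdict = "pingback"  # the amplification vector described above
    elif login_calls > MAX_LOGIN_CALLS_PER_REQUEST:
        verdict = "multicall-password-guessing"
    else:
        verdict = "ok"
    return (method, nested, verdict)

def multicall_body(n):
    """Construct a system.multicall body holding n wp.getUsersBlogs attempts."""
    call = ("<value><struct><member><name>methodName</name>"
            "<value><string>wp.getUsersBlogs</string></value></member>"
            "<member><name>params</name><value><array><data>"
            "<value><string>admin</string></value><value><string>guess{i}</string>"
            "</value></data></array></value></member></struct></value>")
    return ("<?xml version='1.0'?><methodCall><methodName>system.multicall</methodName>"
            "<params><param><value><array><data>" + "".join(call.format(i=i) for i in range(n))
            + "</data></array></value></param></params></methodCall>")

# Constructed pingback.ping body (source URL, then target URL).
PINGBACK = ("<?xml version='1.0'?><methodCall><methodName>pingback.ping</methodName>"
            "<params><param><value><string>http://source.example/</string></value></param>"
            "<param><value><string>http://target.example/p/</string></value></param>"
            "</params></methodCall>")

if __name__ == "__main__":
    for body in (multicall_body(50), PINGBACK, multicall_body(1)):
        print(classify_xmlrpc(body))
```

Note that xml.etree does not protect against entity-expansion tricks; in production, parse untrusted bodies with a hardened parser such as defusedxml.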