In the root of your main FTP account, you'll find an .htaccess file. In this file you'll find something like this:
<Files xmlrpc.php>
Order Allow,Deny
Deny from All
</Files>
You can simply remove this code, and it will allow access to xmlrpc.php again. But expect increased resource usage and massive brute force attacks.
------------------------
What is xmlrpc.php?
XML-RPC is an RPC protocol that uses XML for communication. It's basically a small API around your application that you can talk to using XML.
xmlrpc.php in WordPress simply calls a bunch of WordPress functions, and it allows you to programmatically manage your WordPress website and perform certain actions on it.
Why is it bad?
xmlrpc.php isn't exactly bad; however, it opens the door to brute force amplification attacks, which both use a lot of resources and increase the risk of your website getting compromised.
WordPress's xmlrpc.php implements a function called system.multicall, which allows you to perform the same action over and over again. This means an attacker is able to test thousands of passwords against your WordPress site with only a few calls, instead of trying to brute force using wp-login.php.
Why do you block it?
We block access to xmlrpc.php by default on all our hosting plans. We do this because actual usage of xmlrpc.php is quite minimal: less than 1% of the WordPress sites we host actually make use of it.
Allowing xmlrpc.php increases the chances of large brute force attacks, which is a security concern, but at the same time the resources spent processing these xmlrpc.php brute force attacks can be better spent elsewhere.
So it boils down to security and resource usage.
Every single day we're blocking more than 25,000 brute force attacks coming through xmlrpc.php, each call containing on average about 400 passwords - that's equal to 10 million login attempts per day.
Does the block affect my site in any way?
If you're using the Jetpack plugin or the WordPress application on your mobile devices, then we advise removing the block. External systems that make use of xmlrpc.php have to either be whitelisted by IP, or the block has to be removed.
If you're not using a plugin that relies on xmlrpc.php (99% of sites don't), then your site won't have any issues at all due to the xmlrpc.php block.
xmlrpc.php is an external API endpoint that WordPress itself doesn't use, so your site's functionality won't stop working due to a block of xmlrpc.php.
My error log shows it got blocked, is that an issue?
If you look in your "Errors" page in cPanel you might see entries that look similar to the one below:
[Sat Jan 14 02:41:21.751184 2017] [access_compat:error] [pid 416005:tid 140428175173376] [client 176.139.XX.X:63XXX] AH01797: client denied by server configuration: /home/XXXXXXXX/public_html/xmlrpc.php
This error comes from the Apache module "mod_access_compat". It is the result of the "Order Allow,Deny" and "Deny from All" entries in the block we have. Whenever a request goes against such a restriction, the Apache module logs an error saying that it blocked the request.
These errors are expected since these brute force attacks happen constantly; an entry is just an indicator that a request of some kind to xmlrpc.php got blocked.
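To see how much of an error log is just this block doing its job, the AH01797 entries can be summarised per client. The script below is an added example, not part of the original article or of our tooling; the function names are hypothetical and the sample log lines are constructed (documentation IP ranges, placeholder account name).

```python
import re
from collections import Counter

# Apache 2.4 error-log layout, as in the entry shown above:
# [time] [module:level] [pid ...] [client ip:port] AHnnnnn: message
LINE_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid [^\]]+\] \[client (?P<client>[^\]]+)\] (?P<code>AH\d+): (?P<msg>.*)$"
)
DENIED_PREFIX = "client denied by server configuration: "


def parse_denied(line):
    """Return (client_ip, path) for an AH01797 denial, otherwise None."""
    m = LINE_RE.match(line.strip())
    if not m or m["code"] != "AH01797" or not m["msg"].startswith(DENIED_PREFIX):
        return None
    # The client field is "ip:port"; split on the last colon so IPv6 survives.
    ip, _, _port = m["client"].rpartition(":")
    # Apache may append ", referer: <url>" after the path; drop it.
    path = m["msg"][len(DENIED_PREFIX):].split(", referer: ")[0]
    return ip, path


def blocked_xmlrpc_by_client(lines):
    """Count blocked requests to xmlrpc.php per client IP."""
    counts = Counter()
    for line in lines:
        hit = parse_denied(line)
        if hit and hit[1].endswith("/xmlrpc.php"):
            counts[hit[0]] += 1
    return counts


# Constructed sample input, not taken from a real server.
SAMPLE_LOG = """\
[Sat Jan 14 02:41:21.751184 2017] [access_compat:error] [pid 416005:tid 140428175173376] [client 203.0.113.7:63012] AH01797: client denied by server configuration: /home/exampleuser/public_html/xmlrpc.php
[Sat Jan 14 02:41:22.104512 2017] [access_compat:error] [pid 416005:tid 140428175173376] [client 203.0.113.7:63015] AH01797: client denied by server configuration: /home/exampleuser/public_html/xmlrpc.php
[Sat Jan 14 02:42:10.330871 2017] [access_compat:error] [pid 416005:tid 140428175173376] [client 198.51.100.23:41877] AH01797: client denied by server configuration: /home/exampleuser/public_html/xmlrpc.php, referer: http://example.com/
[Sat Jan 14 02:42:11.000120 2017] [access_compat:error] [pid 416005:tid 140428175173376] [client 198.51.100.23:41880] AH01797: client denied by server configuration: /home/exampleuser/public_html/private/notes.txt
[Sat Jan 14 02:43:00.512000 2017] [core:error] [pid 416005:tid 140428175173376] [client 192.0.2.10:50100] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error.
[Sat Jan 14 02:44:05.900412 2017] [access_compat:error] [pid 416005:tid 140428175173376] [client 2001:db8::5:40000] AH01797: client denied by server configuration: /home/exampleuser/public_html/xmlrpc.php
""".splitlines()

if __name__ == "__main__":
    for ip, n in blocked_xmlrpc_by_client(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n}")
```

Denials for other files and other error codes are ignored, so what remains is only the traffic the xmlrpc.php block stopped.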