XML-RPC is an outdated and verbose use of XML over HTTP to make API calls, sometimes errantly used as a synonym of MetaWeblog API (the most well known example thereof), that enables and implicitly encourages using your actual username and password (instead of OAuth) with client software, thus overprivileging that software, as well as possibly transmitting your password in the clear over HTTP.
How to disable
If you have any experience with these methods, please add it here!
- There is a plugin Disable XML-RPC
- Or follow these instructions: http://wordpress.stackexchange.com/a/219666
“XML-RPC does not add any value over XML … 4 times the number of bytes compared to plain XML to encode the same objects, which is itself verbose compared to JSON.” More:
Encourages Password Antipattern
XML-RPC depends on the user’s username and password being entered into every third party XML-RPC client software to send to the XML-PRC server, an example of the password antipattern.
Encourages passwords over HTTP
Even if both client and server are from the same manufacturer / project, because XML-PRC depends on username and password being transmitted, possibly in the clear (i.e. over HTTP not HTTPS), it makes the user vulnerable to network traffic sniffing, and thus use of XML-RPC apps creates a likely security risk for users.