validator.w3.org
WordPress xmlrpc.php Protection
In early 2014, an exploit attack started being regularly levied against and through WordPress sites via their xmlrpc.php files.
Since then, access to xmlrpc.php has been blocked by default on all our shared hosting servers, but site administrators can allow access at any time with standard .htaccess directives.
Important
We strongly advise against ever removing the default security provided by our server configuration unless you know that you truly need to allow access to your xmlrpc.php files.
However, if you do ultimately decide to allow access, you can easily do so either by renaming the file and updating your code accordingly, or by adding an override directive to a .htaccess file.
A minimal override in .htaccess to allow access to xmlrpc.php would be along the lines of...
<FilesMatch "^xmlrpc\.php$"> Require all granted </FilesMatch>