XML-RPC on WordPress is an API (application programming interface). It allows developers who make mobile apps, desktop apps, and other services to talk to your WordPress site. The XML-RPC API that WordPress provides lets developers write applications (for you) that can do many of the things you can do when logged into WordPress via the web interface.

These include:

  • Publish a post
  • Edit a post
  • Delete a post
  • Upload a new file (e.g. an image for a post)
  • Get a list of comments
  • Edit comments

The "XML-RPC WordPress API" page on the WordPress Codex provides a complete list of the WordPress API functions available to developers via XML-RPC.

If you disable the XML-RPC service on WordPress, applications can no longer use this API to talk to WordPress.

Let’s use an example to illustrate: You have an iPhone app that lets you moderate WordPress comments. Someone advises you to disable XML-RPC. Your iPhone app suddenly stops working because it can no longer communicate with your website using the API you just disabled.

There are two common attacks on XML-RPC:

  • DDoS via XML-RPC pingbacks.
  • Brute force attacks via XML-RPC.

If you still want to disable XML-RPC, use the WP Ghost plugin to disable it and whitelist the IP addresses of your apps so they can still make XML-RPC calls safely.
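
To see whether either attack is actually reaching your site, and which client addresses belong on the whitelist, you can count POST requests to xmlrpc.php per source IP in the web server access log. The script below is an added example, not code from the original page or from WP Ghost; the log lines, addresses, allowlist and threshold are constructed, and it assumes common/combined log format. Access logs do not record the XML-RPC method name, so pingback abuse and password guessing both show up only as POST volume.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Common/combined log format: client IP first, request line in quotes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

def flag_xmlrpc_sources(log_text, allowlist=(), threshold=10):
    """Return {ip: POST count} for non-allowlisted clients at or above threshold."""
    nets = [ip_network(n) for n in allowlist]
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line
        ip, method, target = m.groups()
        path = target.split("?", 1)[0]  # ignore any query string
        if method != "POST" or not path.endswith("/xmlrpc.php"):
            continue
        try:
            addr = ip_address(ip)
        except ValueError:
            continue  # first field was a hostname, not an address
        if any(addr in net for net in nets):
            continue  # known app, e.g. your comment-moderation client
        hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

# Constructed sample log (documentation-range addresses, not real traffic).
_LINE = '{ip} - - [10/Mar/2024:10:00:{s:02d} +0000] "{m} {p} HTTP/1.1" 200 403 "-" "-"'
SAMPLE_LOG = "\n".join(
    [_LINE.format(ip="203.0.113.7", s=i, m="POST", p="/xmlrpc.php") for i in range(30)]
    + [_LINE.format(ip="198.51.100.20", s=i, m="POST", p="/xmlrpc.php") for i in range(40)]
    + [_LINE.format(ip="192.0.2.9", s=i, m="POST", p="/xmlrpc.php") for i in range(3)]
    + [_LINE.format(ip="192.0.2.9", s=5, m="GET", p="/index.php")]
    + ["not a log line"]
)

if __name__ == "__main__":
    # 198.51.100.0/24 stands in for the network your own apps connect from.
    flagged = flag_xmlrpc_sources(SAMPLE_LOG, allowlist=["198.51.100.0/24"])
    for ip, count in sorted(flagged.items(), key=lambda kv: -kv[1]):
        print(f"{ip}\t{count} POSTs to xmlrpc.php")
```

A busy legitimate app can exceed the threshold too, which is why the allowlist is applied before counting.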