XML-RPC is a WordPress feature (xmlrpc.php) that allows remote posting and pingbacks — it's also one of the most commonly abused endpoints for brute-force login attempts and DDoS amplification attacks, and most sites never actually use its legitimate functionality.
WordPress's xmlrpc.php is a classic, still-actively-exploited target — attackers use it for brute-force login amplification (checking hundreds of password combinations in one request) and as a DDoS pingback relay against other sites.
/xmlrpc.php is disabled or restricted, unless a specific integration you actively use requires it.
Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.
Run this check in H.I.V.E. →