Most WordPress sites should block or restrict xmlrpc.php if they do not use legacy mobile publishing, pingbacks, Jetpack features or remote integrations that still depend on it. The safe choice is to audit dependencies first, then block, restrict or allowlist based on evidence.
XML-RPC risk depends on site ...