XML-RPC for WordPress was designed to enable remote connections between your site and external applications.

WHY SHOULD I DISABLE XML-RPC?

There are security risks associated with leaving XML-RPC enabled. 
These can include: Brute Force Attacks and DDoS Attack

There are two ways.

1. Custom code in function.php

add_filter('xmlrpc_enabled', '__return_false');
add_filter('wp_headers', 'removeXPingback');
add_filter('pings_open', '__return_false', 9999);
function removeXPingback($headers) {
	unset($headers['X-Pingback'], $headers['x-pingback']);
	return $headers;
}

2. .htaccess

# Block WordPress xmlrpc.php requests

order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx

You can replace xxx.xxx.xxx.xxx with an IP address you wish to give access to xmlrpc.php. If you wish to remove access completely, you can simply remove this line.

3. Using EC Addons