Hi,
In and of itself, having xmlrpc.php accessible is not a risk. It is possible for plugins to introduce a vulnerability, but on the whole, it is safe to use. It is also how the WordPress mobile apps interact with your site.
We generally don’t suggest IP level blocks since we have a pretty big IP space that Jetpack-related connections could be made from and as our IP space changes, it could introduce odd behavior (or stop working completely) that could be difficult to isolate.
Cheers!
I have it working after adding the IP block from Jetpack, as below, in the .htaccess file.
# protect xmlrpc
# Apache 2.2-style access control (requires mod_access_compat on Apache 2.4).
# Deny everyone, then allow only the Jetpack address ranges listed below.
<FilesMatch "xmlrpc\.php$">
order deny,allow
deny from all
allow from 216.151.209
allow from 66.135.48
allow from 69.174.248
allow from 76.74.255
allow from 216.151.210
allow from 76.74.248
allow from 76.74.254
allow from 207.198.112
allow from 207.198.101
allow from 198.181.116
allow from 192.0.64
allow from 66.155.8
allow from 66.155.38
allow from 72.233.119
allow from 209.15.21
</FilesMatch>
@wongplanner While that can work for a while, our IP addresses change from time to time, so you’ll experience issues when we add new IP ranges.
Instead, I’d recommend allowing access to everyone, but blocking pingback requests with a plugin like this one:
https://wordpress.org/plugins/disable-xml-rpc-pingback/
I hope this helps.
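The pingback-only block recommended in the reply above, written out as an added example (not code from this thread, from Jetpack, or from the linked plugin): a must-use plugin that keeps xmlrpc.php reachable for Jetpack and the mobile apps but removes the pingback methods using WordPress's xmlrpc_methods, wp_headers and bloginfo_url filters. The file name and plugin header are my own choices.

```php
<?php
/**
 * Plugin Name: Block XML-RPC pingbacks (added example, not from the thread)
 * Description: Leaves xmlrpc.php open for Jetpack and the mobile apps, but
 *              removes the pingback methods and stops advertising the endpoint.
 * Install: save as wp-content/mu-plugins/block-xmlrpc-pingbacks.php
 */

// Remove the pingback methods from the XML-RPC method table, so a
// pingback.ping call gets a "method not found" fault instead of making
// the site issue an outbound HTTP request to the claimed source URL.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop sending the X-Pingback header on single posts and pages.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Blank out get_bloginfo( 'pingback_url' ), which themes use for the
// <link rel="pingback"> tag, so the endpoint is not advertised in HTML either.
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return ( 'pingback_url' === $show ) ? '' : $output;
}, 10, 2 );
```

All other XML-RPC methods (the ones Jetpack and the apps rely on) stay available, so this is the narrower alternative to the IP allow-list in the .htaccess snippet earlier in the thread.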