Definitely disable it. I also rename it and/or delete it from site root.
Don't get me started on how lame this thing is in being yet another attack vector we all have to deal with, no thanks to Wordpress.
I use the plugin "Disable XML-RPC" which seems to play nice with other plugins including Wordfence.
MTN