Hello maestrom,
Unless you are using some external services to access your WordPress installation, you do not need xmlrpc.php. On the Wordfence "Options" page, under "Other options", in the setting "Immediately block IP's that access these URLs", you can enter "xmlrpc.php". This will cause anyone who tries to request that URL to be blocked.
xmlrpc.php can be used for logging in. This is why malicious users are requesting it.
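
Before enabling the block, it helps to see which clients are already requesting xmlrpc.php. The following is an added example, not part of the original reply and not Wordfence code: it counts requests to xmlrpc.php per client IP in a web server access log. It assumes the Apache/Nginx "combined" log format; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in "combined" log format (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:03 +0000] "POST //xmlrpc.php?x=1 HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:02:00 +0000] "GET /blog/why-xmlrpc.php-matters HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:10:03:00 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/8.0"
malformed line without a request
"""

# client IP, identd, user, [timestamp], "METHOD target PROTOCOL"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)


def requests_xmlrpc(target):
    """True if any path segment of the request target is exactly xmlrpc.php."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    # Dropping empty segments normalises doubled slashes such as //xmlrpc.php.
    segments = [s for s in path.split("/") if s]
    return any(s.lower() == "xmlrpc.php" for s in segments)


def xmlrpc_hits(log_text):
    """Return a Counter mapping client IP -> number of xmlrpc.php requests."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:  # skip lines that do not parse instead of failing
            continue
        if requests_xmlrpc(m.group("target")):
            hits[m.group("ip")] += 1
    return hits


def repeat_clients(log_text, min_hits):
    """Sorted list of IPs with at least min_hits xmlrpc.php requests."""
    return sorted(ip for ip, n in xmlrpc_hits(log_text).items() if n >= min_hits)


if __name__ == "__main__":
    for ip, count in xmlrpc_hits(SAMPLE_LOG).most_common():
        print(f"{ip}\t{count}")
```

If a legitimate external service shows up in this list, it would be blocked as well once the setting is enabled.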