xmlrpc is enabled by default. But your plugin might have disabled it, so your WordPress system doesn’t allow any external apps to post to your blog.
It’s totally secure to just leave xmlrpc enabled. Most WordPress websites (even the most popular ones) have it enabled. For examples,