I have a bit of WP experience at this point. The XML-RPC functionality is actually used a lot by folks who use Microsoft LiveWriter and other tools to write in WP. It is also a known security nightmare for some time. STH does not have XML-RPC active for that reason.
The "pingback" functionality in WP is fairly common. It refers basically to the functionality that lets you see when another site has cited a post. You can see on many WP blogs a series of entries in the comments sections with quotes and links to other web properties. This is another functionality STH has had turned off for years now since it is a favorite target for spammers looking to get links to their sites.
WP Spam is absolutely crazy. Last month I think STH got somewhere around 1500 spam comments a day. This month it is averaging over 3000. September 2013 was around 750/ day.
Bottom line is that WP is so widely adopted with tens of millions of installations that it is a huge attack vector. I know that many larger sites such as Tom's and Anandtech are custom written CMS which gives a little "security by obscurity" but we all know that is not worth too much.
Hopefully that is somewhat useful to those that are not overly versed in the administration side of WordPress. I am by no means a WP expert, but I do have some experience.