If you disable XML-RPC authentication, the number of spam account registrations on WordPress will drop by at least 90%. Do not delete this xmlrpc. php file. Disable it via a plugin or manually with a code.
Disable XML-RPC authentication
If disabled, XML-RPC requests that attempt authentication will be rejected, whether the user has 2FA enabled or not.