I've used Defender Pro to disable XML-RPC and it's listed under the Security Tweaks as being "Resolved". However, when I run your WP Checkup tool, it lists XML-RPC as being enabled. I actually had this problem with another website of mine running Defender Pro, where the site actually was attacked using XML-RPC even though I thought it was disabled. I contacted my host provider (Cloudways) and they confirmed that it wasn't disabled and was being exploited. I had to add custom code to my functions.php file in that case to actually disable it.
Could you guys please look into this and help to identify why this is happening?