WordPress to Disable XMLRPC by Default?
Three different people have alerted me to a minor storm in a tiny teacup over the news/rumor/allegation that WordPress is to disable XMLRPC publishing by default:
In order to protect the majority of blogs which don’t use these protocols against any possible security vulnerabilities we should disable them by default.
Really? Is this what we are supposed to be getting upset about? As westi says:
from WordPress 2.6 onwards you will need to go into the Settings->Write page and enable them individually if you want to use them.
That doesn’t seem much of an ordeal. I imagine half of the readers of this blog are saying “What the heck is XMLRPC?” and the other half are quite aware of what XMLRPC is and do not much care if it is off by default.
XMLRPC is the way that you can control your blog without using the blog user interface. It’s the method that offline blogging tools like Ecto and Scribefire use to add content to your blog. As you can imagine from my description, this is powerful stuff, and if the developers believe there is a security hole to be filled, it is quite right that they turn their wary eye towards it. Many hosting companies have been wary of XMLRPC, even down to making it difficult for people to enable it.
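To make that "remote control" concrete, here is an added example (not from the original post, and not code from WordPress or from any editor vendor): it serialises the metaWeblog.newPost call an offline editor would POST to /xmlrpc.php, and classifies a reply from that endpoint so a site owner can confirm the service really is off. The sample replies are constructed, and the wording of the "disabled" fault is an assumption, not WordPress's actual message.

```python
import xmlrpc.client


def build_new_post_request(blog_id, username, password, title, body, publish=True):
    """Serialise the metaWeblog.newPost call an offline editor sends to
    /xmlrpc.php. Note that every call carries the username and password
    inline, which is the main reason an always-on endpoint is worth
    worrying about (and why request bodies should never be logged)."""
    content = {"title": title, "description": body}
    return xmlrpc.client.dumps((blog_id, username, password, content, publish),
                               methodname="metaWeblog.newPost")


def classify_response(body):
    """Classify the reply from xmlrpc.php:
    'enabled'    - a normal methodResponse, the service is reachable
    'disabled'   - an XML-RPC fault saying the service is switched off
    'fault'      - some other XML-RPC fault (bad method, bad login, ...)
    'not-xmlrpc' - an HTML error page, empty body, or other non-XML-RPC reply
    """
    try:
        xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        return "disabled" if "disabled" in fault.faultString.lower() else "fault"
    except Exception:  # ExpatError, ResponseError: not a valid XML-RPC reply
        return "not-xmlrpc"
    return "enabled"


# Constructed sample replies (hypothetical, not captured from a real site).
ENABLED_REPLY = """<?xml version="1.0"?>
<methodResponse><params><param><value><array><data>
<value><string>system.listMethods</string></value>
<value><string>metaWeblog.newPost</string></value>
</data></array></value></param></params></methodResponse>"""

DISABLED_REPLY = """<?xml version="1.0"?>
<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>405</int></value></member>
<member><name>faultString</name><value><string>XML-RPC services are disabled on this blog.</string></value></member>
</struct></value></fault></methodResponse>"""


if __name__ == "__main__":
    print(build_new_post_request("1", "editor", "example-password", "Hello", "Body text"))
    for label, reply in (("enabled", ENABLED_REPLY), ("disabled", DISABLED_REPLY)):
        print(label, "->", classify_response(reply))
```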
I can certainly understand the remote editor community getting upset. For them it is an extra hoop for end users to jump through; their products are meant to make things easier, and this will be a hindrance. As Daniel Jalkut (MarsEdit) says:
For users who would find value in a remote client, this decision will put one more roadblock in their way
My main question is, what exactly is the security concern they have with XMLRPC? Why now? If there is a clear danger, fair enough, but if this is the WordPress developer equivalent of security theater, well, let’s not bother eh?
Posted on June 26, 2008 by Chris Garrett
Filed Under Blogging
2 Responses to “WordPress to Disable XMLRPC by Default?”
While I’m not clued up about the finer details of XMLRPC, almost every feature you have in software is a potential security threat. A feature that allows remote administration incredibly so.
Simply put, the fewer features like that, the less hackable you are, as the (jargon alert) “attack vector” is reduced.
Some horrible attacks (Code Red for example) have occurred due to seemingly innocuous features.
It’s just good practice to start with only what you need, and open features as required.
I can understand Ecto’s point of view, but on the whole, if people lose faith in WordPress, that doesn’t help them either.
If I recall correctly, there has been at least one serious WordPress vulnerability recently, so they’re probably trying to make sure it doesn’t happen again.
WordPress 2.6 is supposed to (rumor has it) fix the potential of a SQL injection attack. I wonder if this has to do with the XMLRPC? I cannot seem to find any information anywhere on WordPress.org that specifically addresses the huge issue this caused recently. Maybe they don’t want to admit to such a huge hole? Or am I just missing something?