WordPress.org

Ready to get started?Download WordPress

Forums

[resolved] Disable XML-RPC? (3 posts)

  1. gcaleval
    Member
    Posted 1 year ago #

    I note that the Core team decided it would be a feature to force admins to having XML-RPC always enabled. From the 3.5 Codex:

    XML-RPC: Now always enabled and supports fetching users, managing post revisions, searching

    While turning it permanently on, it was also decided to continue reducing the choices web admins can make, i.e. prevent them from being able to easily disable XML-RPC. So the setting was removed from the Writings screen.

    Lots of sites have no good purpose for having XML-RPC enabled. Lots are not bound up in remote blogging or see their sites as aimed devices the size of your hand. Or "integration" services that only work by pulling user lists from your site. Or, or, or ...

    Is there a way to disable this new access to "fetching users, posting revisions" and so on.

    I note with concern the alert and code posted on securityfocus.com:

    [With WP 3.5] "You can now even scan the server itself or discover some hosts on the internal Network this server is on.
    So i wrote this little Ruby Script to utilize this "feature":

    https://github.com/FireFart/WordpressPingbackPortScanner

    You can even use multiple WordPress XML-RPC Interfaces to scan a single host so this can be some kind of distributed port scanning.

    Build a door for hackers and you know they are going to start knocking. Today it's site profiling and port scanning. Tomorrow it will be attempts to "fetch users." It seems reasonable that the people exposed to such adventures should be only those who actually need or want the functionality XML-RPC provides. If the rejoinder is that the WP implementation is perfectly secure, I say nothing is perfect and why does it matter? Why should we force sites to carry functionality they don't need?

    For now I am locking down the xml-rpc.php file through htaccess, but if there is a better way, I'd appreciate knowing.

    I also would benefit from an understanding why the Core team thinks removing options from web admins is a good direction for WordPress. I can get that the belief that everything must be tied to handhelds so building such functionality into core rather than as a plugin. But why the compulsory adoption?

    But -- I do express my sincere appreciation for the enormous efforts contributed by the core team. I'm truly grateful for your work and the wonderful product you create in WordPress.

  2. esmi
    Forum Moderator
    Posted 1 year ago #

  3. gcaleval
    Member
    Posted 1 year ago #

    Thank you esmi. That was a very helpful link!

Topic Closed

This topic has been closed to new replies.

About this Topic