Support » Plugins » Working with XML-RPC

  • Hi Guys,

    I developed the Absolute Privacy plugin. It makes users have to log into view the blog (among other things). Obviously this means that users using xml-rpc on their blog will not have access (such as the iPhone app).

    How can I still make the xml-rpc protocol available while still redirecting non-logged in users to the login page? I tried adding the protocol function to the login header but can’t seem to get it to work still.

    I tried this:

    ‘add_action(‘login_head’, ‘rsd_link’);`

    When doing the above, rather then saying it couldn’t find the xml-rpc file, the iPhone app said that the username/password combination was wrong (even though I knew I was using the right login credentials).

    Any suggestions?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Doing a quick look through your plugin code I see that you are overriding the default wp_authenticate() function. And early on it does this check:

    if(!isset($_POST['wp-submit'])) return new WP_Error('user_login', __('<strong>You must be logged in to view this site</strong>.'));;

    Which will always fail for XML-RPC requests. So your wp_authenticate() always returns a WP_Error object, which the XML-RPC login method looks for and always returns the bad username/password text:

    if (is_wp_error($user)) {
                $this->error = new IXR_Error(403, __('Bad login/pass combination.'));
                return false;

    One thing you could do is skip your additional checks XMLRPC_REQUEST is defined as true.

    Ok, I’ve made an update that works now with the iPhone app, but I’m not sure if there are any security issues with this:

    if(!function_exists('wp_authenticate')) {
    	 function wp_authenticate($username, $password) {
    		global $wpdb, $error, $absolutePrivacy;
    		$username = sanitize_user($username);
    		$password = trim($password);
    		$user = apply_filters('authenticate', null, $username, $password);
    		if ( defined('XMLRPC_REQUEST') && XMLRPC_REQUEST ) return $user; //allows the XML-RPC protocol for remote publishing

    I also found that I didn’t need to include the RSD link in the wp_login header like I thought I did.

    I tested this with 2.8.1 and it worked, haven’t tried with 2.7.

    The XML-RPC code expects to get a WP_Error object back if auth fails:

    $user = wp_authenticate($username, $password);
            if (is_wp_error($user)) {
                $this->error = new IXR_Error(403, __('Bad login/pass combination.'));
                return false;

    So you should probably check $user after the auth filter and make sure to return a WP_Error if it fails. Basically the same thing that the original wp_authenticate function does.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Working with XML-RPC’ is closed to new replies.