[wp-hackers] XML-RPC Exploit?

Roy Schestowitz r at schestowitz.com
Wed Jul 6 06:42:25 GMT 2005

Quoting David Chait <davebytes at comcast.net>:

> Hey, a quick aside -- for users running OLD versions of WP (1.0, 1.2), is
> the xmlrpc.php a drop-in replacement, obviously with caveats related to
> updated fields in the database/table?  (I assume not necessarily, especially
> bc of changed tables, but worth asking...)
> And, for all versions, if only using the built-in admin screens and not
> third party composition apps, can xmlrpc.php be deleted?  (I looked in the
> codex, didn't find a quick answer... I assume so, but prefer to not assume!)
> Thanks, -d

I still run a modified version of WordPress 1.2.1 on two domains and I 
noticed a
question similar to yours asked in the forums, never to get a reply, yet.

There are two files I can identify as the roots of XML-RPC:

* wp-includes/class-xmlrpc.php
* wp-includes/class-xmlrpcs.php

the latter appears to be Matt's complement to the first. I chose to do the

chmod 0 wp-includes/class-xmlrpc.php wp-includes/class-xmlrpcs.php

Then, to avoid PHP warnings in your error logs, remember to disable Pingomatic
(you can still ping manually as it's painless):

Admin Panel -> Options -> Writing, then empty the 'Update Services' field.

I don't think you have an alternative as 1.2 (or earlier) is no longer
maintained. Whether the functions are flawed or not I don't know, but it's a
possible 'weapon' on the server, which I am scared of. I recently advised my
Web host to sniff around for unprotected WP 1.5 installations.


Roy S. Schestowitz

More information about the wp-hackers mailing list