[wp-hackers] XML-RPC Exploit?

Dougal Campbell dougal at gunters.org
Wed Jul 6 14:03:45 GMT 2005

David Chait wrote:
> Hey, a quick aside -- for users running OLD versions of WP (1.0, 1.2), 
> is the xmlrpc.php a drop-in replacement, obviously with caveats related 
> to updated fields in the database/table?  (I assume not necessarily, 
> especially bc of changed tables, but worth asking...)

I don't know for sure, but I doubt that it would work unaltered. I think 
that between 1.2 and 1.5, several functions related to xmlrpc.php were 
moved/modified. Plus we switched from the Useful, Inc. xmlrpc libraries 
to Simon Wilison's IXR library (which should be pretty transparent as 
far as the WP API goes, but...)

> And, for all versions, if only using the built-in admin screens and not 
> third party composition apps, can xmlrpc.php be deleted?  (I looked in 
> the codex, didn't find a quick answer... I assume so, but prefer to not 
> assume!)

As long as you don't need incoming or outgoing pingbacks, and if you use 
the web interface for managing your content, then you can safely delete 
xmlrpc.php and the associated libraries (class-xmlrpc.php and 
class-xmlrpcs.php in pre-1.5 versions, class-IXR.php in ver 1.5+). You 
probably just need to make sure that you disable the ping-related 
options in admin.

Dougal Campbell <dougal at gunters.org>

More information about the wp-hackers mailing list