[wp-trac] [WordPress Trac] #21509: Enable XML-RPC by default and remove the option

WordPress Trac noreply at wordpress.org
Sun Oct 26 20:13:09 UTC 2014


#21509: Enable XML-RPC by default and remove the option
-----------------------------+---------------------
 Reporter:  nacin            |       Owner:  nacin
     Type:  feature request  |      Status:  closed
 Priority:  normal           |   Milestone:  3.5
Component:  XML-RPC          |     Version:  4.0
 Severity:  major            |  Resolution:  fixed
 Keywords:  2nd-opinion      |     Focuses:
-----------------------------+---------------------

Comment (by redsweater):

 Replying to [comment:20 andrebron]:
 > > There are opportunities for the community to write plugins or better
 > > documentation on how to block ping/trackback requests either at the PHP
 > > level (e.g., by hooking the `xmlrpc_call` action and `die`ing for these
 > > methods) or the web server/proxy level (e.g., nginx or Varnish). But just
 > > disabling XML-RPC by default will not help with the DDOS issues.
 >
 > Another thought is entirely removing xml-rpc.php from core and only have
 > it installed when required.  Not sure how to implement that but it's worth
 > considering since wp DDOS exploitability and reputation is somewhat on the
 > line.

 Do you have any recent information to cite with respect to XML-RPC posing
 a significant security risk? The article you cited is from March, and
 since then the WordPress team has responded by hardening WordPress's XML
 processing.

 Because many people, among them the WordPress team's own iOS and Android
 app teams, depend upon the XML-RPC API being enabled by default, you're
 asking a lot to revive interest in disabling it. It will help a lot if you
 bring a compelling, up-to-date argument for how it's posing a significant
 risk to WordPress sites.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/21509#comment:21>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
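The quoted comment mentions blocking pingback/trackback methods at the PHP level by hooking the `xmlrpc_call` action. The following is an added illustration, not code from the ticket or from WordPress core, of what such a small plugin looks like. It assumes a WordPress install where the `xmlrpc_methods`, `xmlrpc_call`, `wp_headers` and `xmlrpc_enabled` hooks are available (all of these exist in core; `xmlrpc_enabled` is the filter this ticket introduced in place of the removed option). The plugin header name and the log message are constructed for the example.

```php
<?php
/*
Plugin Name: Example: block XML-RPC pingbacks (added illustration, not core code)
Description: Keeps XML-RPC enabled for clients such as the mobile apps, but
             refuses the pingback methods that are abused for reflection.
*/

// 1. Remove the pingback methods from the server's method table so they are
//    never dispatched. This is the cleanest layer: the client gets a normal
//    "method does not exist" XML-RPC fault instead of a half-finished reply.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
} );

// 2. Defence in depth: the approach from the ticket comment. If a pingback
//    call still reaches the dispatcher (for example because another plugin
//    re-registered the method), log it and abort before any outbound
//    request to the "source" URL is made.
add_action( 'xmlrpc_call', function ( $method ) {
    if ( 0 === strpos( (string) $method, 'pingback.' ) ) {
        // Constructed log line; adjust to the site's logging conventions.
        error_log( sprintf(
            'xmlrpc: refused %s from %s',
            $method,
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
        status_header( 403 );
        die( 'pingback methods are disabled on this site' );
    }
} );

// 3. Stop advertising pingback support, so well-behaved clients never try.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 4. If XML-RPC is not needed at all, the filter added by this ticket turns
//    the whole endpoint off without any option in the admin UI. Left
//    commented out here because the mobile apps mentioned above rely on it.
// add_filter( 'xmlrpc_enabled', '__return_false' );
```

Dropping the file into `wp-content/mu-plugins/` makes it load before ordinary plugins, which matters for step 2: the `xmlrpc_call` action runs inside the method handler, so the `die()` must fire before the handler fetches the pingback source URL. Step 1 alone is usually sufficient; step 2 is the belt-and-braces variant the comment describes, and a web-server rule that rejects `POST /xmlrpc.php` bodies containing `pingback.ping` is the equivalent at the nginx/Varnish layer the comment also mentions.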

