[wp-hackers] Is disabling remote client access a good idea?
Daniel Jalkut
jalkut at red-sweater.com
Wed Jun 25 04:32:27 GMT 2008
On Jun 25, 2008, at 12:19 AM, Dan Coulter wrote:
> Most (possibly all) of POST calls on the admin side are also secured
> with a nonce.

Every XMLRPC interface is secured with a user name and password. At
least as much as would be required to obtain a "nonce" via the web
interface, right?

The bottom line is that users are getting into their blogs via the
web, using GETs and POSTs, and providing passwords when needed.

It does seem a bit arbitrary to me to call out these two URLs, the
ones corresponding to AtomPub and XMLRPC, and treat them as if
they're in some way more vulnerable to attacks than all the other URLs
in the blog system.

Daniel