[wp-trac] [WordPress Trac] #21509: Enable XML-RPC by default and remove the option
WordPress Trac
wp-trac at lists.automattic.com
Wed Aug 15 21:08:28 UTC 2012
#21509: Enable XML-RPC by default and remove the option
-------------------------+------------------
 Reporter:  nacin        |      Owner:
     Type:  enhancement  |     Status:  new
 Priority:  normal       |  Milestone:  3.5
Component:  XML-RPC      |    Version:
 Severity:  normal       | Resolution:
 Keywords:  has-patch    |
-------------------------+------------------
Comment (by markoheijnen):
Replying to [comment:5 blobaugh]:
> Turning XML-RPC on by default is fine now that so many people are trying
> to use the mobile apps to manage their installs, however removing the
> ability to turn it off may be a bad idea. Security may not be as big of an
> issue as it was previously, however keeping XML-RPC enabled provides an
> additional surface for attack. Unless requested by clients I always ensure
> their XML-RPC is disabled. Many security-conscious folk add additional
> layers of protection for wp-admin, such as moving it or through plugins, but
> attackers would know that the XML-RPC was always hanging out there ripe for
> the picking. Humans are not perfect, there will always be the possibility
> of a bug causing a security hole. Keep the option and limit the risk.
I can see what you mean but I disagree with the reasoning. There aren't a lot
of plugins adding XML-RPC stuff but they do for other things and plugins
are a big cause of security issues. Also if you really want to disable it
then just remove the xmlrpc.php file because plugins can add methods that
are always accessible even when you put XML-RPC off in your settings.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/21509#comment:7>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software