[wp-trac] [WordPress Trac] #21509: Enable XML-RPC by default and remove the option
WordPress Trac
noreply at wordpress.org
Wed Dec 26 15:25:29 UTC 2012
#21509: Enable XML-RPC by default and remove the option
-------------------------+---------------------
Reporter: nacin | Owner: nacin
Type: enhancement | Status: closed
Priority: normal | Milestone: 3.5
Component: XML-RPC | Version:
Severity: normal | Resolution: fixed
Keywords: has-patch |
-------------------------+---------------------
Changes (by digip):
* cc: digip (added)
Comment:
Just wanted to let people know, if you want the function disabled, and not
just from logging in, but fully disabled, you can filter the class itself.
The reason being, someone has already come out with an exploit for this,
that turns WordPress xmlrpc.php into a port scanner. My fix was to create
a plug-in that uses a similar filter to the one above, but instead of:
{{{
add_filter( 'xmlrpc_enabled', '__return_false' );
}}}
I changed it to:
{{{
add_filter( 'wp_xmlrpc_server_class', '__return_false' );
}}}
You can download the plug-in from my site, or you can just add that line
of code to your current theme's functions.php file. If the theme updates
automatically though, and replaces the file, you will have to add it back
every time. This is why I created a stand-alone plug-in to address this
issue, since it can not only be used to port scan the local server, it can
also be used to send false pingback spam to other sites.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/21509#comment:15>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
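As an added example (editor's code, not digip's plug-in and not WordPress core), the following stand-alone plug-in shows the `wp_xmlrpc_server_class` approach from the comment above carried through: instead of returning `false` from the filter, it hands xmlrpc.php a small stub class whose `serve_request()` answers every request with a 403 and stops, so no method (pingback.ping included) is ever dispatched. It also keeps the `xmlrpc_enabled` switch off and stops the site from advertising pingback support through the `X-Pingback` header and the pingback URL. The plug-in name and the `Example_Disabled_XMLRPC_Server` / `example_*` identifiers are assumed names chosen for this example.

```php
<?php
/*
Plugin Name: Example Disable XML-RPC
Description: Added example (not digip's plug-in): swaps the XML-RPC server class for a stub that refuses every request.
*/

// Do not run when the file is requested directly instead of being loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Minimal replacement server. xmlrpc.php instantiates the filtered class name and
// calls serve_request() on it, so this stub needs nothing else; it does not extend
// wp_xmlrpc_server and therefore exposes no XML-RPC methods at all.
class Example_Disabled_XMLRPC_Server {
    public function serve_request() {
        status_header( 403 );
        header( 'Content-Type: text/plain; charset=utf-8' );
        echo 'XML-RPC is disabled on this site.';
        exit;
    }
}

// Hand the stub's class name to xmlrpc.php in place of 'wp_xmlrpc_server'.
function example_disable_xmlrpc_server_class( $class ) {
    return 'Example_Disabled_XMLRPC_Server';
}
add_filter( 'wp_xmlrpc_server_class', 'example_disable_xmlrpc_server_class' );

// Belt and braces: also keep the 3.5 login-level switch off.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Stop advertising pingback support: drop the X-Pingback header WordPress sends
// on singular pages with pings open ...
function example_remove_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'example_remove_pingback_header' );

// ... and blank the pingback URL that themes print via bloginfo( 'pingback_url' ).
function example_blank_pingback_url( $output, $show ) {
    return ( 'pingback_url' === $show ) ? '' : $output;
}
add_filter( 'bloginfo_url', 'example_blank_pingback_url', 10, 2 );
```

Save the file under `wp-content/mu-plugins/` rather than in a theme: must-use plug-ins load on every request without activation and are untouched by theme updates, which addresses the functions.php problem raised above. To check it, send any XML-RPC request (for example a `demo.sayHello` or `pingback.ping` call) to `/xmlrpc.php` and confirm the response is a plain-text 403 rather than an XML-RPC response; a normal single-post page should no longer carry an `X-Pingback` header.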