[wp-trac] [WordPress Trac] #21509: Enable XML-RPC by default and remove the option
WordPress Trac
noreply at wordpress.org
Sun Oct 26 20:13:09 UTC 2014
#21509: Enable XML-RPC by default and remove the option
-----------------------------+---------------------
Reporter: nacin | Owner: nacin
Type: feature request | Status: closed
Priority: normal | Milestone: 3.5
Component: XML-RPC | Version: 4.0
Severity: major | Resolution: fixed
Keywords: 2nd-opinion | Focuses:
-----------------------------+---------------------
Comment (by redsweater):
Replying to [comment:20 andrebron]:
> > There are opportunities for the community to write plugins or better
> > documentation on how to block ping/trackback requests either at the PHP
> > level (e.g., by hooking the `xmlrpc_call` action and `die`ing for these
> > methods) or the web server/proxy level (e.g., nginx or Varnish). But just
> > disabling XML-RPC by default will not help with the DDOS issues.
>
> Another thought is entirely removing xml-rpc.php from core and only having
> it installed when required. Not sure how to implement that but it's worth
> considering since wp DDOS exploitability and reputation is somewhat on the
> line.
Do you have any recent information to cite with respect to XML-RPC posing
a significant security risk? The article you cited is from March, and
since then the WordPress team has responded by hardening WordPress's XML
processing.
Because many people, among them the WordPress team's own iOS and Android
app teams, depend upon the XML-RPC API being enabled by default, you're
asking a lot to revive interest in disabling it. It will help a lot if you
bring a compelling, up-to-date argument for how it's posing a significant
risk to WordPress sites.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21509#comment:21>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
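The PHP-level blocking that the quoted comment sketches (hooking `xmlrpc_call` and dying for the pingback methods), written out as an added example; this is not code from the ticket, from WordPress core or from either commenter. It is a single-file mu-plugin. The hook names `xmlrpc_methods`, `xmlrpc_call` and `wp_headers` are WordPress's own; the method list in `$wp_block_pingback_methods`, the 403 status and the plugin name are this example's choices.

```php
<?php
/**
 * Plugin Name: Block pingback XML-RPC methods (added example)
 * Description: Drop into wp-content/mu-plugins/. Refuses the pingback
 *              methods without turning the rest of XML-RPC off, so the
 *              mobile apps and other API clients keep working.
 */

// Methods involved in the reflected pingback flood; this list is the
// example's own assumption about what a site wants to refuse.
$wp_block_pingback_methods = array(
    'pingback.ping',
    'pingback.extensions.getPingbacks',
);

// 1. Remove them from the dispatch table. The server then answers a
//    normal "method does not exist" fault and system.listMethods no
//    longer advertises them. This is the cleaner of the two approaches.
add_filter( 'xmlrpc_methods', function ( $methods ) use ( $wp_block_pingback_methods ) {
    foreach ( $wp_block_pingback_methods as $m ) {
        unset( $methods[ $m ] );
    }
    return $methods;
} );

// 2. The approach described in the thread: 'xmlrpc_call' fires with the
//    method name at the top of each method body, so dying here stops
//    the request before any outbound fetch of the "source" URL happens.
//    Kept as a second line of defence in case another plugin re-adds
//    the methods after step 1 ran.
add_action( 'xmlrpc_call', function ( $method ) use ( $wp_block_pingback_methods ) {
    if ( in_array( $method, $wp_block_pingback_methods, true ) ) {
        status_header( 403 );
        die( 'pingback disabled on this site' );
    }
} );

// 3. Stop advertising the endpoint for pingbacks: drop the X-Pingback
//    response header if WordPress set one on this request (harmless if
//    it did not).
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

Check it with a hand-made request, e.g. `curl -d '<methodCall><methodName>pingback.ping</methodName><params></params></methodCall>' https://example.org/xmlrpc.php`: after step 1 the reply is an XML-RPC fault naming a missing method, while `wp.getUsersBlogs` and the other methods still dispatch as before. Note that step 2 on its own replies with plain text rather than a fault, which is why step 1 is the primary mechanism. A site that wants the whole endpoint off can use the `xmlrpc_enabled` filter that this ticket's 3.5 change introduced (`add_filter( 'xmlrpc_enabled', '__return_false' );`), but, as the quoted comment says, that also disables the clients that depend on the API.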