WordPress 2.6 to disable client access by default

Daniel Jalkut reports that WordPress 2.6 will disable the Atom & XMLRPC protocols by default. These APIs are used by applications such as MarsEdit to let you post from your desktop. If you want to use a desktop blogging app, you need to go into the settings and explicitly enable remote posting. Hopefully, upgrading an old WordPress site will keep it enabled.

The developers feel that those APIs “expose a potential to be a security risk”. As far as I know, none of the recent WordPress attacks have involved XMLRPC.

I almost never make a blog post through the web interface; I do all of my blogging with MarsEdit (which I’m now using to write this post). I’m sure the majority of serious bloggers use a desktop client such as MarsEdit or Ecto rather than the web interface, so this will be an inconvenience for all but the most casual users. Since many people will re-enable XMLRPC, any security improvement will be negated.

A better solution would be to require a client key, as Flickr does, which you need to explicitly allow before that client can post to your blog.
