XML-RPC enabled by default in WordPress 3.5

The XML-RPC service was disabled by default for a long time because it was considered a security risk (comment and trackback spam, for example). This changes with version 3.5: the service is on by default and the setting goes away.

“Quite a bit has changed since we introduced off-by-default for XML-RPC. Their code has improved, and it is no longer considered a second-class citizen when it comes to API development, thanks to the work of a large team of awesome contributors. Security is no greater a concern than the rest of core.
There is no longer a compelling reason to disable this by default. It's time we should remove the option entirely.”

(Andrew Nacin, Ticket #21509)

If you update an installation to 3.5, the option enable_xmlrpc is removed from the database, which means the service is enabled even if you had disabled it in the settings. The filters pre_option_enable_xmlrpc and option_enable_xmlrpc (now marked as deprecated) are still respected.

Nevertheless it is still possible to disable the service, though it is a bit more work. WordPress 3.5 introduces the filter xmlrpc_enabled:

add_filter('xmlrpc_enabled', '__return_false');

You can add this line to your wp-config.php after the line require_once(ABSPATH . 'wp-settings.php'); if you want to disable XML-RPC for your site. A cleaner solution is a small plugin. One caveat: in 3.5 this filter is evaluated in the server's login() step, so methods that authenticate answer with an XML-RPC fault (code 405, "XML-RPC services are disabled on this site."), while xmlrpc.php itself keeps responding to requests that do not log in.
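The plugin variant in full, as an added example written for this post (it is not the "Disable XML-RPC" plugin from the repository and not WordPress core code). Function names prefixed wpe_example_ are hypothetical; the hooks used (xmlrpc_enabled, xmlrpc_methods, wp_headers, rsd_link on wp_head) and the method names are those of WordPress 3.5. It goes a step beyond the single filter line: because xmlrpc_enabled only gates methods that log in, it also drops the unauthenticated pingback and demo methods and stops advertising the endpoint, on the assumption that the site does not want pingbacks either.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (example)
 * Description: Added example, not the original post's code: switches XML-RPC
 *              off on WordPress 3.5+ and removes the methods the switch does
 *              not cover. Drop into wp-content/plugins/ and activate.
 */

// The new 3.5 filter. Every method that goes through login() now answers
// with an IXR fault 405 "XML-RPC services are disabled on this site."
add_filter( 'xmlrpc_enabled', '__return_false' );

// Assumption: this site does not want to receive pingbacks. The filter above
// only affects authenticated calls, so pingback.ping and the demo helpers
// would still answer. Take them out of the method table with the
// long-standing xmlrpc_methods filter; system.listMethods no longer lists
// them and a call returns the "method not found" fault.
add_filter( 'xmlrpc_methods', 'wpe_example_strip_xmlrpc_methods' );
function wpe_example_strip_xmlrpc_methods( $methods ) {
	unset( $methods['pingback.ping'] );
	unset( $methods['pingback.extensions.getPingbacks'] );
	unset( $methods['demo.sayHello'] );
	unset( $methods['demo.addTwoNumbers'] );
	return $methods;
}

// Stop advertising the endpoint: WordPress sends an X-Pingback header and
// prints an RSD <link> in the HTML head, both pointing at xmlrpc.php.
add_filter( 'wp_headers', 'wpe_example_drop_pingback_header' );
function wpe_example_drop_pingback_header( $headers ) {
	unset( $headers['X-Pingback'] );
	return $headers;
}
remove_action( 'wp_head', 'rsd_link' );
```

To verify after activating, POST a methodCall for wp.getUsersBlogs with dummy credentials to /xmlrpc.php: the response should be a fault with faultCode 405 and the "disabled" message rather than a login error, and a system.listMethods call should no longer list pingback.ping. Deactivating the plugin restores everything, which is the advantage over editing wp-config.php.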

WordPress also contains the lesser-known Atom Publishing Protocol (AtomPub). This service is removed in version 3.5, since it offers far fewer functions than the XML-RPC implementation and (according to Nacin) has "never received much love from developers" (#21866). Any attempt to call the AtomPub service is answered with a 403 error. Plugins that extend the class wp_atom_server receive a warning that the class is deprecated.
If you still want to use the AtomPub protocol, you can install a plugin.


5 comments

  1. chrismccoy

    Thank goodness ;) I hate always having to click the checkbox and save each time I set up a WP install, since I do a lot of XML-RPC stuff.

  2. Phil Erb

    For many people, it probably makes sense to have XML-RPC turned on by default - especially with the proliferation of mobile and third-party desktop apps that use it to communicate with WordPress. However, there are sites where it certainly makes sense to leave it off and common security guidance would say that the smaller your possible attack surface, the better.

    To make it quick and easy to disable (and then re-enable, if necessary) XML-RPC, I created a plugin that users can activate (disabling XML-RPC) or deactivate (enabling XML-RPC) when the case calls for it.

    "Disable XML-RPC" is available on the WordPress Plugins Repository at http://wordpress.org/extend/plugins/disable-xml-rpc/.

  3. Joe Casabona

    Thanks for this!

    If you don't want to do it yourself, there is a simple plugin that will do it for you: http://wordpress.org/extend/plugins/disable-xml-rpc/

  4. Cancer Treatment

    Hi Wpengineer,
    Thanks for the above. A Web Service Application Programming Interface (API) is an interface implemented by a software program to enable interaction with other software, similar to the way a user interface facilitates interaction between humans and computers.
    BTW, great blog post.

  5. Tod Deskin

    The XML-RPC API in WordPress is very extensible (as your post illustrates); plugins are offered quite a variety of freedoms. One thing that needs to be double-checked when doing this is to ensure you're properly escaping information.