The XML-RPC service was disabled by default for a long time because it was considered a security hole (e.g. comment and trackback spam). This setting will change with version 3.5.
“Quite a bit has changed since we introduced off-by-default for XML-RPC. Their code has improved, and it is no longer considered a second-class citizen when it comes to API development, thanks to the work of a large team of awesome contributors. Security is no greater a concern than the rest of core.
There is no longer a compelling reason to disable this by default. It’s time we should remove the option entirely.”
(Andrew Nacin, Ticket #21509)
If you’re updating your installation to v3.5 the option
enable_xmlrpc will be removed from the database meaning that the service will be enabled even if you had disabled it in the settings. The (now marked as deprecated) filters
option_enable_xmlrpc will still be respected.
Nevertheless it’s still possible to disable the service though it’s a bit more difficult. WordPress v3.5 introduces the filter
You can add this code to your
wp_config.php after the line
require_once(ABSPATH . 'wp-settings.php'); if you want to disable XML-RPC for your site. Surely a better solution is to create a small plugin.
WordPress also contained the lesser known “Atom publishing” protocol. This service will be removed in version 3.5 since it has much less functions than the XML-RPC implementation and has (according to Nacin) “never received much love from developers” (#21866). Any attempt to call the AtomPub service will be answered with a 403 error. Plugins that are extending the class
wp_atom_server will receive a warning that the class is deprecated.
If you still want to use the AtomPub protocol you can install a plugin.