[wp-hackers] Is disabling remote client access a good idea?

Daniel Jalkut jalkut at red-sweater.com
Wed Jun 25 04:32:27 GMT 2008


On Jun 25, 2008, at 12:19 AM, Dan Coulter wrote:

> Most (possibly all) of POST calls on the admin side are also secured
> with a nonce.

Every XMLRPC interface is secured with a user name and password. At  
least as much as would be required to obtain a "nonce" via the web  
interface, right?

The bottom line is that users are getting into their blogs via the  
web, using GETs and POSTs, and providing passwords when needed.

It does seem a bit arbitrary to me to call out these two URLs, the  
ones corresponding to AtomPub and XMLRPC, and treat them as if  
they're in some way more vulnerable to attacks than all the other URLs  
in the blog system.

Daniel


