[wp-hackers] Is disabling remote client access a good idea?

Alan J Castonguay alan at verselogic.net
Mon Jul 7 18:14:38 GMT 2008


Don't want to re-open the debate about whether APP should be disabled  
by default. But if the APP /is/ disabled per enable_xmlrpc, we should  
fix the warning/error message.

$allow passed to not_allowed() to generate Status 405 "Method Not
Allowed" is expected to be an array, and joined into a comma-separated
list of allowed values. If we're going to use not_allowed() to output
this warning in the Allow: header, the content should be a
single-element array rather than a string.

However, it may be better to use HTTP Status 403 instead, since  
Status 405 "MUST include an Allow header containing a list of valid  
methods for the requested resource", not an arbitrary user-oriented  
string. With Status 403, WordPress "SHOULD describe the reason for  
the refusal in the entity" body, not through the Accept: header.


http://trac.wordpress.org/ticket/7157
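To make the two options concrete, here is an added PHP illustration (not WordPress code and not its not_allowed() function; the helper names build_refusal() and send_refusal() are invented for this example). It builds a 405 response only from a non-empty array of methods, so the Allow: header is always a proper comma-separated list, and builds a 403 response with the explanation in the body and no Allow: header at all.

```php
<?php
// Added example, not code from WordPress. Helper names are hypothetical.
declare(strict_types=1);

/**
 * Build a refusal response as header lines plus a body, so it can be
 * inspected on the CLI without actually sending anything.
 *
 * @param int      $status  403 or 405
 * @param string[] $allow   Methods for the Allow: header (required for 405)
 * @param string   $reason  Human-readable explanation, placed in the body
 * @return array{headers: string[], body: string}
 */
function build_refusal(int $status, array $allow = array(), string $reason = ''): array
{
    $headers = array();
    $body    = '';

    if ($status === 405) {
        // A 405 MUST carry an Allow header listing the valid methods,
        // so refuse to build one without a non-empty method list.
        if (empty($allow)) {
            throw new InvalidArgumentException('405 requires a non-empty list of allowed methods');
        }
        $headers[] = 'HTTP/1.1 405 Method Not Allowed';
        $headers[] = 'Allow: ' . implode(', ', array_map('strtoupper', $allow));
        $body      = 'Method not allowed.';
    } elseif ($status === 403) {
        // A 403 carries no Allow header; the reason belongs in the entity body.
        $headers[] = 'HTTP/1.1 403 Forbidden';
        $headers[] = 'Content-Type: text/plain; charset=utf-8';
        $body      = $reason !== '' ? $reason : 'Forbidden.';
    } else {
        throw new InvalidArgumentException("Unsupported status $status");
    }

    return array('headers' => $headers, 'body' => $body);
}

/** Emit a built response; only meaningful when running under a web SAPI. */
function send_refusal(array $response): void
{
    foreach ($response['headers'] as $line) {
        header($line);
    }
    echo $response['body'];
}

// The method list must be an array even when it holds a single method:
// a bare string handed to implode() yields a bogus or empty Allow header.
$r405 = build_refusal(405, array('GET', 'POST'));
// Allow: GET, POST

// When the protocol is switched off entirely there is no method the client
// could legitimately use, so 403 with the reason in the body is the better fit.
// The reason text here is constructed for the example.
$r403 = build_refusal(403, array(), 'AtomPub is disabled on this site.');

if (PHP_SAPI === 'cli') {
    foreach (array($r405, $r403) as $r) {
        echo implode("\n", $r['headers']), "\n\n", $r['body'], "\n\n";
    }
} else {
    send_refusal($r403);
}
```

Run it with `php` on the command line to see both responses printed; under a web server it sends the 403 form.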

