[wp-hackers] Is disabling remote client access a good idea?

zamoose at gmail.com
Tue Jun 24 19:55:41 GMT 2008


On 6/24/08, Daniel Jalkut <jalkut at red-sweater.com> wrote:
>
> It recently came to my attention that WordPress is planning to disable
> the XMLRPC and AtomPub based interfaces by default in 2.6.
>
> This decision rubs me the wrong way, and I want to start a dialog here
> to see if others agree (or disagree for that matter!).

Daniel:
You would be in a far better position to answer the market segment
size question than I, but to me this seems to be a simple question of
audience sizes.

WordPress is an Open Source project and thus, like it or not, the
stuff that gets worked on is the stuff that people /want/ to work on.
Most (decent) XMLRPC clients (like MarsEdit) seem to be on the for-pay
side of the spectrum, which conceptually limits their market share to
those willing to pay for software, thus also limiting the number of
folks able to test any implementation of XMLRPC.

The simple fact of the matter is that the vast majority of WP users
are going to be using the web front end and simply can't be bothered
with the extra care and feeding a remote client requires.  Add the
Gears functionality that is coming and you've even further
down-selected the sample size.  I am willing to bet, though, if you
decided to go the NewsFire/NetNewsWire route and dropped a free (as in
beer) version of MarsEdit tomorrow, you'd see a lot more interest in a
robust implementation of remote access. (We'll leave aside the Leo
Laporte "What's worth money?" question for the time being.)

I agree with Dan Coulter's assessment as well -- if you're not using
the XMLRPC interface, it's probably a great idea to disable it as a
potential point of entry, just as one ought to lock down one's
wp-content/.

-- 
-Doug
http://literalbarrage.org/blog/

