[wp-hackers] Is disabling remote client access a good idea?

Daniel Jalkut jalkut at red-sweater.com
Wed Jun 25 03:52:31 GMT 2008


It's been interesting to see how the general vibe on this list has been more supportive of the limitation, while the comments on my blog are in both directions but I think with a bit of lean against the limitation.

A common argument in favor of the limitation is that it "shuts down another vector" that may be a security risk. I think what Jens Alfke said in my blog comments is very pertinent here:

"Some people seem to think there’s something special about XML-RPC that makes it inherently less secure. Not so — It’s just an HTTP POST, just like any other change made via the web UI."

When you consider the number of distinct HTTP POST access points into a typical WordPress blog, all secured by a cookie-type authentication, it makes the SINGLE POINT access via the xmlrpc.php URL seem rather easy to manage and to secure, by comparison.

Daniel

On Jun 24, 2008, at 11:26 PM, Eric Marden wrote:

>> It's common to disable services that you don't use.
>
> Dan, you are completely right.
>
> Security is about minimizing exposure, not the ability to survive an attack.
>
> -e
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
