[wp-hackers] Is disabling remote client access a good idea?
Daniel Jalkut
jalkut at red-sweater.com
Wed Jun 25 03:52:31 GMT 2008
It's been interesting to see how the general vibe on this list has
been more supportive of the limitation, while the comments on my blog
are in both directions but I think with a bit of lean against the
limitation.
A common argument in favor of the limitation is that it "shuts down
another vector" that may be a security risk. I think what Jens Alfke
said in my blog comments is very pertinent here:
"Some people seem to think there’s something special about XML-RPC
that makes it inherently less secure. Not so — It’s just an HTTP POST,
just like any other change made via the web UI."
When you consider the number of distinct HTTP POST access points into
a typical WordPress blog, all secured by a cookie-type authentication,
it makes the SINGLE POINT access via the xmlrpc.php URL seem rather
easy to manage and to secure, by comparison.
Daniel
On Jun 24, 2008, at 11:26 PM, Eric Marden wrote:
>> It's common to disable services that you don't use.
>
> Dan, you are completely right.
>
> Security is about minimizing exposure, not the ability to survive an
> attack.
>
> -e
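Added example, not code from this thread or from WordPress itself: a must-use plugin showing what "manage and secure the single point" looks like for a site owner who keeps xmlrpc.php reachable. It uses two filters that exist in current WordPress releases (`xmlrpc_enabled`, added in 3.5, and `xmlrpc_methods`), so it does not apply to the 2.x branch being discussed in 2008. The `EXAMPLE_XMLRPC_ENABLED` constant is a hypothetical switch for this example only.

```php
<?php
/*
 * Plugin Name: Restrict XML-RPC (added example)
 * Place in wp-content/mu-plugins/ so it loads on every request.
 */

// Hypothetical switch for this example: define it as true in wp-config.php
// to keep XML-RPC on. Default is off, matching "disable what you don't use".
if ( ! defined( 'EXAMPLE_XMLRPC_ENABLED' ) ) {
    define( 'EXAMPLE_XMLRPC_ENABLED', false );
}

// 1. Whole-endpoint switch. 'xmlrpc_enabled' is a real WordPress filter
//    (3.5+). Returning false makes every method that requires a login fail.
add_filter( 'xmlrpc_enabled', function ( $enabled ) {
    return EXAMPLE_XMLRPC_ENABLED ? $enabled : false;
} );

// 2. If the endpoint stays on, shrink the method surface. 'xmlrpc_methods'
//    is a real filter over the method-name => callback map. The pingback
//    methods need no login at all, and system.multicall batches many calls
//    into one POST, which defeats per-request rate limits; neither is needed
//    by a desktop blog editor.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    $unneeded = array(
        'pingback.ping',
        'pingback.extensions.getPingbacks',
        'system.multicall',
    );
    foreach ( $unneeded as $name ) {
        unset( $methods[ $name ] );
    }
    return $methods;
} );

// 3. One URL to watch: record every XML-RPC request so the single access
//    point Daniel describes is also a single place to alert on.
//    XMLRPC_REQUEST is defined by xmlrpc.php before WordPress loads.
add_action( 'init', function () {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        $addr  = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
        $agent = isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : '-';
        error_log( sprintf( 'xmlrpc.php request from %s (%s)', $addr, $agent ) );
    }
} );
```

With the constant left at its default the endpoint answers but refuses any authenticated call; flipping it to true keeps remote editing working while the second filter still drops the unauthenticated and batching methods, and the log line gives the one signal worth feeding into whatever rate limiting or alerting the host already runs.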