[wp-xmlrpc] XMLRPC Security

Joseph Scott joseph at josephscott.org
Mon May 24 16:19:11 UTC 2010


On Mon, May 24, 2010 at 2:19 AM, Luke Mackenzie <luke at lukem.co.uk> wrote:
> I've got a couple of questions regarding locking down XMLRPC access to Wordpress (2.9.2 MU)
>
> Is the best way to do this by IP address in the .htaccess file / web server config?

There's nothing in the WP XML-RPC code to limit to a single IP, so
doing this at the web server level is likely your best bet.


> Is it possible to only allow one user access to the XMLRPC endpoint?

A WordPress plugin could look at XML-RPC authentication requests and
only approve a specific user.


> Should / can the XMLRPC traffic be encrypted? I'm concerned that the user/pass are plain text in the POST operation. However, this may not be a problem if we lock access down by IP.

Yes, SSL is always recommended whenever possible.  There's nothing in
XML-RPC that requires it to be done in the clear.


-- 
Joseph Scott
joseph at josephscott.org
http://josephscott.org/
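One way to build the plugin Joseph describes, as an added example that is not part of this thread and not WordPress's own code: it hooks the standard `authenticate` filter (present since WordPress 2.8) and uses the `XMLRPC_REQUEST` constant that xmlrpc.php defines, so ordinary wp-login.php logins are untouched. The allowed account name `publisher` and the `RESTRICT_XMLRPC_ALLOWED_USER` constant are assumptions for the example.

```php
<?php
/*
Plugin Name: Restrict XML-RPC to one user (added example)
Description: Rejects XML-RPC logins for every account except the one named below.
*/

// Assumed setting: the only account allowed to authenticate over XML-RPC.
define( 'RESTRICT_XMLRPC_ALLOWED_USER', 'publisher' );

/**
 * Runs late on the 'authenticate' filter, after WordPress has checked the
 * username and password (its own callback runs at priority 20), so a later
 * successful login cannot overwrite this rejection.
 *
 * @param WP_User|WP_Error|null $user     Result of the earlier callbacks.
 * @param string                $username Login name supplied in the request.
 * @param string                $password Password supplied in the request (unused).
 * @return WP_User|WP_Error
 */
function restrict_xmlrpc_user( $user, $username, $password ) {
    // xmlrpc.php defines XMLRPC_REQUEST before loading WordPress; anything
    // else (wp-login.php, cookies) is not our concern here.
    if ( ! defined( 'XMLRPC_REQUEST' ) || ! XMLRPC_REQUEST ) {
        return $user;
    }

    // Only a fully authenticated WP_User for the allowed login passes.
    if ( is_a( $user, 'WP_User' )
        && $user->user_login === RESTRICT_XMLRPC_ALLOWED_USER ) {
        return $user;
    }

    // Record the rejected attempt so repeated abuse shows up in the server log.
    error_log( sprintf( 'XML-RPC login denied for "%s" from %s',
        $username, $_SERVER['REMOTE_ADDR'] ) );

    // One generic message for bad passwords and disallowed users alike,
    // so the endpoint does not confirm which account names exist.
    return new WP_Error( 'xmlrpc_user_denied', __( 'XML-RPC access denied.' ) );
}
add_filter( 'authenticate', 'restrict_xmlrpc_user', 99, 3 );
```

Drop the file into wp-content/plugins (or mu-plugins on MU) and activate it; combined with the web-server IP restriction and SSL from the thread, the endpoint then accepts one account, from known addresses, over an encrypted channel.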

