XML-RPC Enabled by Default in WordPress 3.5

XML-RPC will be enabled by default in WordPress 3.5, but I personally think that’s a bad idea from a security perspective. A fellow Seattle WP developer, Ben Lobaugh, explains why on the Trac ticket.

Luckily, it’s easy to disable it. Just add this to a plugin:

add_filter( 'xmlrpc_enabled', '__return_false' );
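As an added example (not code from the original post), here is that one-line filter packaged as a complete must-use plugin. It assumes the file is dropped into `wp-content/mu-plugins/` so it loads on every request and cannot be deactivated from the admin screen; it also goes slightly beyond the post by stripping the `X-Pingback` response header and emptying the XML-RPC method table as defense in depth, using the `wp_headers` and `xmlrpc_methods` filters that WordPress already provides.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (hypothetical mu-plugin, added example)
 * Description: Turns off the XML-RPC endpoint that WordPress 3.5 enables by default.
 */

// Bail out if this file is loaded outside WordPress (e.g. requested directly).
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// 1. The switch the post describes: the 'xmlrpc_enabled' filter (new in 3.5)
//    replaces the old "Enable XML-RPC" checkbox. Returning false makes
//    xmlrpc.php answer every call with a "XML-RPC services are disabled" fault.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Defense in depth: even if another plugin re-enables the endpoint,
//    advertise no methods at all, so there is nothing for a client to call.
add_filter( 'xmlrpc_methods', function ( $methods ) {
	return array();
} );

// 3. Stop advertising the endpoint. WordPress adds an "X-Pingback: .../xmlrpc.php"
//    header to responses; removing it keeps the URL out of automated discovery.
add_filter( 'wp_headers', function ( $headers ) {
	unset( $headers['X-Pingback'] );
	return $headers;
} );
```

To check it took effect, send a request to `/xmlrpc.php` on the site and confirm you get the "XML-RPC services are disabled on this site" fault rather than a method listing, and that the `X-Pingback` header is gone from a normal page response. Keep in mind (as the first comment below notes) that the official mobile apps talk to WordPress over XML-RPC, so a client who wants them will need this file removed.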

I’ve added that to my security checklist for new installations, and updated my installation skeleton to include it. I’d recommend doing the same if you don’t plan on using it and are concerned about security.

2 thoughts on “XML-RPC Enabled by Default in WordPress 3.5”

  1. Thanks for catching that, Ian. I hadn’t noticed that change until now. I can see the logic, but I wish they left the setting around. If I add this to my standard functionality plugin, I’ll have to start remembering to tell clients in case they want to use the mobile app.

  2. Yeah, I can see why they wanted to do it, with the increasing popularity of the mobile apps, and the whole “decisions, not options” philosophy, but to me it just doesn’t seem like the benefits outweigh the downsides.

    It’s not a big deal, of course; I don’t think we’re going to start seeing any major attacks from it or anything, but for clients who want/need tight security, turning it off is definitely a good (and easy) thing to do.
