XML-RPC is a protocol that allows third-party applications, such as Windows Live Writer and Ecto, to post to a system that supports it. In this case, WordPress is the application that supports XML-RPC, but the WordPress development team has decided to disable XML-RPC by default starting with WordPress 2.6.
Daniel Jalkut, founder of Red Sweater Software, LLC., believes that it might help with reducing security risks, but it might have adverse effects for those who use applications that depend on XML-RPC:
But in my opinion, there are also good arguments to be made for rejecting the change as a damaging and misguided solution.
First, and obviously near to my heart, is the fact that this marginalizes remote clients. For users who would find value in a remote client, this decision will put one more roadblock in their way. Historically, the remote editor interface is already compromised such that remote editors do not have access to all the same functionality as the web interface. With this change in place, things get even worse. While a screen-scraping application will easily log in and authenticate a fragile WordPress session via the web interface, the well-behaved API clients will be refused access by default. All in the name of improving security.
Second, and probably most important, is that this is not a fundamental security improvement.
As a user who personally likes to make use of the XML-RPC system, I must say that I am disappointed with this decision. I am not exactly sure of the security implications, but I do agree that the system should be fixed, not simply disabled by default.
Daniel also made an excellent point about the security of WordPress:
Also worth considering: if a service is disabled by default for security considerations, what message does that send to people who choose to, or who are encouraged to turn the service back on? It sets up a perception of insecurity which may not even be warranted. If the remote publishing interfaces are insecure, they should be fixed, not merely disabled!
Well, all that reflects my thoughts exactly.
Daniel does benefit from having the XML-RPC system enabled—he is the founder of the company that develops MarsEdit. It is in his company’s best interest for this feature to be enabled by default. So, there is a conflict of interest, but even though there is a conflict, I believe his points to be valid and his words to be truthful.
Of course, you could always just enable the XML-RPC option yourself. That is fine for those who run their own blog, but in other instances it could cause some serious issues and confusion.
What do you think about all this? Many of you who use desktop, browser, or any other third-party application to post content to WordPress will be affected. Voice your opinion!