Daniel Jalkut Bashes WordPress 2.6 XMLRPC Decision

Filed as Features on June 25, 2008 8:02 am

Daniel Jalkut is the creator, current developer and owner of the Mac blog application MarsEdit (a great one, by the way), so it should come as no surprise that he’s a bit pissed about the fact that XMLRPC will be disabled by default in WordPress 2.6. For those who don’t know, XMLRPC is the way outside applications can communicate with WordPress.

Naturally, disabling XMLRPC in WordPress 2.6 isn’t a swipe at outside applications; there is a reason, of course.

Peter Westwood, aka Westi, explains:

We have chosen to disable Atom Publishing Protocol and the variety of XML-RPC protocols by default as they expose a potential to be a security risk. So from WordPress 2.6 onwards you will need to go into the Settings->Write page and enable them individually if you want to use them.

I’m a bit surprised by the hurrahs in the comments to Peter’s post. Sure, security issues are something everyone wants addressed, but obviously this will leave a lot of users stranded and frustrated as to why their desktop blogging application of choice suddenly won’t be able to authenticate with their newly upgraded WordPress blog. Or will XMLRPC perhaps be turned on by default if you’re doing an upgrade?

Daniel Jalkut’s post is worth a read, and it is not just bashing; it also offers pointers toward a different solution to this problem. This, however, is key for the whole XMLRPC decision, and why I personally believe that it is a bad one:

Also worth considering: if a service is disabled by default for security considerations, what message does that send to people who choose to, or who are encouraged to turn the service back on? It sets up a perception of insecurity which may not even be warranted. If the remote publishing interfaces are insecure, they should be fixed, not merely disabled!

If XMLRPC is such a security issue right now, then by all means disable it by default, and tell the users that they need to enable it. And by telling the users I mean flash it in their face, because a lot of people won’t understand that they need to turn it on; not all users are sure what they’re doing. But in the long run, I completely agree with Daniel’s statement above. Disabling isn’t a solution; fixing it is.



  1. By Matt Craven posted on June 25, 2008 at 12:17 pm

    MarsEdit was created by Brent Simmons, who also created NetNewsWire and later sold that software to Newsgator, where he now works.

    Daniel took over development of MarsEdit when it was divested by Simmons & Newsgator.


  2. By Michael posted on June 25, 2008 at 3:13 pm

    I agree with him, it doesn’t make sense that WordPress would do this. I love all the features that are going to be added to WordPress 2.6 but I wish that they would just take 6-10 months to clear all the bugs out of the software. Nothing that they are adding is really needed, bug fixes are needed, new features aren’t, especially when those new features upset some of the more outspoken members of the WordPress community.


  3. By Movie Goers posted on June 27, 2008 at 7:53 am

    very surprising thought, well, bug fixes are needed for this


  4. By Brian Carnell posted on July 1, 2008 at 10:02 pm

    Actually, Michael, it makes perfect sense. I don’t use MarsEdit or any other blogging app. Why should WordPress go ahead and turn on XMLRPC by default even if it is secure? It’s not a service I’m using, it shouldn’t be turned on by default. This is just like the way MS ships Windows with all sorts of services running whereas with Linux and Apple, you start out with the minimal configuration needed and then the user is responsible for enabling additional services.

