I mentioned previously that the XML-RPC and Atom blog APIs would be disabled by default when WordPress 2.6 is released. This was a matter of some debate within the community, and there has been some clarification:
- The APIs will not be automatically disabled for sites upgrading from older versions. Since the APIs have previously been ‘on’ by default, they will continue to function.
- For new installs of WordPress 2.6 and later, there will be an option presented at install-time to enable the APIs. Or not. They seem to have removed that between Beta 1 and Beta 2.
- There will be options in the Write settings to enable or disable XML-RPC posting and Atom API posting individually.
This sounds like the most reasonable path to make this change without causing disruption for those who have been using client tools like Ecto, MarsEdit, or Windows Live Writer (or third-party web services which can post to blogs, like Flickr or Delicious) to post to their blogs.
Also, though this change is being made under the moniker of a security improvement, that is not to imply that the current API code is not secure. It is simply a pretty standard practice to turn off services that are not used, just as when building a dedicated email server, you wouldn’t turn on FTP unless you absolutely needed it. Stats from WordPress.com have shown that only about 5% of its users utilize the client APIs, so it doesn’t make sense to automatically turn it on for the 95% who aren’t using them.
19 Comments
I agree with this one, thanks for pointing this out and emphasizing that upgrades won’t disable that function.
It cleared out a lot of things, many people might have thought that the API code is not secure, that’s why it’ll be turned off by default for new installs. XD
One correction: new installs of WordPress will not have a check box to enable XML-RPC & AtomPub.
http://trac.wordpress.org/ticket/7157#comment:18
So it’ll only be on the regular settings pages, not an additional setup step? That’s probably a better way to do it.
@Kelson -
Correct, the only spot to enable it is under Settings -> Writing.
Woohoo! That makes fantastic sense. I was really wondering what the WP guys were drinking over there on the first notice.
Seems to me that enabling OAuth by default would solve this problem long term… moving to delegated authorization and away from giving away your username/password all over the place is the way forward. Too bad Automattic isn’t seizing the opportunity to bake in support in 2.6 and beyond. Maybe by 3.0?
@factoryjoe -
OAuth was exactly what I brought up on the wp-xmlrpc email list (http://lists.automattic.com/mailman/listinfo/wp-xmlrpc):
http://comox.textdrive.com/pipermail/wp-xmlrpc/2008-June/thread.html#208
The response was mixed.
>>Stats from WordPress.com have shown that only about 5% of its users utilize the client APIs
And WP 2.6 is going to make this number even smaller
Considering how easy it is to implement OAuth in WordPress (I have a plugin that does just that), I’m not sure why it is being so easily dismissed on the mailing list (having read the thread). WordPress blogs live on the web, for goodness’ sake! Web authz can apply.
I’m glad to hear it won’t affect upgraded installations. Not that it’s a big deal, but it would be the perfect trigger for a “WTF &%^$$ is wrong with Windows Live Writer” kind of episode.
Jonathan: I think I recall seeing something that indicated that if API publishing was turned off, it would still return a friendly error message to clients, indicating that fact.
Correct, if XML-RPC/AtomPub is disabled you’ll get an error message that looks like:
XML-RPC services are disabled on this blog. An admin user can enable them at %s
Where the %s is replaced with the Settings -> Writing wp-admin URL.
http://trac.wordpress.org/browser/trunk/xmlrpc.php#L192
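A monitoring job can use the fault text quoted above to tell a blog with the APIs switched off from one that is still processing XML-RPC calls. The following Python is an added example, not part of the comments and not WordPress code; the blog names, fault codes, admin URL and allowlist in the sample data are constructed.

```python
import xmlrpc.client
from xml.parsers.expat import ExpatError

# Fault text quoted in the comment above; the URL after "at" differs per blog.
DISABLED_MARKER = "XML-RPC services are disabled on this blog"


def classify_response(body):
    """Classify one response body captured from a blog's xmlrpc.php."""
    try:
        xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        if DISABLED_MARKER in fault.faultString:
            return "disabled"
        return "active"       # any other fault: the service still answers calls
    except (ExpatError, xmlrpc.client.ResponseError):
        return "not-xmlrpc"   # e.g. an HTML error page from a proxy or firewall
    return "active"


def audit(captured, allowlist):
    """Return blogs whose API is active although policy says it should be off."""
    return sorted(blog for blog, body in captured.items()
                  if blog not in allowlist and classify_response(body) == "active")


def _fault(code, text):
    # Build a fault response the same way a server library would serialize it.
    return xmlrpc.client.dumps(xmlrpc.client.Fault(code, text))


# Constructed sample bodies (hypothetical blogs, codes and URL).
SAMPLES = {
    "blog-a": _fault(405, DISABLED_MARKER + ". An admin user can enable them at "
                          "https://blog-a.example/wp-admin/options-writing.php"),
    "blog-b": _fault(403, "Bad login/pass combination."),
    "blog-c": xmlrpc.client.dumps(("ok",), methodresponse=True),
    "blog-d": "<html><body>Forbidden</body></html>",
}

if __name__ == "__main__":
    # blog-c is the only blog allowed to keep remote publishing enabled.
    print(audit(SAMPLES, allowlist={"blog-c"}))
```

A blog that returns an unrelated fault, such as a failed login, is reported as active because the endpoint is still accepting and evaluating requests.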
Joseph: That’s great! This error message and the URL makes perfect sense.
I’ve just updated the latest version from SVN and it works.
The latest WordPress has been great, all of our blogging software works with it no problems. We use a combination of MarsEdit and PlutoEdit, which is a freely available HTML/PHP interface that you can integrate with your own CMS. It does not require a database, but you can configure it to manage multiple blogs.
http://raven-seo-tools.com/pluto-edit/
And WP 2.6 is going to make this number even smaller
I notice that today, maybe it is much more secure, but I still like to use Windows Live Writer to publish posts. I think someone will agree with me.
API is a gift for WordPress. Can’t imagine WordPress without API. It’s great future of WordPress blogging platform.
11 Trackbacks
[...] With WordPress 2.6, in new installations, the access to XML-RPC will be unavailable by default. This in short means that every user will have to go and manually enable XML-RPC to allow external applications to post to your blog. Dougal wrote a post about this recently. From his post on the APIs: [...]
[...] version do not need to worry about this: external access is not disabled by the update! Additional article info 1. Tags: wordpress 2. more articles [...]
[...] Dougal Campbell – Update on WordPress blog APIs covers the issues around changes to the XML-RPC and Atom blog APIs being disabled by default in WordPress 2.6. [...]
[...] Update on WordPress Blog APIs [...]