Dougal Campbell's geek ramblings

WordPress, web development, and world domination.

Update on WordPress blog APIs

I mentioned previously that the XML-RPC and Atom blog APIs would be disabled by default when WordPress 2.6 is released. This was a matter of some debate within the community, and there has been some clarification:

  • The APIs will not be automatically disabled for sites upgrading from older versions. Since the APIs have previously been ‘on’ by default, they will continue to function.
  • For new installs of WordPress 2.6 and later, there will be an option presented at install-time to enable the APIs. Or not. They seem to have removed that between Beta 1 and Beta 2.
  • There will be options in the Write settings to enable or disable XML-RPC posting and Atom API posting individually.

This sounds like the most reasonable path to make this change without causing disruption for those who have been using client tools like Ecto, MarsEdit, or Windows Live Writer (or third-party web services which can post to blogs, like Flickr or Delicious) to post to their blogs.

Also, though this change is being made under the moniker of a security improvement, that is not to imply that the current API code is not secure. It is simply a pretty standard practice to turn off services that are not used, just as when building a dedicated email server, you wouldn’t turn on FTP unless you absolutely needed it. Stats from WordPress.com have shown that only about 5% of its users utilize the client APIs, so it doesn’t make sense to automatically turn it on for the 95% who aren’t using them.
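A way to inventory which of your own blogs still answer on the XML-RPC endpoint, added here as an example and not taken from WordPress or from the original post. It keys on the "services are disabled" fault text quoted in the comments on this page; the hostnames, fault codes, settings URL and response bodies are constructed samples, and the function names are hypothetical.

```python
import xmlrpc.client
from xml.parsers.expat import ExpatError

# Fault text quoted in this page's comments; the trailing settings URL differs per site.
DISABLED_PREFIX = "XML-RPC services are disabled on this blog."

def classify(body: str) -> str:
    """Classify one saved xmlrpc.php response body from a blog you administer."""
    try:
        xmlrpc.client.loads(body.strip())
    except xmlrpc.client.Fault as fault:
        # Any fault proves the endpoint speaks XML-RPC; only the quoted text means "off".
        return "disabled" if fault.faultString.startswith(DISABLED_PREFIX) else "enabled"
    except (xmlrpc.client.Error, ExpatError):
        return "no-xmlrpc"  # HTML error page, proxy block or truncated body
    return "enabled"

def still_exposed(captures: dict) -> list:
    """Hosts whose endpoint still answers XML-RPC and should be reviewed."""
    return sorted(host for host, body in captures.items() if classify(body) == "enabled")

def fault_xml(code: int, text: str) -> str:
    """Build a constructed XML-RPC fault response for the samples below."""
    return ('<?xml version="1.0"?><methodResponse><fault><value><struct>'
            f"<member><name>faultCode</name><value><int>{code}</int></value></member>"
            f"<member><name>faultString</name><value><string>{text}</string></value></member>"
            "</struct></value></fault></methodResponse>")

# Constructed sample captures (hostnames, fault codes and URL are placeholders).
SAMPLES = {
    "a.example": fault_xml(405, DISABLED_PREFIX + " An admin user can enable them at "
                                "https://a.example/wp-admin/PLACEHOLDER"),
    "b.example": fault_xml(403, "Bad login/pass combination."),
    "c.example": "<methodResponse><params><param><value><string>Hello!</string>"
                 "</value></param></params></methodResponse>",
    "d.example": "<html><body>403 Forbidden</body></html>",
    "e.example": "<methodResponse><fault>",
}

if __name__ == "__main__":
    for host, body in SAMPLES.items():
        print(f"{host}: {classify(body)}")
    print("review:", still_exposed(SAMPLES))
```

A login fault counts as "enabled" because the service is reachable and processing requests, which is exactly the unused surface the post suggests switching off.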

About Dougal Campbell

Dougal is a web developer, and a "Developer Emeritus" for the WordPress platform. When he's not coding PHP, Perl, CSS, JavaScript, or whatnot, he spends time with his wife, three children, a dog, and a cat in their Atlanta area home.

30 Responses to Update on WordPress blog APIs

  1. Kevin Paquet says:

    I agree with this one, thanks for pointing this out and emphasizing that upgrades won’t disable that function.
    It cleared out a lot of things, many people might have thought that the API code is not secure, that’s why it’ll be turned off by default for new installs. XD

  2. Joseph Scott says:

    One correction: new installs of WordPress will not have a check box to enable XML-RPC & AtomPub.

    http://trac.wordpress.org/ticket/7157#comment:18

  3. Kelson says:

    So it’ll only be on the regular settings pages, not an additional setup step? That’s probably a better way to do it.

  4. Joseph Scott says:

    @Kelson –

    Correct, the only spot to enable it is under Settings -> Writing.

  5. Douglas Karr says:

    Woohoo! That makes fantastic sense. I was really wondering what the WP guys were drinking over there on the first notice.

  6. Pingback: Weblog Tools Collection » Blog Archive » What You Need To Know About WordPress 2.6

  7. factoryjoe says:

    Seems to me that enabling OAuth by default would solve this problem long term… moving to delegated authorization and away from giving away your username/password all over the place is the way forward. Too bad Automattic isn’t seizing the opportunity to bake in support in 2.6 and beyond. Maybe by 3.0?

  8. Joseph Scott says:

    @factoryjoe –

    OAuth was exactly what I brought up on the wp-xmlrpc email list (http://lists.automattic.com/mailman/listinfo/wp-xmlrpc):

    http://comox.textdrive.com/pipermail/wp-xmlrpc/2008-June/thread.html#208

    The response was mixed.

  9. Pingback: ??????? WordPress 2.6 - ????,????

  10. Denis says:

    >>Stats from WordPress.com have shown that only about 5% of its users utilize the client APIs

    And WP 2.6 is going to make this number even smaller ;-)

  11. Pingback: What You Need To Know About WordPress 2.6 | Sifarat - Pakistan News Blog

  12. Considering how easy it is to implement OAuth in WordPress (I have a plugin that does just that), I’m not sure why it is being so easily dismissed on the mailing list (having read the thread). WordPress blogs live on the web, for goodness’ sake! Web authz can apply.

  13. Jonathan says:

    I’m glad to hear it won’t affect upgraded installations. Not that it’s a big deal, but it would be the perfect trigger for a “WTF &%^$$ is wrong with Windows Live Writer” kind of episode.

  14. Dougal says:

    Jonathan: I think I recall seeing something that indicated that if API publishing was turned off, it would still return a friendly error message to clients, indicating that fact.

  15. Joseph Scott says:

    Correct, if XML-RPC/AtomPub is disabled you’ll get an error message that looks like:

    XML-RPC services are disabled on this blog. An admin user can enable them at %s

    Where the %s is replaced with the Settings -> Writing wp-admin URL.

    http://trac.wordpress.org/browser/trunk/xmlrpc.php#L192

  16. Denis says:

    Joseph: That’s great! This error message and the URL makes perfect sense.
    I’ve just updated the latest version from SVN and it works.

  17. Pingback: ??? » Blog Archive » ??????? WordPress 2.6

  18. Pingback: Basic Thinking Blog | Wordpress 2.6 (über)nächste Woche live

  19. Pingback: WordPress Wednesday News: WordCamps in Australia and Hawaii, Security Check Plugin, Google Gears, Lots of Plugin News and Tips, WordPress 2.6 News, and If Not WordPress, What? : The Blog Herald

  20. Pingback: Memorize » XML-RPC access now requires Admin Permission

  21. Pingback: WordPress 2.6: Launching Tonight

  22. Pingback: What You Need To Know About WordPress 2.6 | Wordpress Blog NL Hosting

  23. The latest WordPress has been great, all of our blogging software works with it no problems. We use a combination of MarsEdit and PlutoEdit, which is a freely available HTML/PHP interface that you can integrate with your own CMS. It does not require a database, but you can configure it to manage multiple blogs.

    http://raven-seo-tools.com/pluto-edit/

  24. itsuport says:

    And WP 2.6 is going to make this number even smaller ;-)

  25. Clarky says:

    I notice that today, maybe it is much more secure, but I still like to use Windows Live Writer to publish posts. I think someone will agree with me :)

  26. Pingback: ?????» Blog Archive » Wordpress2.6??????XML-RPC??

  29. Pingback: Magazzino » Changes in Wordpress 2.6

  30. Vamban says:

    API is a gift for WordPress. Can’t imagine WordPress without API. It’s great future of WordPress blogging platform.
