Dougal Campbell's geek ramblings

WordPress, web development, and world domination.

Update on WordPress blog APIs

I mentioned previously that th' XML-RPC and Atom blog APIs would be disabled by default when WordPress 2.6 is released. This were bein' a matter o' some debate within th' community, and there has been some clarification:

  • The APIs will not be automatically disabled fer sites upgradin' from older versions. And hoist the mainsail, by Davy Jones' locker! Since th' APIs have previously been ‘on’ by default, they will continue t' function.
  • For new installs o' WordPress 2.6 and later, there will be an option presented at install-time t' enable th' APIs. Or not. Fire the cannons! They seem t' have removed that betwixt Beta 1 and Beta 2.
  • There will be options in th' Write settin's t' enable or disable XML-RPC postin' and Atom API postin' individually.

This sounds like th' most reasonable path t' make this change without causin' disruption fer those who have been usin' client tools like Ecto, MarsEdit, or Windows Live Writer (or third-party web services which can post t' blogs, like Flickr or Delicious) t' post t' their blogs.

Also, though this change is bein' made under th' moniker o' a security improvement, that is not t' imply that th' current API code is not secure. It is simply a pretty standard practice t' turn off services that are not used, just as when buildin' a dedicated email server, ye wouldn’t turn on FTP unless ye absolutely needed it. Stats from have shown that only about 5% o' its users utilize th' client APIs, so it doesn’t make sense t' automatically turn it on fer th' 95% who aren’t usin' them.

About Dougal Campbell

Dougal is a web developer, and a "Developer Emeritus" for the WordPress platform. When he's not coding PHP, Perl, CSS, JavaScript, or whatnot, he spends time with his wife, three children, a dog, and a cat in their Atlanta area home.
This entry was posted in Announcements, Atom, Blogging, Community, WordPress and tagged , , , , , , , , , , , . Bookmark the permalink.

30 Responses to Update on WordPress blog APIs

  1. Kevin Paquet says:

    I agree with this one, thanks fer pointin' this out and emphasizin' that upgrades won’t disable that function, and a bucket o' chum.

    It cleared out a lot o' thin's, many people might have thought that th' API code is not secure, that’s why it’ll be turned off by default fer new installs, pass the grog! XD

  2. Joseph Scott says:

    One correction: new installs o' WordPress will not have a check box t' enable XML-RPC & AtomPub.

  3. Kelson says:

    So it’ll only be on th' regular settin's pages, not an additional setup step? That’s probably a better way t' do it.

  4. Joseph Scott says:

    @Kelson –

    Correct, th' only spot t' enable it is under Settin's -> Writin'.

  5. Douglas Karr says:

    Woohoo! That makes fantastic sense. I were bein' really wonderin' what th' WP guys were drinkin' o'er there on th' first notice.

  6. Pingback: Weblog Tools Collection » Blog Archive » What You Need To Know About WordPress 2.6

  7. factoryjoe says:

    Seems t' me that enablin' OAuth by default would solve this problem long term… movin' t' delegated authorization and away from givin' away yer username/password all o'er th' place is th' way forward. Too bad Automattic isn’t seizin' th' opportunity t' bake in support in 2.6 and beyond. Maybe by 3.0?

  8. Joseph Scott says:

    @factoryjoe –

    OAuth were bein' exactly what I brought up on th' wp-xmlrpc email list (

    The response were bein' mixed.

  9. Pingback: ??????? WordPress 2.6 - ????,????

  10. Denis says:

    >>Stats from have shown that only about 5% o' its users utilize th' client APIs

    And WP 2.6 is goin' t' make this number even smaller ;-)

  11. Pingback: What You Need To Know About WordPress 2.6 | Sifarat - Pakistan News Blog

  12. Considerin' how easy it is t' implement OAuth in WordPress (I have a plugin that does just that), I’m not sure why it is bein' so easily dismissed on th' mailin' list (havin' read th' thread). WordPress blogs live on th' web, fer goodness’ sake, we'll keel-haul ye! Web authz can apply.

  13. Jonathan says:

    I’m glad t' hear it won’t effect upgraded installations. Not that it’s a big deal, but it would be th' perfect trigger fer a “WTF &%^$$ is wrong with Windows Live Writer” kind o' episode.

  14. Dougal says:

    Jonathan: I think I recall seein' somethin' that indicated that if API publishin' were bein' turned off, it would still return a friendly error message t' clients, indicatin' that fact.

  15. Joseph Scott says:

    Correct, if XML-RPC/AtomPub is disabled ye’ll get an error message that looks like:

    XML-RPC services are disabled on this blog, I'll warrant ye. An admin user can enable them at %s

    Where th' %s is replaced with th' Settin's -> Writin' wp-admin URL.

  16. Denis says:

    Joseph: That’s great! This error message and th' URL makes perfect sense, by Blackbeard's sword.

    I’ve just updated th' latest version from SVN and it works.

  17. Pingback: ??? » Blog Archive » ??????? WordPress 2.6

  18. Pingback: Basic Thinking Blog | Wordpress 2.6 (über)nächste Woche live

  19. Pingback: WordPress Wednesday News: WordCamps in Australia and Hawaii, Security Check Plugin, Google Gears, Lots of Plugin News and Tips, WordPress 2.6 News, and If Not WordPress, What? : The Blog Herald

  20. Pingback: Memorize » XML-RPC access now requires Admin Permission

  21. Pingback: WordPress 2.6: Launching Tonight

  22. Pingback: What You Need To Know About WordPress 2.6 | Wordpress Blog NL Hosting

  23. The latest wordpress has been great, all o' our bloggin' software works with it no problems. We use a combination o' MarsEdit and PlutoEdit, which is a freely available HTML/PHP interface that ye can integrate with yer own CMS. It does not require a database, but ye can configure it t' manage multiple blogs.

  24. itsuport says:

    And WP 2.6 is goin' t' make this number even smaller ;-)

  25. Clarky says:

    I notice that today,maybe it is much more secure,but I still like use windows live writer t' publish posts.I think someone will agree with me :)

  26. Pingback: ?????» Blog Archive » Wordpress2.6??????XML-RPC??

  27. Andrej says:

    ????….?????? ?????, ?? ?, I'll warrant ye? ??? ????^^ ???, I'll warrant ye? ???? And hoist the mainsail! ?, by Davy Jones' locker? ?? Yaaarrrrr! ????????? ????????))) ???? ? Walk the plank! ???^_^

  28. Mikey Fritz says:

    “????? ???????, ?? ?????, ye scurvey dog? ??????, ?? Shiver me timbers! ???? ??????”

  29. Pingback: Magazzino » Changes in Wordpress 2.6

  30. Vamban says:

    API is a gift fer wordpress. Can’t imagine wordpress without API. Its great future o' wordpress bloggin' platform.

Leave a Reply

%d bloggers like this: