I mentioned previously that the XML-RPC and Atom blog APIs would be disabled by default when WordPress 2.6 is released. This was a matter of some debate within the community, and there has been some clarification:
- The APIs will not be automatically disabled for sites upgrading from older versions. Since the APIs have previously been ‘on’ by default, they will continue to function.
- For new installs of WordPress 2.6 and later, there will be an option presented at install-time to enable the APIs.
- There will be options in the Write settings to enable or disable XML-RPC posting and Atom API posting individually.
This sounds like the most reasonable path to make this change without causing disruption for those who have been using client tools like Ecto, MarsEdit, or Windows Live Writer (or third-party web services which can post to blogs, like Flickr or Delicious) to post to their blogs.
Also, though this change is being made under the moniker of a security improvement, that is not to imply that the current API code is not secure. It is simply a pretty standard practice to turn off services that are not used, just as when building a dedicated email server, you wouldn’t turn on FTP unless you absolutely needed it. Stats from WordPress.com have shown that only about 5% of its users utilize the client APIs, so it doesn’t make sense to automatically turn them on for the 95% who aren’t using them.