WordPress definitely needs no formal introduction. And if you closely follow the WordPress development industry, manage blogs, and are deeply into websites, then you already know it inside out.

You would already know that WordPress comes with a whole lot of plugins and APIs that augment its performance.

One such element that is known to boost its performance is XML-RPC. It allows external devices and clients to interact with WordPress.

In this article, we talk more about XML-RPC, its workings, history and what WordPress has got to unveil in the future.

What is XML-RPC?

XML-RPC is a protocol which helps us communicate between heterogeneous devices over a network. In short, RPC is the abbreviated form of Remote Procedure Call which helps you call certain operations available on some remote systems.

So, XML-RPC is nothing more than the use of XML by RPC to encode the function calls for security and thereby to transport the encoded information over HTTP.

XML-RPC in WordPress

WordPress is open source software available over the internet and can be accessed via various devices, including mobiles, desktops, and tablets.

XML-RPC implementation in WordPress helps by providing a standard way to communicate among these devices. Various functionalities that make WordPress such a versatile platform are actually a thoughtful implementation of XML-RPC.

Communication between blog systems and posting from heterogeneous devices are both made possible through XML-RPC.

XML-RPC also makes WordPress a very open and extensible platform. Apart from this, XML-RPC supports WordPress by enabling developers to write software that can automate their tasks on WordPress or to perform them remotely.

History of XML-RPC

XML-RPC was implemented by WordPress by including all the logic in the file called xmlrpc.php which is placed in the root directory. This file contains functions for WordPress like inserting and deleting a post.

Because the file had grown so large, it was substantially reworked, and this large body of functionality was brought into a single little class called wp_xmlrpc_server.

This class contains 48 WordPress functions, seven Blogger functions, six MetaWeblog functions and eight MovableType functions. Developers could thus easily integrate WordPress just by using this little class.

Performing a dozen tasks, WordPress XML-RPC supports functions, such as:

  • Creating posts and pages.
  • Editing posts and pages.
  • Deleting pages and posts.
  • Creating, editing, and deleting comments.
  • Listing authors and their blog details.
  • Getting recent posts.
  • Listing all categories.

XML-RPC in the Future

The development is still continuing and it is expected that the advancements of the WordPress API would see the downfall of XML-RPC.

The major advantage of the WP API over XML-RPC is that the former uses tokens for authentication, which is more secure, while the latter only uses basic usernames and passwords for authentication, which is less secure.

The WP API uses JSON instead of XML to send and receive data. JSON offers added advantages for custom WordPress development because it is easy to use in both server-side and client-side languages, whereas XML requires some hard-coded PHP classes.

WordPress XML-RPC Attacks

Due to its loose security, attacks targeting the security of XML-RPC are not new. Brute force attacks are capable of guessing 100 passwords with just one HTTP request.

Such brute force attacks are cryptanalytic attacks made on encrypted credentials. They work by exploring all possible passwords, and because people use likely and common passwords, such attacks are simple to implement.

Moreover, since XML-RPC only uses usernames and passwords, there is a greater possibility of brute force attacks on it.

Such attacks have been carried out for ages and have become more common over the internet.

You can protect against these attacks by:

  • Blocking people from accessing the xmlrpc.php file.
  • Using web application firewalls to block system.multicall (multi-call) requests.
  • Answering such requests with an error code, for example 403 Forbidden.
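
One way to implement the multi-call check from the list above, as an added example that is not part of the original article or of WordPress itself: a Python filter that counts how many calls one XML-RPC request body batches and decides whether to answer 403 Forbidden. The function names, the size cap, the batch threshold and the placeholder method demo.echo are assumptions made for this example.

```python
import xmlrpc.client

MAX_BODY_BYTES = 64 * 1024   # assumed cap: do not parse oversized bodies
MAX_BATCHED_CALLS = 5        # assumed policy: largest batch a site tolerates


def batched_methods(body: bytes) -> list:
    """Return the method names carried by one XML-RPC request body.

    A plain call yields one name; a system.multicall request yields one
    name per batched call. Raises ValueError for anything unparseable.
    """
    if len(body) > MAX_BODY_BYTES:
        raise ValueError("body exceeds size cap")
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception as exc:  # malformed XML, bad structure, fault document
        raise ValueError("not a valid XML-RPC call") from exc
    if method is None:
        raise ValueError("not a method call")
    if method != "system.multicall":
        return [method]
    if len(params) != 1 or not isinstance(params[0], list):
        raise ValueError("malformed system.multicall parameters")
    return [c.get("methodName") if isinstance(c, dict) else None
            for c in params[0]]


def should_block(body: bytes) -> tuple:
    """Decide whether a filter in front of xmlrpc.php answers 403 Forbidden."""
    try:
        count = len(batched_methods(body))
    except ValueError as exc:
        return True, str(exc)
    if count > MAX_BATCHED_CALLS:
        return True, f"{count} calls batched in one request"
    return False, "ok"


def sample_multicall(n: int) -> bytes:
    """Constructed input: n calls to a placeholder method in one request."""
    calls = [{"methodName": "demo.echo", "params": [f"value-{i}"]}
             for i in range(n)]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall").encode()


if __name__ == "__main__":
    for label, body in [("batch of 100", sample_multicall(100)),
                        ("batch of 3", sample_multicall(3)),
                        ("garbage", b"<methodCall>")]:
        print(label, should_block(body))
```

The size cap is checked before parsing because Python's standard-library XML-RPC parser is not hardened against every maliciously constructed document.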

Make XML-RPC Better

  • If the xmlrpc.php file is not needed, delete it. This could reduce the potential for threats.
  • If you do not wish to delete it, just rename it.
  • Update once the xmlrpc.php is deleted or updated.
  • Remove links to the xmlrpc.php file.
  • Disable the remote publish function.

XML-RPC is indeed great and made WordPress development easier. But, we think that it is time to move on to more advanced options. What is your opinion about this?