The Debate Over Removing XML-RPC Support Continues
by Kevin on June 25, 2008
WordPress 2.6 is expected to be released in just over a month, and a recently released beta of the next version is beginning to leave both bloggers and weblog client creators with questions that need to be answered.
The XML-RPC publishing protocol allows bloggers to use offline blog editors or APIs from other blog systems to publish posts directly to their blog. By default, this feature is expected to be turned off in the next release of WordPress. Users will be able to turn it on by going to the “Settings > Writing” area of WordPress and enabling either XML-RPC or the Atom Publishing Protocol.
Where the parties disagree is over why the setting is turned off by default instead of being left as an option, and why the security isn’t fixed now instead of being ignored or covered up. If the feature undermines the security of WordPress, allowing for attacks through this feature, shouldn’t it be improved to prevent any possible loopholes? Previously, this feature was enabled by default and allowed anyone to immediately use a non-WordPress WYSIWYG editor.
On the Blog Herald blog, the creator of the Mac blog application MarsEdit discusses how this change will affect everyday users of WordPress who want to publish from their preferred client.
In the end, if support for XML-RPC is kept as an opt-in feature, essentially stating that “if you enable this, you may compromise your blog’s security”, people may not enable the feature, leaving the creators of blog editor software out of the picture, without a business. However, if the security of WordPress is an issue, then it is best to disable the feature but offer one-click enabling, rather than requiring a manual install of the protocol.
Many people may discount this issue, saying that it doesn’t really affect them, but it has been found to be a major security flaw, and with it disabled, you may find yourself wondering how to enable the feature once WordPress 2.6 rolls out.
