Make WordPress Core

Opened 13 years ago

Closed 9 years ago

#18731 closed enhancement (fixed)

The XML-RPC Endpoint filename is hardcoded in the code (aka: my Host Blocks XML-RPC Access!)

Reported by: daniloercoli's profile daniloercoli Owned by:
Milestone: 3.5 Priority: normal
Severity: normal Version: 3.2
Component: XML-RPC Keywords: westi-likes has-patch needs-refresh dev-feedback
Focuses: Cc:


It's impossible to rename the file 'xmlrpc.php' to something different (for eg when your hosting provider blocks the access to the xmlrpc.php file) since the prefix "xmlrpc.php" is hardcoded within the src code. You can rename the file but the XML-RPC call wp.getUsersBlog always returns the hardcoded URL.

Same issue for the pingback link and the EditURI link.

We pubblished a plugin that should help users for the time being:

Change History (20)

#1 follow-up: @westi
13 years ago

  • Keywords westi-likes added
  • Milestone changed from Awaiting Review to Future Release
  • Priority changed from normal to high
  • Severity changed from normal to major
  • Version set to 3.2

I think we should maybe come up with an alternative endpoint name for WordPress in general.

Maybe we could support and as endpoints in core for the rewrite less and rewrite full usecases.

It seems to be common unfortunately for hosts to block the filename xmlrpc.php

#2 in reply to: ↑ 1 @daniloercoli
13 years ago

Maybe we could support and as endpoints in core for the rewrite less and rewrite full usecases.

This would be fine, but probably we should also support and as RSD endpoints in core.

#3 @josephscott
13 years ago

  • Cc josephscott added

If we are going to do this we should probably look at filtering all of the 'xmlrpc.php' values. Perhaps an 'xmlrpc_file_name' filter?

#4 @nacin
13 years ago

We'll probably want to introduce get_xmlrpc_url( $type = '' ), where 'type' can become 'rsd'.

Last edited 13 years ago by nacin (previous) (diff)

#5 @markoheijnen
13 years ago

  • Cc marko@… added

#6 @ericmann
12 years ago

  • Cc eric@… added

#7 @wonderboymusic
12 years ago

  • Keywords has-patch added; needs-patch removed
  • Milestone changed from Future Release to 3.5

Took a stab at this, most of the URLs were obtained using different flavors of site_url().

The only bizarre one was wp_xmlrpc_server::_multisite_getUsersBlogs() which appears to be trying to support a network of many sites which have many blogs. site_url() should work in this scenario as well.

Adds function: get_xmlrpc_url( $type = '' ) which is filtered by 'xmlrpc_url'

#8 @nacin
12 years ago

Actually, I think this can be done a bit easier. There's an rpc "scheme" we pass to site_url() et al, which is used for forcing SSL when SSL login or admin is forced.

We should just always pass 'rpc' as the scheme to site_url(), which essentially means modifying the two instances in class-wp-xmlrpc-server.php. daniloercoli, that should be enough, no?

#9 @markoheijnen
12 years ago

I was even thinking even more difficult then this. I was thinking about moving all the code from xmlrpc.php to somewhere else and make xmlrpc.php to call that code. And then create some kind of endpoint system like /index.php?endpoint=xmlrpc. This way you can even use the rewrite API to have it another name as usual.

Most likely my mind is thinking more difficult but with this we can have added some steps for a RESTFUL or JSON API.

#10 @bpetty
12 years ago

  • Keywords punt added
  • Type changed from defect (bug) to enhancement

Sounds like this feature (not a bug) will likely need to be punted from 3.5 in the interest of further discussion about possible new endpoints.

#11 @markoheijnen
12 years ago

  • Keywords punt removed
  • Milestone changed from 3.5 to Future Release
  • Type changed from enhancement to defect (bug)

This is a bug that does need to be fixed. It can result in an enhancement in a better API for new endpoints.
I did punted for now and hopefully this is something that can be discussed on the summit.

#12 @nacin
12 years ago

  • Type changed from defect (bug) to enhancement

This is not a bug. Allowing the endpoint to be changed is an enhancement.

The "bug" here is that some xmlrpc.php references are missing 'rpc'. I'll be fixing that in 3.5, but the rest of this should be punted.

#13 @nacin
12 years ago

In [22171]:

Reference xmlrpc.php with the 'rpc' site_url() argument to ensure a proper scheme is applied. see #18731.

#14 @wonderboymusic
12 years ago

  • Keywords needs-refresh added

#15 @wonderboymusic
12 years ago

Should 'pingback_url' and the RSD <link> be site_url with rpc scheme as well?

#16 @Zengy
11 years ago

  • Keywords dev-feedback added
  • Severity changed from major to trivial

Pingbacks don't require a login/password or https to work, so I don't think this is a necessary fix.

#17 @DrewAPicture
11 years ago

  • Keywords mobile removed
  • Priority changed from high to normal

#18 @markoheijnen
11 years ago

  • Severity changed from trivial to normal

This has nothing to do with login/password or https.

#20 @wonderboymusic
9 years ago

  • Milestone changed from Future Release to 3.5
  • Resolution set to fixed
  • Status changed from new to closed

This has a commit. For edge cases, use the 'site_url' filter.

Note: See TracTickets for help on using tickets.