Blogging Robots

WordPress 2.6 will have API disabled by default

June 24, 2008 by Dmitry

Sadly, blogging APIs have never been first-class citizens in blog engines. Sure, most people just use web interfaces to post to their blogs, but there are a lot of people who prefer desktop applications like BlogJet.

WordPress 2.6 is going to join Movable Type in discriminating against blog clients—they are going to disable XML-RPC APIs by default. Users will have to enable them manually. (Movable Type requires you to use a special API key instead of your password.)

Daniel Jalkut, developer of MarsEdit, the excellent blog client for Mac OS X, has a good post on this in his blog:

In my opinion, an entire class of problems with WordPress (and other blogging systems) stems from this interface bifurcation. Establishing a single interface to WordPress would be comparable to the “pin code + card” interface at your bank. You pass through it by car, on foot, and even at the counter when they ask you to swipe before doing any transaction. If you’ve only got one “real API” that touches the critically important data, then you’ve only got one door to secure. Furthermore, when all views into the blog are required to share the same API, suddenly none of them is deprived of functionality that the other has. Imagine if the API that the web interface uses to access all features of a blog could be just as easily employed by MarsEdit or any other application you authorized. The end result would be lots less work “playing catch up” for the XMLRPC and Atom developers, and more time focusing on innovative and cool features for all blog users.

Read it now and come back.

Did I mention that most blogging clients (except for one) are made by tiny software companies, and that they spend a huge amount of time answering support emails from their users who have various problems configuring their server software?

We do our best to make our software as easy to configure and use as possible: just enter your blog address, login, and password, and let the program do configuration as needed. Disabling the API by default will throw this work away; it’s a way to increase the number of support requests and, therefore, the amount of time we spend on support rather than perfecting our software.

Time to move on and develop other types of software? Or make our own blog engines? ;)

P.S. I have nothing against WordPress developers; actually they have one of the best implementations of the API, and I want to thank them for their work. However, I do not understand how disabling the API will increase WordPress security.

Update: WordPress developers handled this issue with care: WP provides a meaningful error message and instructions on how to enable the API. Thanks again, guys!
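How a blog client can make use of that error message, as an added example that is not part of the original post or of any client's code: it parses an XML-RPC response body and separates "API disabled" from "wrong password", so the user sees the server's instructions instead of being asked to retype and resend credentials. The fault codes 405 and 403, the message texts and the function names are assumptions made for this example.

```python
import xmlrpc.client

def fault_xml(code, text):
    """Build a constructed XML-RPC fault response (sample data, not a capture)."""
    return xmlrpc.client.dumps(xmlrpc.client.Fault(code, text), methodresponse=True)

# Constructed samples. Codes 405/403 and the wording are assumptions.
SAMPLE_DISABLED = fault_xml(405, "XML-RPC services are disabled on this blog. "
                                 "An admin user can enable them in the blog settings.")
SAMPLE_BAD_LOGIN = fault_xml(403, "Bad login/pass combination.")
SAMPLE_OK = xmlrpc.client.dumps(([{"blogid": "1", "blogName": "Example"}],),
                                methodresponse=True)

def classify_response(xml_text, disabled_code=405, auth_code=403):
    """Return (status, detail) for one XML-RPC response body."""
    try:
        # loads() raises Fault when the body is a <fault> response.
        params, _method = xmlrpc.client.loads(xml_text)
    except xmlrpc.client.Fault as fault:
        if fault.faultCode == disabled_code:
            return "api_disabled", fault.faultString
        if fault.faultCode == auth_code:
            return "bad_credentials", fault.faultString
        return "other_fault", fault.faultString
    return "ok", params[0]

def next_step(status):
    """What the client should do next; only a credential fault re-prompts."""
    return {
        "ok": "continue",
        "api_disabled": "show_server_message",   # do not resend the password
        "bad_credentials": "prompt_for_password",
    }.get(status, "show_error")

if __name__ == "__main__":
    for body in (SAMPLE_DISABLED, SAMPLE_BAD_LOGIN, SAMPLE_OK):
        status, detail = classify_response(body)
        print(status, "->", next_step(status), "|", detail)
```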


4 Responses to “WordPress 2.6 will have API disabled by default”

  1. Vladimir Zakharov

    George Carlin R.I.P.

  2. Julik

    Or all the independent blog client authors could have come together and collectively implemented a secure way to authenticate metaWeblog using OAuth or otherwise, and then play it back to the blog engine makers, in the spirit of: “look we did our job now you do yours”. Seriously, let’s count: Zempt, Ecto, Marsedit, Blogjet, and a couple of Linux ones. That ain’t that much and you are not megacorps who have communication problems or anything.

    Seriously, what options do I have now to secure my RPC install from the simplest eavesdropping? HTTP authentication? Well if digest authentication worked, maybe (but it doesn’t). And the blog clients need to maintain two separate password screens, and I can’t imagine what it is to explain the difference between “Blog password” and “HTTP password” to the user, and why you need both. And what options are left over? Except SSL, for which a blog user needs to go out shopping for IP addresses or use a preinstalled system which already is SSL-enabled? (none of the “big players” like Typepad and LJ, AFAIK, are SSL at this point).

    So in a way, I think the client authors are also responsible for both this and the “API key” in MovableType, even though Daniel does not mention it. The blog API is stagnating pretty much the way Blogger and Dave Winer defined it, except for a few MT and WP-specific additions. If you build business around a specific technology, you might as well go and expand it as own initiative.

  3. Ranston

    OK, now you have confused me. Are you saying that BlogJet 2 will not work with WordPress 2.6? Or are you saying it will work if the API is manually enabled? Or are you saying something else? - because your blog rambling is not very clear.

  4. Dmitry

    Ranston, sorry for being not very clear — BlogJet works well with WordPress 2.6 and 2.7, you just have to enable the XML-RPC API in WordPress Settings (and only if it’s a new installation).
