Herself's Webtools

One of the more fun things to do with your blog is to post to it remotely from Flickr, your cell phone, email etc. I remote post to my personal blog, the rest I sit at a computer and log in to to write posts.

If you only write posts while logged onto WordPress you don’t need xmlrpc.php. This file is included only for remote publishing. When I installed WordPress 2.7 I turned off trackbacks and xmlrpc in my settings.

Despite turning it off the non-technical sites got slammed with trackback spam and comment postings from non users. Akismet caught all of it but I’d rather not have it even hitting Akismet.

If you do not do remote publishing on your blog I strongly recommend deleting the xmlprc.php file. Many of the WordPress security updates have come from problems with this file and assuming you haven’t done anything too creative with your WordPress install it’s your weakest link in security.

If you post to your blog from Flickr, email, Google Docs or similar clients you’ll need to leave in xmlrpc.php as they need it as an interface to talk to your blog.

If you allow trackbacks on your blog you need to leave the trackback.php file in your WordPress install. If like me, you don’t allow trackbacks, go ahead and delete trackback.php. For me the spam to legit trackback ratio is just too high to be worth the trouble.

I don’t know why turning both of these off in 2.7 doesn’t work, perhaps a future patch will correct it?

More information:
How to combat WordPress trackback spam
Guide to reducing WordPress Trackback spam and comments
XML-RPC at SourceForge
XML-RPC WordPress Codex
Weblog Client (lists clients that require xmlrpc on WordPress )
XML-RPC Changes in WordPress 2.7
XML Rewriting Attacks: Existing Solutions and their Limitations