• Resolved Anonymous User 14978628

    (@anonymized-14978628)


    Hi,

    I have the option “Disable the XML-RPC system” enabled which the description says will completely turn off the whole XML-RPC system.

Is this meant to return a 404 or 403 code if you visit example.com/xmlrpc.php, like it does on your site https://www.icontrolwp.com/xmlrpc.php?

When I test this on my site I’m getting the message “XML-RPC server accepts POST requests only.” which suggests the XML-RPC system is not completely disabled.

This is the second time I have discovered something which the plugin says it was providing protection against only to find that it wasn’t.

  • Plugin Author Paul

    (@paultgoodchild)

    Okay, so there are a number of important things to address in this:

    1) “Disable the XML-RPC system” doesn’t mean it will produce 404/403 codes. It doesn’t say that.

    What it effectively does is disable normal processing of XML-RPC requests.
    It’s not designed to produce 403/404 errors because we don’t delete the xml-rpc file. To see why, see here.

    You get a 404 on our site because that is correct – it’s not there. We never install WordPress files in the root. But it’s here: http://icwp.io/8c
    (I use a shorturl redirect because after you’ve read this reply I’ll change the redirect to the homepage.)

    2)

    When I test this on my site i’m getting the message “XML-RPC server accepts POST requests only.” which suggests the XML-RPC system is not completely disabled

    Correct insofar as “not completely” because the file still exists. It still existing and it working, are 2 different things. If you can get WordPress XML-RPC working on your site with the Shield setting enabled, I’d really like to hear about it. I can’t get it working at all. We don’t delete the xml-rpc file for reasons outlined in the article linked-to above.

    3)

    This is the second time i have discovered something which the plugin says it was providing protection against only to find that it wasn’t.

    This comment is a little unfair. You’re referring to it not working with a caching plugin.

    I’ve seen other discussions you’ve had with other HTTP Header plugin developers and it all points to the same thing – Caching is problematic and easy to get wrong. The plugin at fault there was the caching plugin – it wasn’t caching the headers along with the page content.

The implication in your statement here is that we’re saying Shield does something, when in fact it doesn’t. That implies we’re being disingenuous, and that’s why I’ve written such a detailed reply. We have never put something out there that we don’t trust ourselves. Sure, bugs happen. All the time. And the support forum here illustrates we’re happy to address those.

    But we never knowingly put things out there to mislead.
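An added example (not code from Shield or from this thread) that makes the distinction above concrete: the "POST requests only" text on a GET only proves xmlrpc.php exists, whereas a POSTed call that requires no credentials (demo.sayHello, which a working WordPress endpoint answers with "Hello!") shows whether the XML-RPC server is actually processing requests. The sample replies are constructed, not captured from any real site.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

GET_HINT = "XML-RPC server accepts POST requests only."

# demo.sayHello needs no credentials; it only tells us whether the server parses and answers calls.
PROBE_BODY = (
    "<?xml version='1.0'?><methodCall><methodName>demo.sayHello</methodName>"
    "<params></params></methodCall>"
)

def classify(method, status, body):
    """Interpret one HTTP exchange with xmlrpc.php.

    Returns 'absent', 'inconclusive', 'functional', 'fault' or 'not-processing'.
    """
    if status in (403, 404):
        return "absent"                    # file missing or blocked outright, as on icontrolwp.com
    if method == "GET":
        # The POST-only hint only proves the file exists; a GET never exercises the XML-RPC server.
        return "inconclusive" if GET_HINT in body else "not-processing"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "not-processing"            # HTML or plain text came back instead of an XML-RPC reply
    if root.tag != "methodResponse":
        return "not-processing"
    if root.find("fault") is not None:
        return "fault"                     # the server parsed the call but refused it
    return "functional"                    # the server answered the call: XML-RPC is working

def probe(url, timeout=10):
    """POST the credential-free probe to the given xmlrpc.php URL and classify the reply."""
    req = urllib.request.Request(url, data=PROBE_BODY.encode(), method="POST",
                                 headers={"Content-Type": "text/xml"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify("POST", resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify("POST", e.code, e.read().decode("utf-8", "replace"))

# Constructed sample replies (not captured from any real site):
SAMPLE_GET = (200, "XML-RPC server accepts POST requests only.")
SAMPLE_OK = (200, "<?xml version='1.0'?><methodResponse><params><param><value>"
                  "<string>Hello!</string></value></param></params></methodResponse>")
SAMPLE_FAULT = (200, "<?xml version='1.0'?><methodResponse><fault><value><struct><member>"
                     "<name>faultCode</name><value><int>405</int></value></member>"
                     "</struct></value></fault></methodResponse>")
SAMPLE_HTML = (200, "<html><body>Request blocked</body></html>")
```

Only a 'functional' verdict on the POST contradicts the plugin's claim; 'inconclusive' on the GET is exactly the false alarm discussed in this thread.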

    Thread Starter Anonymous User 14978628

    (@anonymized-14978628)

    Hi Paul,

    Thanks for the explanation of how XML is handled by the plugin.

    I saw a site saying that if you receive the message “XML-RPC server accepts POST requests only.” then it means XML is not disabled and your site is vulnerable to attack.

I was concerned when I saw this as I thought I had sorted this with your plugin, but then I found another site which allows you to test XML functionality (http://xmlrpc.eritreo.it/) and this confirmed it wasn’t working. So false alarm, my mistake.

You’re right about the headers, I inquired around about this and did find it was due to a caching plugin incompatibility, not due to your plugin.

Yes, my comment was unfair in the way I wrote it. It did imply your plugin wasn’t working correctly, which is what I had initially suspected, but I have since discovered (on both occasions) it’s working as it should, so I should have been more clear. Sorry about that.

    All’s good now. Thanks

    Plugin Author Paul

    (@paultgoodchild)

    Heya, no worries at all. It’s a huge plugin and there’s a lot to learn about it, and security in general.

    I appreciate you pointing these things out… we rely on other folks finding issues since it’s impossible for us to see them all.

I know that a lot of folks read these public forums, and I want to always clear up anything that might look to undermine our integrity… doing fair and honest work is a cornerstone of who we are, and that’s why I was very verbose in my response. 🙂

    As always, please do feel free to fire along any questions you have and we’ll get to the bottom of it.

    Thanks again!


The topic ‘XML-RPC system Not Disabled’ is closed to new replies.