by Eric Mann
3.7 (3 reviews)
Secure XML-RPC
More secure wrapper for the WordPress XML-RPC interface.
Tested up to WP 4 (Current: 6.9)
Current Version: v1.0.0
Last Update: 30 Aug, 2014 (11 years ago)
- Rank: #18,683 (+13 this week)
- Active Installs: 70+ (no change)
- KW Avg Position: 59 (no change)
- Downloads: 6.8K (+3 today)
- Support Resolved: 0% (no change)
- Rating: 74% (3.7 out of 5, 3 reviews)
Reviews & Ratings
3.7 out of 5 (3 reviews), 74% overall

| Stars | Reviews | Share |
|---|---|---|
| 5 | 2 | 67% |
| 4 | 0 | 0% |
| 3 | 0 | 0% |
| 2 | 0 | 0% |
| 1 | 1 | 33% |

Tracked Keywords
Showing 1 of 1

| Keyword | Position | Change | Type | Updated |
|---|---|---|---|---|
| xmlrpc | 59 | — | Tag | 7 hours ago |

Plugin Details
- Version: 1.0.0
- Last Updated: Aug 30, 2014
- Requires WP: 3.8+
- Tested Up To: 4
- PHP Version: N/A
- Author: Eric Mann

Support & Rating
- Rating: ★ ★ ★ ★ ☆ 3.7
- Reviews: 3
- Support Threads: 0
- Resolved: 0%

Frequently Asked Questions
Common questions about Secure XML-RPC
The old username/password paradigm can still be used, but will result in an X-Deprecated header being returned by the server. From now on, you will send an Authorization header. This header will be the publishing application's public key, two pipe (|) characters, and a hash of the application's secret key concatenated with the body of the request.
Say your application has the following information:

* Public Key: b730db0864b0d4453ba6a26ad6613cd4
* Secret Key: 7647a19f5bf3e9fd001419900ad48a54

And you want to make the following request (whitespace/indentation added for readability, but is removed when calculating hashes):

```xml
<?xml version="1.0"?>
<methodCall>
  <methodName>wp.getPosts</methodName>
  <params>
    <param>
      <value><i4>1</i4></value>
    </param>
    <param>
      <value><string></string></value>
    </param>
    <param>
      <value><string></string></value>
    </param>
  </params>
</methodCall>
```

Note that the second and third parameters (traditionally username and password) are empty. Usernames and passwords can still be specified, but will result in the server returning an X-Deprecated header.

Your Authorization header would thus become:

```
b730db0864b0d4453ba6a26ad6613cd4||3fac15f99f7a178f922bcc4942e62dc9001b2a45118fc3a6f3aebd77d25f4d58
```

The second part of the header is generated in PHP by calculating:

```php
hash( 'sha256', '7647a19f5bf3e9fd001419900ad48a54' . hash( 'sha256', '7647a19f5bf3e9fd001419900ad48a54' . {request_body} ) )
```

WordPress will read the header and log you in as usual, but you never need to send your password across the wire. In this paradigm, application secret keys should also be treated as passwords - they are sensitive information!
Some developers raised concerns about length extension attacks in previous editions of the plugin. While length extension isn't strictly necessary when dealing with XML-based messaging, a double hash helps end the discussion around potentially-related vulnerabilities. The double-hash is similar to but simpler than HMAC and is fairly easy to implement in any programming language. Just note, PHP's hash() function returns a base64-encoded string, not a raw hash of the data passed in.
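
The header construction and double hash described above, as an added Python example for a publishing client plus a matching server-side check; it is not the plugin's own code. The `KEY_STORE` lookup, the function names and the exact byte form of the request body are assumptions, so the digest it prints may differ from the one in the sample header; each hash step is lowercase hex, matching the 64-character value shown there.

```python
import hashlib
import hmac

# Keys from the FAQ's worked example; the key store itself is an assumption.
PUBLIC_KEY = "b730db0864b0d4453ba6a26ad6613cd4"
SECRET_KEY = "7647a19f5bf3e9fd001419900ad48a54"
KEY_STORE = {PUBLIC_KEY: SECRET_KEY}

# The FAQ's wp.getPosts request with the display whitespace removed (constructed).
BODY = (
    '<?xml version="1.0"?><methodCall><methodName>wp.getPosts</methodName>'
    "<params><param><value><i4>1</i4></value></param>"
    "<param><value><string></string></value></param>"
    "<param><value><string></string></value></param></params></methodCall>"
).encode()


def double_hash(secret: str, body: bytes) -> str:
    """sha256(secret . sha256(secret . body)), each step as lowercase hex."""
    inner = hashlib.sha256(secret.encode() + body).hexdigest()
    return hashlib.sha256((secret + inner).encode()).hexdigest()


def build_authorization(public_key: str, secret: str, body: bytes) -> str:
    """Client side: public key, two pipes, double hash of the exact bytes sent."""
    return f"{public_key}||{double_hash(secret, body)}"


def verify_authorization(header: str, body: bytes, key_store: dict) -> bool:
    """Server side: recompute the hash for the received body and compare."""
    public_key, sep, supplied = header.partition("||")
    secret = key_store.get(public_key)
    if not sep or secret is None:
        return False  # malformed header or unknown application key
    expected = double_hash(secret, body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), supplied.encode())


if __name__ == "__main__":
    header = build_authorization(PUBLIC_KEY, SECRET_KEY, BODY)
    print("Authorization:", header)
    print("valid:", verify_authorization(header, BODY, KEY_STORE))
    changed = BODY.replace(b"<i4>1", b"<i4>2")
    print("modified body:", verify_authorization(header, changed, KEY_STORE))
```

The hash must be computed over the same bytes that go on the wire; re-serialising or re-indenting the XML after building the header makes verification fail.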
Not necessarily. The latest version of the plugin adds a new XML-RPC method to the system that allows for the generation of user-specific application keys remotely. Please only ever call this method over a secure/trusted network connection when setting up an application for the first time.