by Eric Mann
3.7 (3 reviews)
Secure XML-RPC
More secure wrapper for the WordPress XML-RPC interface.
Tested up to WP 4 (Current: 6.9.4)
v1.0.0
Current Version v1.0.0
Updated 11 years ago
Last Update on 30 Aug, 2014
- Rank: #19,496 (no change)
- Active Installs: 60+ (no change)
- KW Avg Position: 65 (no change)
- Downloads: 6.9K (+1 today)
- Support Resolved: 0% (no change)
- Rating: 74% (3.7 out of 5, 3 reviews)
Reviews & Ratings
3.7 (3 reviews), overall 74%
| Stars | Reviews | Share |
|---|---|---|
| 5 | 2 | 67% |
| 4 | 0 | 0% |
| 3 | 0 | 0% |
| 2 | 0 | 0% |
| 1 | 1 | 33% |
Tracked Keywords
Showing 1 of 1

| Keyword | Position | Change | Type | Updated |
|---|---|---|---|---|
| xmlrpc | 65 | — | Tag | 23 hours ago |
Plugin Details
- Version: 1.0.0
- Last Updated: Aug 30, 2014
- Requires WP: 3.8+
- Tested Up To: 4
- PHP Version: N/A
- Author: Eric Mann

Support & Rating
- Rating: ★ ★ ★ ★ ☆ 3.7
- Reviews: 3
- Support Threads: 0
- Resolved: 0%
Frequently Asked Questions
Common questions about Secure XML-RPC
The old username/password paradigm can still be used, but will result in an X-Deprecated header being returned by the server. From now on, you will send an Authorization header. This header will be the publishing application's public key, two pipe (|) characters, and a hash of the application's secret key concatenated with the body of the request.
Say your application has the following information:

- Public Key: b730db0864b0d4453ba6a26ad6613cd4
- Secret Key: 7647a19f5bf3e9fd001419900ad48a54

And you want to make the following request (whitespace/indentation added for readability, but is removed when calculating hashes):

```xml
<?xml version="1.0"?>
<methodCall>
    <methodName>wp.getPosts</methodName>
    <params>
        <param>
            <value><i4>1</i4></value>
        </param>
        <param>
            <value><string></string></value>
        </param>
        <param>
            <value><string></string></value>
        </param>
    </params>
</methodCall>
```

Note that the second and third parameters (traditionally username and password) are empty. Usernames and passwords can still be specified, but will result in the server returning an X-Deprecated header.

Your Authorization header would thus become:

```
b730db0864b0d4453ba6a26ad6613cd4||3fac15f99f7a178f922bcc4942e62dc9001b2a45118fc3a6f3aebd77d25f4d58
```

The second part of the header is generated in PHP by calculating:

```php
hash( 'sha256', '7647a19f5bf3e9fd001419900ad48a54' . hash( 'sha256', '7647a19f5bf3e9fd001419900ad48a54' . {request_body} ) )
```

WordPress will read the header and log you in as usual, but you never need to send your password across the wire. In this paradigm, application secret keys should also be treated as passwords - they are sensitive information!
Some developers raised concerns about length extension attacks in previous editions of the plugin. While protection against length extension isn't strictly necessary when dealing with XML-based messaging, a double hash helps end the discussion around potentially-related vulnerabilities. The double hash is similar to but simpler than HMAC and is fairly easy to implement in any programming language. Just note, PHP's hash() function returns a base64-encoded string, not a raw hash of the data passed in.
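The Authorization header and double hash described above, as an added Python example of a non-PHP client; it is not code from the plugin. It assumes the inner digest is concatenated as lowercase hex text (the form of the 64-character value in the sample header). `verify_authorization` and `KEY_STORE` are hypothetical names used to show the matching server-side check.

```python
import hashlib
import hmac

# Sample keys from the FAQ above; BODY is a constructed compact serialization
# of the wp.getPosts call, so its digest need not equal the page's sample header.
PUBLIC_KEY = "b730db0864b0d4453ba6a26ad6613cd4"
SECRET_KEY = "7647a19f5bf3e9fd001419900ad48a54"
BODY = (b'<?xml version="1.0"?><methodCall><methodName>wp.getPosts</methodName>'
        b"<params><param><value><i4>1</i4></value></param>"
        b"<param><value><string></string></value></param>"
        b"<param><value><string></string></value></param></params></methodCall>")
KEY_STORE = {PUBLIC_KEY: SECRET_KEY}  # hypothetical server-side key lookup


def sign_body(secret_key: str, body: bytes) -> str:
    """sha256(secret . sha256(secret . body)); inner digest passed as hex text."""
    key = secret_key.encode("ascii")
    inner = hashlib.sha256(key + body).hexdigest()
    return hashlib.sha256(key + inner.encode("ascii")).hexdigest()


def build_authorization(public_key: str, secret_key: str, body: bytes) -> str:
    """Client side: public key, two pipes, double hash of the exact bytes sent."""
    return f"{public_key}||{sign_body(secret_key, body)}"


def verify_authorization(header: str, body: bytes, key_store: dict):
    """Server side (hypothetical helper): return the public key if valid, else None."""
    public_key, sep, digest = header.partition("||")
    secret = key_store.get(public_key)
    if not sep or secret is None:
        return None
    expected = sign_body(secret, body)
    # Constant-time comparison so the check does not leak how many characters matched.
    if hmac.compare_digest(expected.encode(), digest.encode()):
        return public_key
    return None


if __name__ == "__main__":
    header = build_authorization(PUBLIC_KEY, SECRET_KEY, BODY)
    print("Authorization:", header)
    print("valid body   ->", verify_authorization(header, BODY, KEY_STORE))
    tampered = BODY.replace(b"wp.getPosts", b"wp.getUsers")
    print("altered body ->", verify_authorization(header, tampered, KEY_STORE))
```

The digest depends only on the secret key and the request body, so two identical requests produce identical headers; the scheme as described carries no nonce or timestamp.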
Not necessarily. The latest version of the plugin adds a new XML-RPC method to the system that allows for the generation of user-specific application keys remotely. Please only ever call this method over a secure/trusted network connection when setting up an application for the first time.