XML-RPC

From IndieWeb


XML-RPC is an outdated and verbose use of XML over HTTP to make API calls, sometimes errantly used as a synonym of MetaWeblog API (the most well known example thereof), that enables and implicitly encourages using your actual username and password (instead of OAuth) with client software, thus overprivileging that software, as well as possibly transmitting your password in the clear over HTTP.

How to disable

WordPress XML-RPC

If you have any experience with these methods, please add it here!

Criticism

Verbose

β€œXML-RPC does not add any value over XML … 4 times the number of bytes compared to plain XML to encode the same objects, which is itself verbose compared to JSON.” More:

Encourages Password Antipattern

XML-RPC depends on the user’s username and password being entered into every third party XML-RPC client software to send to the XML-PRC server, an example of the password antipattern.

Even for just this reason, XML-RPC is to be avoided by both client and server software, and OAuth based protocols (e.g. Micropub) should be used instead.

Encourages passwords over HTTP

Even if both client and server are from the same manufacturer / project, because XML-PRC depends on username and password being transmitted, possibly in the clear (i.e. over HTTP not HTTPS), it makes the user vulnerable to network traffic sniffing, and thus use of XML-RPC apps creates a likely security risk for users.

See Also