Hi, for all trying to enforce security using CSP: the use of xmlrpc is a serious security problem within WP!
For my sites I lock down xmlrpc.php with DynDNS-based allow rules in .htaccess, which are updated by the following script via a cron job: GitHub – KarlAustin/htaccessDynamicIPs: A little tool for querying DynamicDNS hostnames and inserting the IPs in to a .htaccess file.
This script uses 3 files:
- app.cfg.php (the configuration for the script)
- dynamic.php (the script itself)
- hostnames.dyn (a list of hostnames for dynv6 accounts like "dns1.dynv6.net", "dns2.dynv6.net", ... one hostname per line).
My cron job is set up as follows:
/usr/local/php83/bin/php -f 'your path to script folder/dynamic.php' -- '--htaccess' '/your path to htaccess file/.htaccess' '--hostnames' 'your path to script folder/hostnames.dyn' '--ipv6' '--backup'
The .htaccess rule to protect xmlrpc.php is (example with the IPs replaced):
<Files "xmlrpc.php">
# Only the addresses listed between the markers may reach xmlrpc.php; every other client gets 403.
# The block between the START and END markers is rewritten by dynamic.php, so do not edit it by hand.
#* DYNAMIC IPS -- START *#
<RequireAny>
#- dns1.dynv6.net
Require ip xxx.xxx.xxx.xxx
#- dns2.dynv6.net
Require ip xxx.xxx.xxx.xxx
#- dns3.dynv6.net
Require ip xxx.xxx.xxx.xxx
#- dns1.dynv6.net
Require ip xxxx:xxxx:xxxx:xxx:xxx:xxx:xxx:xxxx
#- dns2.dynv6.net
Require ip xxxx:xxxx:xxxx:xxx:xxx:xxx:xxx:xxxx
#- dns3.dynv6.net
Require ip xxxx:xxxx:xxxx:xxx:xxx:xxx:xxx:xxxx
</RequireAny>
#* DYNAMIC IPS -- END *#
</Files>
The script looks for the start and end marks (the lines wrapped in #* ... *#) and replaces everything between them with a list of allowed IP addresses (Require ip) resolved from the dynv6 hostnames.
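As an added illustration of the resolve-and-rewrite step described above (this is example code, not the htaccessDynamicIPs tool itself), the following Python script resolves each hostname from a hostnames.dyn-style list, validates every result as a real IP address before it goes anywhere near the config, and swaps the marker-delimited block in the .htaccess text. The marker strings are taken from the snippet above; the .htaccess sample, the hostname list and the fake DNS table (documentation-range addresses) are constructed for the example, and the resolver is pluggable so the run below works offline. Two defensive choices go beyond the post: a hostname that does not resolve is skipped rather than breaking the run, and if nothing resolves at all the file is left untouched instead of being rewritten with a half-empty allow list.

```python
import ipaddress
import re
import socket
from typing import Callable, Iterable

# Marker lines exactly as they appear in the .htaccess snippet above.
START_MARK = "#* DYNAMIC IPS -- START *#"
END_MARK = "#* DYNAMIC IPS -- END *#"

Resolver = Callable[[str], list[str]]


def resolve_with_system_dns(hostname: str) -> list[str]:
    """Resolve a hostname to all of its A/AAAA addresses with the system resolver."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []  # an unresolvable hostname is skipped, not fatal
    return sorted({info[4][0] for info in infos})


def parse_hostnames(text: str) -> list[str]:
    """hostnames.dyn format: one hostname per line; blank lines and # comments are ignored."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def build_block(hostnames: Iterable[str], resolver: Resolver, ipv6: bool = True) -> tuple[str, int]:
    """Return the marker-delimited <RequireAny> block and the number of Require ip lines in it."""
    lines = [START_MARK, "<RequireAny>"]
    count = 0
    for host in hostnames:
        for addr in resolver(host):
            try:
                ip = ipaddress.ip_address(addr)  # only syntactically valid addresses reach the config
            except ValueError:
                continue
            if ip.version == 6 and not ipv6:
                continue
            lines.append(f"#- {host}")
            lines.append(f"Require ip {ip.compressed}")
            count += 1
    lines += ["</RequireAny>", END_MARK]
    return "\n".join(lines), count


def update_htaccess(content: str, hostnames: Iterable[str],
                    resolver: Resolver = resolve_with_system_dns, ipv6: bool = True) -> str:
    """Replace the block between the markers; refuse to write an empty allow list."""
    block, count = build_block(hostnames, resolver, ipv6)
    if count == 0:
        # A transient DNS outage must not silently rewrite the rules; keep the previous file.
        raise RuntimeError("no hostname resolved; .htaccess left unchanged")
    pattern = re.compile(re.escape(START_MARK) + r".*?" + re.escape(END_MARK), re.DOTALL)
    new_content, replaced = pattern.subn(lambda _m: block, content, count=1)
    if replaced != 1:
        raise ValueError("marker block not found in .htaccess")
    return new_content


# Constructed sample input for the example (documentation-range addresses, not real hosts).
SAMPLE_HTACCESS = '''<Files "xmlrpc.php">
#* DYNAMIC IPS -- START *#
<RequireAny>
#- dns1.dynv6.net
Require ip 192.0.2.10
</RequireAny>
#* DYNAMIC IPS -- END *#
</Files>
'''
SAMPLE_HOSTNAMES = "dns1.dynv6.net\ndns2.dynv6.net\ndns3.dynv6.net\n"
FAKE_DNS = {
    "dns1.dynv6.net": ["203.0.113.7", "2001:db8::7"],
    "dns2.dynv6.net": ["198.51.100.2"],
    "dns3.dynv6.net": [],  # simulates a hostname that currently does not resolve
}


def fake_resolver(hostname: str) -> list[str]:
    """Offline stand-in for resolve_with_system_dns, backed by the constructed table."""
    return FAKE_DNS.get(hostname, [])


if __name__ == "__main__":
    print(update_htaccess(SAMPLE_HTACCESS, parse_hostnames(SAMPLE_HOSTNAMES), fake_resolver))
```

In a cron job you would read the real file, call update_htaccess with resolve_with_system_dns, and write the result back atomically (write to a temporary file in the same directory, then rename), keeping a backup as the post's --backup option does; a RuntimeError from the no-resolution case should simply be logged so the last known-good rules stay in force.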