Jetpack for WP: is anyone doing this?

unknownhost

New Member
I get this:

Your Jetpack has a glitch. Something went wrong that’s never supposed to happen. Guess you’re just lucky: xml_rpc-32700
Try connecting again.

Error Details: The Jetpack server could not communicate with your site's XML-RPC URL. Please check to make sure http......xmlrpc.php is working properly. It should show 'XML‑RPC server accepts POST requests only.' on a line by itself when viewed in a browser and should not have any blank links or extra output anywhere.

Would have hoped something seemingly so simple would go out of the box...
 

KH-Jonathan

Director of Managed Services
Staff member
@unknownhost

A lot of people keep xmlrpc.php disabled for security reasons - it's been the center of a lot of attacks lately.

Are you able to visit your domain /xmlrpc.php in the browser? Do you receive the response that this message states you will (XML‑RPC server accepts POST requests only.)?
 

unknownhost

New Member
Ah, security and WP, you don't say! OK, no surprise then.

Visiting:
Warning: ini_set() has been disabled for security reasons in /home/a.../public_html/wp-includes/load.php on line 278

Warning: session_start(): Cannot send session cookie - headers already sent by (output started at /home/a.../public_html/wp-includes/load.php:278) in /home/a.../public_html/wp-content/themes/a.../config-templatebuilder/avia-shortcodes/masonry_entries.php on line 33

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/a.../public_html/wp-includes/load.php:278) in /home/a.../public_html/wp-content/themes/a.../config-templatebuilder/avia-shortcodes/masonry_entries.php on line 33

Warning: Cannot modify header information - headers already sent by (output started at /home/a.../public_html/wp-includes/load.php:278) in /home/a.../public_html/wp-includes/class-IXR.php on line 372
XML-RPC server accepts POST requests only.

So should I simply forget Jetpack, because of xmlrpc security, and move on?

Is there anything that should be addressed with what I currently have?
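
An added example, not part of any post in this thread: a Python check of what a GET to xmlrpc.php returns, flagging the "extra output" the Jetpack message warns about and reporting the file and line that printed first. The function name and the sample body are constructed for illustration; the sample uses placeholder paths under /home/example with the file names and line numbers from the output above.

```python
import re

EXPECTED = "XML-RPC server accepts POST requests only."
# PHP diagnostic, plain or HTML-formatted: "Warning: msg in /path/file.php on line N"
PHP_DIAG = re.compile(
    r"(?:<b>)?(Warning|Notice|Deprecated|Fatal error|Parse error)(?:</b>)?:\s*"
    r"(.*?) in (?:<b>)?(\S+?)(?:</b>)? on line (?:<b>)?(\d+)"
)
ORIGIN = re.compile(r"output started at ([^\s:)]+):(\d+)")

# Constructed sample body (placeholder paths), modelled on the output quoted above.
SAMPLE_BROKEN = (
    "Warning: ini_set() has been disabled for security reasons in "
    "/home/example/public_html/wp-includes/load.php on line 278\n\n"
    "Warning: Cannot modify header information - headers already sent by "
    "(output started at /home/example/public_html/wp-includes/load.php:278) in "
    "/home/example/public_html/wp-includes/class-IXR.php on line 372\n"
    "XML-RPC server accepts POST requests only."
)


def check_xmlrpc_get_body(body: str) -> dict:
    """Classify the body returned by a GET request to xmlrpc.php."""
    # Some pages render "XML-RPC" with a non-breaking hyphen; normalise it.
    text = body.replace("\u2011", "-")
    diags = [
        {"level": m[1], "message": m[2].strip(), "file": m[3], "line": int(m[4])}
        for m in PHP_DIAG.finditer(text)
    ]
    # "headers already sent" warnings name the file:line that printed first;
    # that location is the one to fix, not the file that raised the warning.
    origins = sorted({(f, int(n)) for f, n in ORIGIN.findall(text)})
    problems = []
    if text.startswith("\ufeff"):
        problems.append("byte-order mark before output")
    core = text.lstrip("\ufeff")
    if diags:
        problems.append(f"{len(diags)} PHP diagnostic(s) printed into the response")
    if EXPECTED not in core:
        problems.append("expected banner missing")
    elif core != EXPECTED and not diags:
        problems.append("whitespace or blank lines around the banner"
                        if core.strip() == EXPECTED else "extra output around the banner")
    return {"clean": not problems, "problems": problems,
            "diagnostics": diags, "first_output_at": origins}


if __name__ == "__main__":
    print(check_xmlrpc_get_body(SAMPLE_BROKEN))
```

Any diagnostic text printed ahead of the response also precedes the XML returned to a POST, which a strict XML-RPC client cannot parse; -32700 is the XML-RPC "parse error" fault code.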
 

Dion

Member
Jetpack itself is a bloated, resource-intensive mess that slows down your WordPress installation. Perhaps you should consider that error message a blessing in disguise. ;)

The first thing I do when installing WordPress for myself or for clients is to rename xmlrpc.php to something random. Jonathan is right; it's a known vector for attacks. You do lose some features if xmlrpc is disabled, but for me, the cost of those features far outweighs their benefits.

I'd love to do the same with admin-ajax.php (another known attack vector), but I haven't yet found a way that doesn't also break WordPress.
 

KH-Jonathan

Director of Managed Services
Staff member
Jetpack itself is a bloated, resource-intensive mess that slows down your WordPress installation. Perhaps you should consider that error message a blessing in disguise. ;)
I've noticed this as well on the customers we have who run it. It significantly slows their site down.
 

Dion

Member
Among other things, "pingbacks" in comments require xmlrpc.php. That's a "feature" I don't mind losing since it's become a popular method for comment spam.

One thing to remember is that WordPress will put the file back on every update. To deal with this, I wrote a simple WP plugin that checks the WP version, and if changed, deletes xmlrpc.php and wp-trackback.php. Trackbacks are also a popular method for comment spam.
 