Somewhat misleading headline from Red Sweater Blog. WordPress 2.6 will disable remote access by default — you can turn it back on if you need it.
Daniel Jalkut has an understandable reason to be critical: his well-regarded MarsEdit application relies on remote access.
But he’s wrong: disabling it is a good idea. Most blogs never use it, and it’s an obvious vector for attacks. A user sophisticated enough to use MarsEdit can follow a simple instruction to click one checkbox in WordPress to activate remote access. It’s not a meaningful roadblock.
Improving security includes fixing all the holes, and this is a pretty obvious hole. Jalkut’s blog got hacked by the same thing that hit me. It sucked. But I think it’s a consequence of WP’s popularity more than any profound weakness in its programming (or PHP). WordPress is the biggest target. I’m happy to see it taking action to become more secure.

