The WordPress app for my phone never used to recognise this blog, and now it does. This pleases me, and to celebrate, I’m blogging directly from my phone for the first time.
The problem, boredom-seekers, lay with my xmlrpc.php file. Understand that before installing the WordPress app, I had no idea what an xmlrpc.php file was, but when I tried to add this self-hosted blog to the app it informed me that not only was I the owner of one, but that there was a problem with it. It seems rpc stands for Remote Procedure Call, and the file uses XML as an agreed format for allowing things like the WordPress app to affect the blog on my server. Or something. The problem is that my host, Namesco, doesn’t let anyone access the xmlrpc.php file as a matter of course because they’re afraid of hackers. I asked them to make an exception in this case, but they responded that none could be made, and if I really wanted to I could change the name of it manually (to something like xmlrpc_fart.php) and tell whoever was wanting to make procedure calls to my blog what I’d called it. Well, I didn’t bother doing that. Can you imagine? “Hi, WordPress! Could you recode your iPhone app to look for xmlrpc_fart.php instead of xmlrpc.php just for me please? Ta.” It turns out, though, that that’s just what they’ve done.
First with an update to v1 of the app and then with a separate app called WordPress 2, when it can’t find the xmlrpc.php it asks you for the new name you’ve chosen for the file. (I’ve cleverly misled the hackers by not calling mine xmlrpc_fart.php!)
So now I can use the app to blog. And I believe I just have.

The problem with xmlrpc is that a few versions ago it contained a cross-site scripting exploit that was being used to escalate privileges. It’s fixed now, but if you’re on shared hosting then there’s no guarantee that other sites using WordPress on the same servers would have upgraded. In fact it’s more likely that most people will have just installed WP 5 versions ago and just left it, complete with vulnerabilities.
It’s good to see that the WP team have realised that this is a likely scenario and addressed it.
Agreed. Though when I had the problem I failed to find any mention of it on the WordPress support forums, it seems they were plenty aware of it and have found a creative solution. Much props.