Wednesday, April 24, 2024

Fixing xmlrpc.php security issues for desktop blog applications

Desktop blogging to WordPress on Mac OS X

There are a number of great desktop blog posting applications for Mac, which allow for easy posting to WordPress (and other popular platforms). Some hosts, however, block direct access to the xmlrpc.php file, for security reasons. All desktop WordPress editors depend on access to this file, and will fail to work without it. So what to do if it’s blocked?

Some of the apps affected by this issue are:
* app for OS X
* Bloggo
* MarsEdit

Getting around the blocked xmlrpc.php issue

This solution will work perfectly for Bloggo and MarsEdit. Unfortunately App for OS X lacks the necessary flexibility in it’s handling of your blog URL. Simply put, it’s lock into to only look for the xmlrpc.php file by one name and in one place (i.e. it’s designed to only work for a default WordPress installation).

Step 1 – Rename the file

First, you’ll need to rename your xml-roc.php file. Name it anything you like (although make sure it has the .php extension). For example, xmlrpx.php is enough, and that’s the name I will use (as an example) in the rest of the instructions. Obviously, if you use some other alias name, then use that where ever you see xmlrpx.php in this article.

Step 2 – Create an alias

You need to edit the .htaccess file in your site’s root directory. Do this in your preferred FTP client, or via SSH.

Somewhere near the top, add the following line to the .htaccess file. This instruction applies to any server with Apache, and requires mod_alias to be activated (it typically is). Replace xmlrpx.php with whatever you named your xmlrpc.php file.

# Redirect renamed xmlrpc file
<IfModule mod_alias.c>
RewriteEngine On
RewriteRule ^xmlrpc\.php?$ xmlrpx.php$1 [NC,L]

What this does is instruct Apache to use xmlrpx.php as an alias for xmlrpc.php. When a host blocks access to xmlrpc.php, it’s typically done by setting a rule in the server firewall to block all requests to that filename. But because you are using an alias to access that filename, the firewall rule. Simple.

Step 3 – Set up your desktop blog application


In MarsEdit or Blogo (or whichever Desktop client you are using, if possible) you will need to edit your blog settings (if it’s already set up) or add a new blog. Either way, bring up the blog settings dialogue, and set it up as follows:

Use the xmlrpx.php alias in the API Endpoint URL setting.

That’s it. MarsEdit should now have no issue finding and accessing your firewall protected xmlrpc.php file.


If you have already created an account in Blogo you’ll need to just delete it, and create a new one. It does not let you edit the API Endpoint, so we have to trick it into using the alias.

Add a new blog account, and use the following URL structure:

Blogo will now look to the alias for the xmlrpc.php endpoint. You’re all done.

Recent Articles


Related Stories

Leave A Reply

Please enter your comment!
Please enter your name here

Stay on op - Ge the daily news in your inbox