Defender pingbacks/trackbacks issue

When I’m disabling pingbacks/trackbacks under Defender security tweaks, XML-RPC also gets disabled. The same happens while I’m disabling XML-RPC: pingbacks/trackbacks get disabled. I would like to keep XML-RPC enabled, not pingbacks/trackbacks.

Also, it would be ideal if it were possible to have XMLRPC off as default for all sites on the network except the one or two that need it for publishing apps or external services like IFTTT.

  • Adam Czajczyk
    • Support Gorilla

    Hi RavanH

    I hope you’re well today and thank you for your question!

    The “pingback/trackback” functionality is actually using/based on XML-RPC so it wouldn’t be possible to turn XML-RPC off while keeping the “pingback/trackback” on. However, it is possible to disable only “pingback/trackback” without disabling XML-RPC entirely.

    I think you might want to take a look at this post which explains how Defender is handling this:

    https://premium.wpmudev.org/forums/topic/disabled-xml-rpc#post-1350227

    That being said, if you only enable “Disable Pingback and Trackback”, it does indeed seem to also disable XML-RPC and I admit I’m not sure if that’s on purpose or if it’s more of a “wrong indication” of tweaks applied. Therefore, I asked our developers in charge of the plugin for consultation on this and am awaiting their response.

    Please keep an eye on this ticket and I’ll update you here as soon as possible.

    Best regards,

    Adam

  • RavanH
    • The Crimson Coder

    Hi Adam, what I was hoping to do is disable ping/trackback while keeping XMLRPC open but Defender does not let me do that. The inverse neither (xmlrpc closed while only pings open) although from https://premium.wpmudev.org/forums/topic/disabled-xml-rpc#post-1350227 that is actually possible (by blocking all xmlrpc methods except pingback) — but I’m not really interested in that.

    The ideal would be to be able to set XMLRPC closed for all sites in the network by default, but opened for only a few where site admin needs it for IFTTT or post app. That way, most of the sites will not suffer any attacks by XMLRPC while still allowing it for some (on request, for example, or by allowing it as an option in their site admin)… but since this is not possible, I now need to open up XMLRPC for the whole network (because of one site) and it turns out I have to allow pingbacks for all sites as well :slight_frown:

    I hope it’s a bug, and not by design…

  • Adam Czajczyk
    • Support Gorilla

    Hello RavanH

    Thanks for your response.

    I think I should explain a bit more what I meant. What’s said in the ticket that you linked to is true but I probably wasn’t specific enough: you cannot disable XML-RPC and keep the pingbacks/trackbacks – I mean by this disabling XML-RPC entirely. Disabling some of its “methods” – yes, that can be done and that does indeed let you keep “pingbacks/trackbacks” enabled. I think the confusion is because both these things are commonly referred to as disabling “XML-RPC” while it’s not exactly the same :slight_smile:

    But that’s just a side note. When Defender disables XML-RPC, trackbacks/pingbacks are disabled as a consequence because they rely on the XML-RPC protocol. This is not really a bug, it only means that XML-RPC was properly and entirely disabled.

    Disabling only pingbacks/trackbacks, however, should not be disabling XML-RPC entirely. And also, taking into account that we do have both these options in Defender, it would actually make sense, in my opinion, to do it the way you say/suggest: for the “Disable XML-RPC” tweak, disable all its methods except for those related to pingbacks and trackbacks, and for the pingback/trackbacks tweak only disable pingbacks/trackbacks while keeping the rest intact – that sounds like a logical thing to do :slight_smile:

    To sum it up, I think I might have caused some small confusion (unintentionally) with my initial response but, as I already mentioned, I’ve asked one of the Defender developers to take a look into it. It’s the weekend and some of the developers are not working over weekends so I’m still waiting for the response but I’ll update you here as soon as I hear back from him.

    Have a great day,

    Adam

  • RavanH
    • The Crimson Coder

    Hi Adam, yes I understand :slight_smile: thanks for clearing it up even further.

    One more case: Jetpack relies on XMLRPC too apparently. Not sure which methods specifically but I will need to allow Jetpack to work properly on the entire network. So maybe an additional feature request: allow Jetpack specific XMLRPC requests… Or maybe allow XMLRPC requests from specific IP addresses?
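
The setup asked for in this thread (XML-RPC closed by default across a multisite network, open on a few sites, pingbacks/trackbacks off everywhere), sketched with WordPress core filters as a must-use plugin. This is an added example, not part of the original posts and not Defender's code; the file name, function name, constant and site IDs are assumptions.

```php
<?php
/**
 * Plugin Name: XML-RPC per-site allow-list (added example)
 * Hypothetical mu-plugin, e.g. wp-content/mu-plugins/xmlrpc-allowlist.php.
 */

// Assumption: blog IDs of the sites that need XML-RPC (constructed values).
const XMLRPC_ALLOWED_SITES = array( 3, 12 );

// True when the site handling the current request is on the allow-list.
function xmlrpc_allowlist_site_allowed() {
    return in_array( get_current_blog_id(), XMLRPC_ALLOWED_SITES, true );
}

// Authenticated methods (publishing apps, IFTTT): enabled only on allow-listed sites.
add_filter( 'xmlrpc_enabled', 'xmlrpc_allowlist_site_allowed' );

// 'xmlrpc_enabled' only governs methods that require authentication, so
// pingback.ping would stay reachable. Filter the method table itself.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    if ( ! xmlrpc_allowlist_site_allowed() ) {
        return array(); // closed site: empty the WordPress method table
    }
    // Open site: drop only the pingback methods, keep the rest intact.
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
} );

// Refuse incoming pingbacks and trackbacks on every site in the network.
add_filter( 'pings_open', '__return_false' );

// Do not advertise the pingback endpoint in response headers.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

Jetpack's own XML-RPC methods are not listed in the thread, so this sketch does not try to allow them separately; a site that runs Jetpack would need to be on the allow-list.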
