
Removing the ability to disable XML-RPC in emergency release 5.0.3

This entry was posted in Wordfence, WordPress Security on April 10, 2014 by mark

We screwed up. Wordfence 5 was a very big release for us and in our haste to get it out the door we didn’t sufficiently test one of the features we added towards the end of the development cycle: The ability to disable XML-RPC.

Turns out that adding this feature and turning it on by default broke many users' ability to remotely publish to their sites along with several mobile apps.

To fix this we just put out Wordfence 5.0.3 which has only one difference: We have completely removed the ability to disable XML-RPC.

We did this after some feedback from the community and WordPress core developers.

So how do we prevent this from happening in the future? We’re going to take a long hard look at the process we use to evaluate whether or not to add a feature and include it in a particular release. And we’re going to reevaluate our software quality assurance processes and procedures.

Wordfence has grown up into a very popular product and is used by tens of thousands of WordPress publishers to keep their sites safe, secure and now with Wordfence 5, fast. It’s time we take our company through the next stage in its evolution so that it keeps pace with the demands of our large user-base.

So, from me, Mark Maunder, the creator of Wordfence and lead developer, please accept my sincere apology for any inconvenience caused by us including this feature. Wordfence 5.0.3 fixes the issue and I can assure you that we’re focused on fixing the larger issue of delivering enterprise-ready, rock-solid and well-tested software.

Expect more on this in the near future as we work with the community to improve our testing and release process.


Mark Maunder – Wordfence founder and Feedjit Inc CEO.






5 Comments on "Removing the ability to disable XML-RPC in emergency release 5.0.3"

César April 11, 2014 at 8:16 am

And why not leave the option disabled?

I use it and now I can't update until I find an alternative.

mark April 11, 2014 at 9:16 am

We'll probably add it back in the next release and make darn sure it's off by default.



Keith Davis April 11, 2014 at 2:09 pm

Hi Mark
I don't use Wordfence but I heard about this over on the WordPress Tavern blog.

These things happen but not all plugin devs sort out the problem as quickly and graciously as you have done.

Well done for that and I may give the plugin a try.

mark April 11, 2014 at 3:06 pm

Thanks Keith.

Oscar April 22, 2015 at 9:50 am

So can you clarify... how do we get this option back? The option to enable/disable is not in your plugin (free), or in my native dashboard even after I remove your plugin. This should always be an option since you don't "create" this feature, you shouldn't disable it or change the status of it unless explicitly requested.
