Security Rename

Hello Community, I noticed that some feature requests don’t cover all users.

My first request is to keep the XML-RPC feature integrated, but with the possibility to customize the access URL, and the ClassicPress core obfuscates this custom URL in the code, just like the Hide WP plugins. The same applies to theme and plugin URLs. In this way, the ClassicPress framework is intact, but in the code shown, customizations made by the user would be present, which will certainly greatly increase security.

Example: URL /themes/blue butterfly

On the code obfuscation screen, there would be the option, themes, is a field to enter the modified (obfuscated) URL
Rename theme URL: /SwanaZulMinotaur

Rename the child theme URL:

/custom URL name.

The same for plugins, with the option to rename automatically or manually for each plugin. Even when a new plug-in is installed, the URL is automatically renamed and can be manually modified by the user.

The same for login and new user registration URLs.

Please keep ClassicPress as it is. Clean, light and just the foundation of the CMS

Another option that would make it much easier is to add an option for each page and post: noindex so that we can manage, which pages and posts can be indexed or not, in search engines.

Finally, provide a general field to insert meta tags in the header or footer.

Hi. Welcome to the ClassicPress community.

One thing you should know is that a single petition should (ideally) only address a single feature request, so that it is more manageable.

I’m not a developer, so I can only give you a couple of comments.

  1. XML-RPC is deprecated, and it is already being considered (planned?) to move it out of the CP core, and to make it a “core plugin” instead. But this is still in a future version of CP.

  2. I can’t speak for everyone, but I think that the community in general doesn’t believe in “security by obfuscation.” It is far better to use strong passwords to protect CP, and to apply security hardening, especially on the server level.


Hello! Thank you very much! Tell me, why would XML-RPC be obsolete? In IOS, for example, WordPress Mobile is widely used, and on Android, millions of users manage their websites through it. Is there another way to connect? I update my website 90% of the smartphone. The issue of obfuscation improves privacy. For example, it’s very difficult to find out which plugins you use. Strong passwords do help, but better than “not finding a needle in a haystack, it’s not even seeing where the haystack is”, do you agree?

XML-RPC has been superseded by the REST API.

Obfuscation is a waste of time because hackers do not first attempt to find out what software is being run on a site and then attempt to hack it accordingly. They simply set up bots to attempt generic hacks. If there’s a security problem on a site that a bot tries to hack, and the bot is programmed to seek it out, then obfuscating the code won’t make any difference to the outcome.

Hello, thank you very much for contributing. But by disabling XML-RPC, the WordPress mobile app, doesn’t access the site. I took the test here. What do you suggest?

I don’t know. I don’t use that app.

So you just understood, why can’t you delete XML-RPC? Many, many users around the world, just like me use it!

No-one has suggested deleting XML-RPC!

What is being planned is that it (and several other things) are moved into plugins. We call them core plugins. This will mean the majority who don’t use them won’t get redundant code on their sites, while those who do use them will carry on as before.

So, I think it’s totally unnecessary to create “another plugin” to run the backend. Nothing like a native function. Plugins running on the Backend usually require hooks in the code, if they are not well sized, they will never have the efficiency of native code. In the race to simplify, we have to be careful not to complicate.

It’s not “running the backend”. XML-RPC just provides an API which, for the vast majority of users, is completely redundant (and a source of security issues).

As you wish. In the meantime, I’m still on WordPress.

I thought you were interested in improving security.

Core plugins are not regular plugins. They are native functionality. They will be natively integrated before any other plugins or themes load, just like they are in the core now. They will also have their own screen/section separate from regular plugins.

There will be no difference in performance between loading XML-RPC today and when it moves into a core plugin. But it will improve security as it can easily be deactivated, it also reduces core code so better for maintainability. If you need it, it’s there. If you don’t, it’s not and your website is more secure. XML-RPC will eventually leave WP core, it’s just a matter of time as everyone switches to API.

Comparing core plugins to regular plugins is comparing apples to oranges. They’re are not the same.

I hope that explains it better. Hence, I will close this petition.

1 Like

This topic was automatically closed after 3 days. New replies are no longer allowed.