What is the reason to disable RSS?

I didn’t get one thing. Why people want to disable RSS? Why you didn’t want users to subscribe to your content via RSS? There are a few die-hard fans of RSS (myself included), who never subscribe to content via email (because many factors). What reason to disable RSS?


Hey @LinasSimonis

We disable RSS because we don’t run blogs at all on the sites in question.
Our content is private and confidential and may very likely contain client information.
RSS is supposed to make it easy for people to follow your content AND for search engines to index it. The content is available in machine-readable format.
EDITED TO ADD LINE: It is also available to anonymous users (so users who are not logged in to your site).

In addition to disabling all RSS feeds, I don’t use posts, I just use pages (or custom post types in some cases), partially for this reason.

@timkaye runs private membership sites, so would be nice to know how he deals with this?

1 Like

This depends on site audience and content strategy.

In general, subscribtion-alike processes had moved to social networks nowadays. An amount of RSS and even email subscribers is rather small comparing to Instagram, Twitter, Youtube etc. Younger audience doesn’t use RSS. So this communication channel is decreasing from year to year and to my opinion has a very small chance to rise again in future.

On the other hand, supporting any technology or channel has costs. Writing posts or newsletters is not always profitable comparing to other ways of communication. We can spend an hour preparing a text, but we also can spend it creating a bright Instagram story, for exmple. And as we always deal with limited resources, we have to choose channels with best ROI and focus on them. It’s much more profitble to strengthen points that are already strong rather than carrying the weak ones by inertia. Although it may seem irrational sometimes until you check the results.

I don’t mean RSS is totally useless. Perhups it’s still a good channel for media, blogging or some types of eCommerce. And plenty of people still love it.

But most of my sites really don’t need RSS functionality as they have no internal blogs and the amount of direct subscribers is 10-100 times smaller than on Instagram account. Keeping RSS (or any other unused piece of code) enabled is excessive as I have no extra human resources to monitor related security issues, possible content duplication, accessability, legacy and other technical aspects. It’s much simplier to disable it and focus on something important.

P.S. Certainly, it’s just an IMHO. I understand that there are other ways and situations and respect any private experience.

1 Like

OK, agree, private sites. But I read constantly suggestion to disable it on public, constantly updated sites.

Options, not decisions!

No, much simpler is to leave it enabled. The RSS functionality is so simple, that I can’t imagine any security issues here. And the only one additional reader can be the next biggest customer one day.

Communication channels diverged, readers will be reached on more and more channels, so the reality is we need more, not less options to subscribe to the content.

Well, let future and petitions system judge us :slight_smile:

We are not suggesting that RSS be removed as an option. :bouquet:
We are suggesting that it be disabled by default.
Or preferably moved into a core plugin.
Because in general businesses need entirely private sites.
And currently, if you want to disable RSS, you need to install a third party plugin, create your own plugin, or clog up your functions.php file.
You will still be able to access RSS functions (with one click!) if you want them.
It is just that the core should only contain things that almost EVERYONE needs. That is not the case for RSS.


Can you explain, please?

Sure @LinasSimonis , but I do suggest we start a new topic since it is more business strategy related. I’ll do that in a General Discussion thread, so it doesn’t clog up team discussions about the Core.
I’ll do that in a few minutes.

Also, it would be nice if a mod can split off the RSS discussion from the one main discussion about blogging features, please?

I would be difficult to find among this thread and I think there is some value to having it easily available to access so people can share their experiences and opinions.
It would be nicer to have it in the Coding Forum, I think. More people would be able to benefit from it there.

It starts here:


@anon71742606: Since you asked, I disable RSS on all my private membership sites. As you have explained, using RSS would cause an information leak which would undermine the purpose of such sites.


Feeds leak usernames. If hackers have your site usernames, hacking the site is 50% easier.


To sum up:

As Code Potent already mentioned, its also a security issue.
But reworking this into a decent, better documented API [1], which is disabled per default (with an option or constant to re-enable it), could get rid of that. One could add standard options about using pseudonymes for authors instead, or just their real names (as long as they differ from their LOGIN names).

The ClassicPress core plugin option seems to be the best, because then one also is able to much easier fork the feature, and then improve it. Or just add helpful stuff for better control, security fixes and PR / sync it with its core plugin main branch.

The essential thoughts behind this are similar to WP Feature plugins, but not neccessarly that nasty and adversarial (think “Gutenberg”).

cu, w0lf.

[1] On a side note: Its already one, but poorly documented. I’ve just started a fork / partial rewrite of the JSONFeed for WordPress plugin (with focus on ClassicPress, of corpse :smiley: ) , so I’ve necessarly had to dig deeper into that topic.


Hey Wolf,

I use nicknames on all of my installations, but nickname registration is a real pain.
So, if you’re looking into pseudonyms, perhaps it may be a good touch-point to force nicknames for registration, if the option to “anonymize” the RSS is ticked?
Or preferably, an option to force nicknames regardless?

1 Like

For me the core plugin option - other than forking - can lead to major opportunities to improve that feature. I like to use RSS? That plugin can bring that feature and extend it as much as possible without having to worry to have “heavy” code.


Agree, that RSS as the core plugin is the best option.

Not sure about the real security improvement when usernames are hidden. IMHO, in most real life situations this is a questionable. Being on the paranoid side, I’m forcing everyone to use at least 30 characters random passwords with lowercase/caps/numbers/symbols. Plus some paranoid security options (Citadel mode after 3 wrong attempts (WP Cerber plugin), and good luck, hackers.

But still, core RSS plugin with configuration options is the best solution.

The problem is that that is not realistic in an organizational business context.
If you force someone to use 30 character passwords, I PROMISE you that it is going to be written on a paper and taped to the person’s desk at the office.
It is not just about keeping hackers out, it is also about making sure that employees don’t use the system maliciously, particularly not with someone else’s credentials.


I am so nasty, that require to send to me a .kdb file to prove they installed KeePass. After installing it is easier to use it than not to use. Autotype function is fantastic.

Also, using KeePass, it is easy to use obscure usernames, like the same 30 char. low/caps/numb/symb. If this can be possible one day (preserving the real usernames), this can be the real improvement to the security.

But I am not a developer, so it can be hard to implement this tactic on the large scale.