XML-RPC API unbundled from Serendipity 0.9

In the current development version of Serendipity, we have unbundled the XML-RPC API functions from the release version and made the functionality to post entries via XML-RPC (MT/Blogger API) calls available as a additional plugin called Post via XML-RPC (serendipity_event_xmlrpc).

The reason for this is that very few people use XML-RPC posting to our experience, and it is a inherent security risk to have this functionality available if you don't use it, as the past has proven. To overcome this possible vulnerability, you need to now actively install the mentioned plugin to make XML-RPC posting available. Sending and receiving trackbacks is NOT affected by this, only the "Server"-Part of that API is.

The URL for the API endpoings will not change; if you have not installed the plugin, you will see an error message displayed. Outsourcing this functionality as a plugin allows the Serendipity Team to respond easier to new issues with the plugin and make enhancements to the XMLRPC module.

A general advice for Serendipity 0.8.3 users is to remove the serendipity_xmlrpc.php file if you do not use XML-RPC entry posting.


Trackback specific URI for this entry


Display comments as (Linear | Threaded)

Isotopp on at :

What does this technobabble mean?

It means that S9Y 0.8.3 and up will come with a function disabled that you do generally not use. By disabling this normally unused function, S9Y offers one less function to the net that may be used to attack the software. This is generally considered a good thing and a safer default that offering unused and badly maintained functionality.

If you happen to use an external editor on your PC to write your entries for your blog instead of the editor provided by S9Y, then and only then you need to enable the XML-RPC posting plugin. This is not the case for most users of S9Y.

Wesley on at :

Current SVN listing still shows the XML PHP file as part of the trunk as well as the branch. I wonder if they will be removed now?

Garvin on at :

That's intentional. The file is still there, but it has "empty"/dummy content to support the plugin hook.

Jannis on at :

Just like my head.

Keilaron on at :

Stupid question: I use the LJ-post plug-in, which uses XML-RPC to post to LJ. Is this plug-in affected by this change?

Isotopp on at :


Only incoming XML-RPC is affected by this change. We want to avoid to run a server functionality that most installations never use (but must maintain to stay secure).

Outgoing (Client) functionality is not affected.

Add Comment

E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.

BBCode format allowed
Markdown format allowed