X-Pingback and XMLRPC

According to an old post, "How to secure WordPress XMLRPC?", every API requires authentication.

So, what is the point of adding X-Pingback in every public request?

    curl -I http://ma.tt
    ..
    X-Pingback: http://ma.tt/blog/xmlrpc.php
    Content-Type: text/html; charset=UTF-8
    ..


1 comment

  1. I think that when talking about XMLRPC in the context of WordPress you usually mean to talk about authoring tools utilizing the XMLRPC protocol, and not about the protocol in general.

    In the case of pingbacks and trackbacks, the XMLRPC protocol is utilized to send content (a comment) to your site by some other entity, which is probably doing it in some automatic way. That entity needs to know the endpoint to which to send its request based on the address of the page where the comment should be published; therefore you need to be able to retrieve the address of the endpoint from the URL of the page, and this is done by the page adding the address as an HTTP header (maybe it can also be done by adding a meta tag to the HTML).

    TL;DR: the HTTP header is related to supporting pingbacks, which work in a different way than XMLRPC-based publishing.

    Unfortunately, even when pingbacks and trackbacks are disabled, the HTTP header is being sent. If you want to disable it, add the following code to your theme's functions.php (taken from here):

    function remove_x_pingback($headers) {
        unset($headers['X-Pingback']);
        return $headers;
    }
    add_filter('wp_headers', 'remove_x_pingback');
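
To check from the outside whether a page still advertises its pingback endpoint after the filter is installed, the following Python is an added example, not code from the original post or comment. It looks at both places the Pingback 1.0 autodiscovery rules allow: the `X-Pingback` header and a `<link rel="pingback">` element. The host `blog.example.test` and both sample responses are constructed, and the second one assumes a theme template that still prints the link element.

```python
from email.parser import Parser
from html.parser import HTMLParser

class _PingbackLinkFinder(HTMLParser):
    """Collects href values of <link rel="pingback"> elements."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = {k: (v or "") for k, v in attrs}
        # rel is a space-separated token list, matched case-insensitively
        if "pingback" in a.get("rel", "").lower().split() and a.get("href"):
            self.hrefs.append(a["href"])

def find_pingback_endpoints(raw_response):
    """Return the endpoint advertised by header and by <link> element(s)."""
    head, _, body = raw_response.replace("\r\n", "\n").partition("\n\n")
    _status, _, header_block = head.partition("\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    finder = _PingbackLinkFinder()
    finder.feed(body)
    # Header lookup is case-insensitive, so "x-pingback" is found too.
    return {"header": headers.get("X-Pingback"), "link": finder.hrefs}

def advertises_pingback(raw_response):
    found = find_pingback_endpoints(raw_response)
    return found["header"] is not None or bool(found["link"])

# Constructed sample responses (not captured from a real site).
ENDPOINT = "https://blog.example.test/xmlrpc.php"
PAGE = '<html><head><link rel="pingback" href="%s"></head></html>' % ENDPOINT
BEFORE_FILTER = ("HTTP/1.1 200 OK\r\n"
                 "x-pingback: " + ENDPOINT + "\r\n"
                 "Content-Type: text/html; charset=UTF-8\r\n\r\n" + PAGE)
# Header removed by the wp_headers filter, link element still in the HTML.
AFTER_FILTER = ("HTTP/1.1 200 OK\r\n"
                "Content-Type: text/html; charset=UTF-8\r\n\r\n" + PAGE)
# Header removed and no link element in the page.
CLEAN = ("HTTP/1.1 200 OK\r\n"
         "Content-Type: text/html; charset=UTF-8\r\n\r\n"
         "<html><head></head></html>")

if __name__ == "__main__":
    for name, resp in [("before", BEFORE_FILTER), ("after", AFTER_FILTER),
                       ("clean", CLEAN)]:
        print(name, find_pingback_endpoints(resp))
```

In the second sample the header is gone but the page is still reported as advertising the endpoint, which is the case to look for when auditing a site after removing only the header.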