Opened 10 years ago

Closed 6 years ago

#18731 closed enhancement (fixed)

The XML-RPC Endpoint filename is hardcoded in the code (aka: my Host Blocks XML-RPC Access!)

Reported by: daniloercoli
Owned by:
Milestone: 3.5
Priority: normal
Severity: normal
Version: 3.2
Component: XML-RPC
Keywords: westi-likes has-patch needs-refresh dev-feedback
Focuses:
Cc:

Description

It's impossible to rename the file 'xmlrpc.php' to something different (e.g. when your hosting provider blocks access to the xmlrpc.php file) since the prefix "xmlrpc.php" is hardcoded within the src code. You can rename the file but the XML-RPC call wp.getUsersBlog always returns the hardcoded URL.

Same issue for the pingback link and the EditURI link.

We published a plugin that should help users for the time being:
http://wordpress.org/extend/plugins/rename-xml-rpc/

Change History (20)

#1 follow-up: @westi
10 years ago

  • Keywords westi-likes added
  • Milestone changed from Awaiting Review to Future Release
  • Priority changed from normal to high
  • Severity changed from normal to major
  • Version set to 3.2

I think we should maybe come up with an alternative endpoint name for WordPress in general.

Maybe we could support http://example.com/?xmlrpc=1 and http://example.com/xmlrpc/ as endpoints in core for the rewrite less and rewrite full use cases.

It seems to be common unfortunately for hosts to block the filename xmlrpc.php.

#2 in reply to: ↑ 1 @daniloercoli
10 years ago

> Maybe we could support http://example.com/?xmlrpc=1 and http://example.com/xmlrpc/ as endpoints in core for the rewrite less and rewrite full use cases.

This would be fine, but probably we should also support http://example.com/?rsd=1 and http://example.com/rsd/ as RSD endpoints in core.

#3 @josephscott
10 years ago

  • Cc josephscott added

If we are going to do this we should probably look at filtering all of the 'xmlrpc.php' values. Perhaps an 'xmlrpc_file_name' filter?

#4 @nacin
10 years ago

We'll probably want to introduce get_xmlrpc_url( $type = '' ), where 'type' can become 'rsd'.

#5 @markoheijnen
10 years ago

  • Cc marko@… added

#6 @ericmann
9 years ago

  • Cc eric@… added

#7 @wonderboymusic
9 years ago

  • Keywords has-patch added; needs-patch removed
  • Milestone changed from Future Release to 3.5

Took a stab at this, most of the URLs were obtained using different flavors of site_url().

The only bizarre one was wp_xmlrpc_server::_multisite_getUsersBlogs() which appears to be trying to support a network of many sites which have many blogs. site_url() should work in this scenario as well.

Adds function: get_xmlrpc_url( $type = '' ) which is filtered by 'xmlrpc_url'

#8 @nacin
9 years ago

Actually, I think this can be done a bit easier. There's an rpc "scheme" we pass to site_url() et al, which is used for forcing SSL when SSL login or admin is forced.

We should just always pass 'rpc' as the scheme to site_url(), which essentially means modifying the two instances in class-wp-xmlrpc-server.php. daniloercoli, that should be enough, no?

#9 @markoheijnen
9 years ago

I was even thinking even more difficult than this. I was thinking about moving all the code from xmlrpc.php to somewhere else and making xmlrpc.php call that code. And then create some kind of endpoint system like /index.php?endpoint=xmlrpc. This way you can even use the rewrite API to have it under another name than usual.

Most likely my mind is thinking more difficult but with this we can have added some steps for a RESTful or JSON API.

#10 @bpetty
9 years ago

  • Keywords punt added
  • Type changed from defect (bug) to enhancement

Sounds like this feature (not a bug) will likely need to be punted from 3.5 in the interest of further discussion about possible new endpoints.

#11 @markoheijnen
9 years ago

  • Keywords punt removed
  • Milestone changed from 3.5 to Future Release
  • Type changed from enhancement to defect (bug)

This is a bug that does need to be fixed. It can result in an enhancement in a better API for new endpoints.
I punted it for now and hopefully this is something that can be discussed at the summit.

#12 @nacin
9 years ago

  • Type changed from defect (bug) to enhancement

This is not a bug. Allowing the endpoint to be changed is an enhancement.

The "bug" here is that some xmlrpc.php references are missing 'rpc'. I'll be fixing that in 3.5, but the rest of this should be punted.

#13 @nacin
9 years ago

In [22171]:

Reference xmlrpc.php with the 'rpc' site_url() argument to ensure a proper scheme is applied. see #18731.

#14 @wonderboymusic
9 years ago

  • Keywords needs-refresh added

#15 @wonderboymusic
9 years ago

Should 'pingback_url' and the RSD <link> be site_url with rpc scheme as well?

#16 @Zengy
8 years ago

  • Keywords dev-feedback added
  • Severity changed from major to trivial

Pingbacks don't require a login/password or https to work, so I don't think this is a necessary fix.

#17 @DrewAPicture
8 years ago

  • Keywords mobile removed
  • Priority changed from high to normal

#18 @markoheijnen
8 years ago

  • Severity changed from trivial to normal

This has nothing to do with login/password or https.

#20 @wonderboymusic
6 years ago

  • Milestone changed from Future Release to 3.5
  • Resolution set to fixed
  • Status changed from new to closed

This has a commit. For edge cases, use the 'site_url' filter.
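
The 'site_url' filter mentioned in the closing comment, sketched as a small plugin. This is an added example, not code from the ticket or from WordPress core. It assumes xmlrpc.php has been copied to a hypothetical file name in the site root, and it only affects URLs that core builds through site_url(), such as the ones changed in [22171].

```php
<?php
/**
 * Plugin Name: Renamed XML-RPC endpoint (added example)
 *
 * Assumption: a copy of xmlrpc.php exists in the site root under the
 * hypothetical file name defined below.
 */

// Hypothetical file name, chosen for illustration only.
define( 'EXAMPLE_XMLRPC_FILE', 'example-rpc-endpoint.php' );

/**
 * Rewrite endpoint URLs generated by site_url( 'xmlrpc.php', ... ).
 *
 * @param string      $url    Complete URL as built by core.
 * @param string      $path   Path argument passed to site_url().
 * @param string|null $scheme Scheme argument, e.g. 'rpc'.
 * @return string Possibly rewritten URL.
 */
function example_rename_xmlrpc_url( $url, $path, $scheme ) {
	$path = ltrim( (string) $path, '/' );

	// Act only on the endpoint file itself, with or without a query
	// string, so unrelated site_url() calls pass through untouched.
	if ( ! preg_match( '#^xmlrpc\.php(\?.*)?$#', $path, $m ) ) {
		return $url;
	}
	$query = isset( $m[1] ) ? $m[1] : '';

	// Another filter may already have changed the URL; rewrite only
	// when it still ends with the path core appended.
	if ( substr( $url, -strlen( $path ) ) !== $path ) {
		return $url;
	}

	// Swap the trailing file name; host and scheme stay as core
	// decided them (including SSL forced via the 'rpc' scheme).
	$base = substr( $url, 0, strlen( $url ) - strlen( $path ) );
	return $base . EXAMPLE_XMLRPC_FILE . $query;
}
add_filter( 'site_url', 'example_rename_xmlrpc_url', 10, 3 );
```

The renamed copy is not touched by core updates, so it has to be refreshed from the shipped xmlrpc.php after each upgrade.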
