XML-RPC is a communication protocol that Jetpack uses to connect your site to WordPress.com. Learn more about XML-RPC and how it powers Jetpack.
What is XML-RPC?
XML-RPC is a protocol that allows communication between your website and external servers. Jetpack uses this protocol to connect your site to WordPress.com. WordPress core has included XML-RPC support since WordPress version 3.4, and it is considered a stable tool. You can learn more about WordPress’s XML-RPC API and how it can be leveraged in the WordPress.org developer resources.
How does XML-RPC work?
With Jetpack, your site becomes an XML-RPC server, so that WordPress.com can communicate with it while it establishes a connection to WordPress.com. Similar to other API implementations, it requires a preset list of procedures that can be called remotely, as well as a specific list of data it can provide.
Is XML-RPC deprecated?
Although XML-RPC has lost popularity, it’s still widely used. While newer APIs are often built upon other standards like REST or GraphQL, XML-RPC is integrated into a huge number of existing systems, so it’s not going anywhere anytime soon.
Is XML-RPC removed from PHP?
The PHP (PECL) XML-RPC extension provides functionality to simplify development of XML-RPC APIs. Beginning with PHP 8.0, the extension is no longer bundled into PHP and needs to be installed separately.
Jetpack does not use this extension. Jetpack sites are not affected by this change. Jetpack includes its own implementation of XML-RPC that does not rely on this PHP extension.
What security concerns are there with using XML-RPC?
Like most technologies, XML-RPC is neither secure nor vulnerable by itself. It all depends on the particular implementation, and Jetpack provides the most secure way to use it.
Typical integrations with an XML-RPC API send a username and password in plain text to facilitate communication between your website and the service leveraging it. This does make the use of this API less secure. However, Jetpack’s XML-RPC integration is different.
How is Jetpack’s XML-RPC integration different?
Jetpack doesn’t send a username and password through any API to connect your site to WordPress.com. Our connection method is different in that we use a token-based system, similar to OAuth. This means that instead of sending a username and password, Jetpack generates a special string called an API signature, which gets attached to all API requests. Before sending the request, the API signature gets encoded using a secret token.
Think of the secret token like a cipher used to turn a message into a secret code. First, the message sender uses that cipher to turn the message into a secret code. Then the message receiver, who also has access to the cipher, can use it to translate the secret code back into the original message. Jetpack’s usage of XML-RPC works very similarly.
The only place that the secret token (a.k.a. the cipher) exists is on your Jetpack site and on the WordPress.com server that your site communicates with. This means that even if the API request were to be intercepted along the way, there wouldn’t be a way to decode the API signature because decoding that API signature requires access to the secret token.
This approach is considered universally safe and reliable, and is in use by other API standards, including REST.
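The shared-secret signing idea described above, sketched as an added example (not Jetpack's own code or its actual wire format): a generic HMAC-SHA256 request signature in which the receiver recomputes the signature with the same secret token and compares, so an intercepted request can be neither altered nor replayed. The canonical string layout, field names, 300-second freshness window, URL and method name are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

MAX_SKEW = 300  # seconds; assumed freshness window, not a Jetpack value

def sign_request(secret_token: bytes, method: str, url: str, body: bytes,
                 timestamp: int, nonce: str) -> str:
    """Return a hex HMAC-SHA256 signature over the request's canonical form."""
    body_hash = hashlib.sha256(body).hexdigest()
    canonical = "\n".join([method.upper(), url, body_hash, str(timestamp), nonce])
    return hmac.new(secret_token, canonical.encode(), hashlib.sha256).hexdigest()

class Verifier:
    """Receiver side: holds the same secret token and remembers seen nonces."""
    def __init__(self, secret_token: bytes):
        self._secret = secret_token
        self._seen = set()  # a real service would expire entries after MAX_SKEW

    def verify(self, method, url, body, timestamp, nonce, signature, now=None):
        now = int(time.time()) if now is None else now
        if abs(now - timestamp) > MAX_SKEW:
            return "stale"
        expected = sign_request(self._secret, method, url, body, timestamp, nonce)
        # Constant-time compare; checked before the nonce cache is touched so
        # unauthenticated requests cannot fill it.
        if not hmac.compare_digest(expected, signature):
            return "bad-signature"
        if nonce in self._seen:
            return "replay"
        self._seen.add(nonce)
        return "ok"

def demo():
    token = secrets.token_bytes(32)           # the shared secret token
    url = "https://example.com/xmlrpc.php"    # constructed sample request
    body = b"<methodCall><methodName>demo.ping</methodName></methodCall>"
    ts, nonce = 1_700_000_000, secrets.token_hex(8)
    sig = sign_request(token, "POST", url, body, ts, nonce)
    v = Verifier(token)
    return [
        v.verify("POST", url, body, ts, nonce, sig, now=ts + 5),         # genuine
        v.verify("POST", url, body, ts, nonce, sig, now=ts + 6),         # replayed
        v.verify("POST", url, body + b" ", ts, nonce, sig, now=ts + 7),  # tampered
        v.verify("POST", url, body, ts, nonce, sig, now=ts + 3600),      # stale
    ]

if __name__ == "__main__":
    print(demo())
```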
What benefits are there to using XML-RPC over the REST API?
For Jetpack, it’s all about stability. Continuing to use XML-RPC means that users who are on older versions of Jetpack can still leverage the features of Jetpack. While we strongly recommend keeping your Jetpack plugin up to date, we understand that isn’t always possible. We don’t want to abandon our users on older versions of the plugin, so we intend to stick with XML-RPC for as long as we can.
If at some point in the future we have to make the transition to the REST API, we will communicate this transition to our users prior to the switch.