Tuesday, September 16, 2008

Wordpress security

I wrote in a rush about testing the blog "desktop clients" last week and I think I didn't make it clear why I was doing all that testing or what the results were. OK, I'll try to summarize it.

My blogs are running on Wordpress on a regular hosting service. I have my own domain names, but I don't have, and don't want to spend money on, digital certificates for them. So, if I want to access my websites over SSL I need to use a "generic" domain name from the service provider, like mydomain.sslpowered.com or something like that. The problem with that is the way Wordpress handles the URL you use to reach it. If my website is on www.securitybalance.com, I can try to access the admin part of wordpress through another URL, like securitybalance.sslpowered.com, but it doesn't work that way. So, how can I post to my blog over a protected connection?

I was reading a lot about some plugins for Wordpress, some mod_rewrite stuff, and other magic stuff. I wasn't feeling very confident about any of those. Then I learned about the XML-RPC interface for Wordpress. It is a webservice used by several platforms as a standard API for blogging. I noticed that the "blogging desktop clients", applications used by those who want to write their posts off-line and upload them later, usually access the blog through that API. What if I tried to call that webservice (wordpress_blog/xmlrpc.php) using my SSL URL? Well, it turns out that it works! I just had to find a good desktop blogging client that could satisfy some personal requirements (running from my portableapps thumb drive), and I ended up with ScribeFire. It goes into Firefox as an add-in, which makes it even easier to use. I tried Zoundry first, but it is vulnerable to a man-in-the-middle attack, as it can't recognize a bogus certificate.

So, the tip for wordpress bloggers is: use ScribeFire with an SSL-protected URL for your XML-RPC API instead of posting through the regular wp-admin interface.
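Here is what that tip looks like in code, as an added example of my own rather than anything from ScribeFire or Wordpress: a small Python client for xmlrpc.php that insists on https and on verifying the certificate, next to the lax setting that would let a bogus certificate through. The SSL host name and the credentials are constructed placeholders; the endpoint path and the metaWeblog.newPost method are the ones the desktop clients use.

```python
import ssl
import xmlrpc.client
from urllib.parse import urlparse

# Constructed values: a hypothetical SSL host from the hosting provider and
# placeholder credentials; the endpoint path is the one from the post.
ENDPOINT = "https://securitybalance.sslpowered.com/wordpress_blog/xmlrpc.php"
USERNAME = "placeholder-user"
PASSWORD = "placeholder-password"

def strict_ssl_context() -> ssl.SSLContext:
    """What a blogging client must do: reject unknown CAs and name mismatches,
    so a bogus certificate fails the handshake instead of being accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def lax_ssl_context() -> ssl.SSLContext:
    """The weak setting: encrypted, but any certificate is accepted, which is
    what leaves a client open to a man-in-the-middle. Here only to be flagged."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before verify_mode changes
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """Vet a context: both the CA chain and the hostname must be verified."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)

def xmlrpc_client(endpoint: str) -> xmlrpc.client.ServerProxy:
    """Client for xmlrpc.php that refuses anything but https, because the
    password travels in the request body (see new_post_request)."""
    if urlparse(endpoint).scheme != "https":
        raise ValueError("not an https URL: " + endpoint)
    return xmlrpc.client.ServerProxy(endpoint, context=strict_ssl_context())

def new_post_request(username: str, password: str, title: str, body: str) -> str:
    """Serialise the metaWeblog.newPost call desktop clients send: blog id,
    username, password, post struct, publish flag. Credentials are plain text."""
    post = {"title": title, "description": body}
    return xmlrpc.client.dumps((1, username, password, post, True),
                               methodname="metaWeblog.newPost")

if __name__ == "__main__":  # live call: needs network access and real credentials
    client = xmlrpc_client(ENDPOINT)
    print(client.metaWeblog.newPost(1, USERNAME, PASSWORD, {"title": "Hello", "description": "Posted over TLS."}, True))
```

Printing new_post_request(...) shows the username and password sitting in the XML body, which is exactly why the transport, not the API, has to provide the protection.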