BlogRiffer 2.13.4 Works Around HostGator XML-RPC Issue
by Antone Roundy | Blog Riffer
- Added a workaround for a HostGator security setting that was preventing BlogRiffer from publishing to WordPress and other blogs that use the MetaWeblog protocol. (More on that below).
- The Blogger and Tumblr plugins now display a useful error message and instructions when the post editor is opened if BlogRiffer has been connected to a Blogger or Tumblr account, but no blogs have been selected.
- The latest version of CaRP Evolution's YouTube plugin is included in this version, though the changes from the previous version don't affect BlogRiffer.
How to Upgrade
To upgrade from version 2.13.3, upload the following files, overwriting the old files.
It appears that HostGator has blocked scripts running on their servers from making HTTP connections to files named "xmlrpc.php". Apparently, the purpose of this is to prevent people from using their servers to attempt to crack other peoples' WordPress blogs. (It seems there may have been a problem with that a while back.)
As a result, when BlogRiffer is installed on at least some HostGator servers, it is unable to talk to WordPress blogs using the MetaWeblog protocol (WordPress's MetaWeblog protocol endpoint is accessed using a file named "xmlrpc.php".)
If this issue is preventing you from using the MetaWeblog protocol, here's how to work around it.
- First, you'll need to add a "wrapper script" to your WordPress blog. To do that, create a PHP file in your WordPress directory with a name other than "xmlrpc.php" (for example, you might call it "xmlrpc-wrapper.php") with the following contents:
<?php include 'xmlrpc.php'; ?>
- Next, when adding your blog to BlogRiffer, enter the URL of your wrapper file instead of the URL of "xmlrpc.php".
- Also, check the checkbox labelled "Do not allow override of XML-RPC Server URL". (If this checkbox isn't checked, WordPress will tell BlogRiffer to post to xmlrpc.php instead of to your wrapper file, so you'll be able to add your blog, but publishing to it won't work.)
NOTE: doing this does not make your blog less secure. Inbound connections to xmlrpc.php from other servers are not being blocked. So the only effect of adding the wrapper script is to make it possible for HostGator-hosted scripts to connect to your blog, which still requires a username and password, just like it normally does.
The only way this could make it easier for someone to attack your blog is if they already knew that you had created the wrapper script, knew the name of your wrapper script, and were attempting to attack your blog from another HostGator-hosted website. Even then, they'd have to discover your username and password. If they could do all that, it would be easier for them to simply look up your MySQL username and password in your WordPress configuration file and inject a user account into your WordPress blog.