WordPress is not only a simple blogging tool but one of the most useful CMS to manage the website content. There are several reasons for WordPress popularity but one of them is the feature provided by such a very small blogging tool. XML-RPC is one of them. If you have created your website using WordPress and want any of your remote application to interact then you can do it via the XML-RPC method. WordPress has exposed various RPC method which you can invoke from other systems. Also, you can write your own custom XML-RPC method in your WordPress. In this tutorial, we will explore various aspect of WordPress XML-RPC API. We will also check how to call WordPress XML-RPC API method from your PHP Code. We will also explore on how to write own RPC method in WordPress.
What is XML-RPC
XML-RPC is a way to communicate with other systems, or in other words, we can say that XML-RPC is a mechanism to exchange information with the remote system. In XML-RPC XML stand for eXtensible Markup Language, and RPC stands for Remote Procedure call.
With the help of XML-RPC, we can remotely call any procedure available in any system. In XML-RPC we do nothing but hit or call remote server URL with some specific information which is accepted by the system. In XML-RPC information is send to remote server in XML format.
You can read full specification of XML-RPC on scripting.com.
WordPress provides a long list of XML-RPC API which you can call from any remote system.
We can use XML-RPC in most of the programming language like PHP, Java, Python etc.
How to Call WordPress XML-RPC API
Calling WordPress XML API is very easy. All we need to do is to POST data WordPress XML-RPC URL with API call detail in XML.
Calling WordPress XML-RPC API using command line curl utility:
First we need to create an XML file with parameters which we will post on XML-RPC URL. For example, to get all authors of your website you need to pass below information in your XML
- Blog ID
- Username
- Password
So below is the XML i have saved below XML on location /tmp/test.txt
<?xml version="1.0" encoding="iso-8859-1"?>
<methodCall>
<methodName>wp.getAuthors</methodName>
<params>
<param><value>1</value></param>
<param><value>admin</value></param>
<param><value>admin</value></param>
</params>
</methodCall>
Now we need to post the above XML file to the WordPress XML-RPC endpoint. I have installed my wordpress on http://localhost/wordpress so for me the endpoint URL is http://localhost/wordpress/xmlrpc.php. So below is the URL call for getAuthors RPC method:
curl --data @/tmp/test.txt http://localhost/wordpress/xmlrpc.php
Output for my call is below with 2 user information:
<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
<params>
<param>
<value>
<array><data>
<value><struct>
<member><name>user_id</name><value><string>1</string></value></member>
<member><name>user_login</name><value><string>admin</string></value></member>
<member><name>display_name</name><value><string>admin</string></value></member>
</struct></value>
<value><struct>
<member><name>user_id</name><value><string>2</string></value></member>
<member><name>user_login</name><value><string>test</string></value></member>
<member><name>display_name</name><value><string>test user</string></value></member>
</struct></value>
</data></array>
</value>
</param>
</params>
</methodResponse>
Calling WordPress XML-RPC API using using PHP script:
Let us take the same above example of RPC method and call form PHP script:
<?php
$request = xmlrpc_encode_request("wp.getAuthors", array(1, 'admin', 'admin'));
$context = stream_context_create(array('http' => array(
'method' => "POST",
'header' => "Content-Type: text/xml",
'content' => $request
)));
$file = file_get_contents("http://localhost/wordpress/xmlrpc.php", false, $context);
$response = xmlrpc_decode($file);
if ($response && xmlrpc_is_fault($response)) {
trigger_error("xmlrpc: $response[faultString] ($response[faultCode])");
} else {
print_r($response);
}
Above XML-RPC method consumption call is using PHP xmlrpc extension which is currently experimental. In production, use code use at your own risk.
Create WordPress XML-RPC API Method
WordPress also provides method to extend its RPC framework so that you can create your own XML-RPC method in your WordPress. In this section we will explore on how to create your own XML-RPC API method in WordPress. For XML-RPC wordpress provides very great flexibility to extends the RPC system so that you can define your own function.
Let us add an RPC method in our WordPress using plugin.
<?php
/*
Plugin Name: RPC Test
Description: XML RPC Test
Author: Ankur
Version: 1.6
Author URI: https://www.techflirt.com
*/
//real RPC MEthod
function multiply_number( $args ) {
$number1 = (int) $args[0];
$number2 = (int) $args[1];
return $number1 * $number2;
}
//function called on hook
function techflirt_new_rpc_method( $methods ) {
$methods['techflirt.multiply_number'] = 'multiply_number';
return $methods;
}
//Filter to add XML RPC Method
add_filter( 'xmlrpc_methods', 'techflirt_new_rpc_method');
Above code will create a method multiply_number in namespace techflirt. Method multiply_number will accept two parameter and multiply it and returns. But whats about security? techflirt.multiply_number can be called by anyone.
Add authentication method in your RPC :
<?php
/*
Plugin Name: RPC Test Secure
Description: XML RPC Test Secure
Author: Ankur
Version: 1.6
Author URI: https://www.techflirt.com
*/
//real RPC MEthod
function get_all_post( $args ) {
global $wp_xmlrpc_server;
$wp_xmlrpc_server->escape( $args );
$blog_id = $args[0];
$username = $args[1];
$password = $args[2];
if ( ! $user = $wp_xmlrpc_server->login( $username, $password ) ){
return $wp_xmlrpc_server->error;
}
return get_pages();
}
//function called on hook
function techflirt_new_secure_rpc_method( $methods ) {
$methods['techflirt.getAllPost'] = 'get_all_post';
return $methods;
}
//Filter to add XML RPC Method
add_filter( 'xmlrpc_methods', 'techflirt_new_secure_rpc_method');
You can also remove any WordPress XML-RPC API using filter xmlrpc_methods for example:
//function called on hook
function techflirt_new_secure_rpc_method( $methods ) {
unset($methods['techflirt.getAllPost']);
return $methods;
}
//Filter to add XML RPC Method
add_filter( 'xmlrpc_methods', 'techflirt_new_secure_rpc_method');
You can also create your own XML-RPC system and hook to wordpress using filter wp_xmlrpc_server_class.
Existing XML-RPC Api method in Worpress
In WordPress pre-built class which handle default XML-RPC function is wp_xmlrpc_server. Class wp_xmlrpc_server is available in file wp-includes/class-wp-xmlrpc-server.php. Also object of wp_xmlrpc_server is available in global variable $wp_xmlrpc_server. Property $wp_xmlrpc_server->methods contains all prebuit worpress xml-rpc api method. Below is the code snippet which contains name defination of all pre-built RPC API in WordPress:
$this->methods = array(
// WordPress API
'wp.getUsersBlogs' => 'this:wp_getUsersBlogs',
'wp.newPost' => 'this:wp_newPost',
'wp.editPost' => 'this:wp_editPost',
'wp.deletePost' => 'this:wp_deletePost',
'wp.getPost' => 'this:wp_getPost',
'wp.getPosts' => 'this:wp_getPosts',
'wp.newTerm' => 'this:wp_newTerm',
'wp.editTerm' => 'this:wp_editTerm',
'wp.deleteTerm' => 'this:wp_deleteTerm',
'wp.getTerm' => 'this:wp_getTerm',
'wp.getTerms' => 'this:wp_getTerms',
'wp.getTaxonomy' => 'this:wp_getTaxonomy',
'wp.getTaxonomies' => 'this:wp_getTaxonomies',
'wp.getUser' => 'this:wp_getUser',
'wp.getUsers' => 'this:wp_getUsers',
'wp.getProfile' => 'this:wp_getProfile',
'wp.editProfile' => 'this:wp_editProfile',
'wp.getPage' => 'this:wp_getPage',
'wp.getPages' => 'this:wp_getPages',
'wp.newPage' => 'this:wp_newPage',
'wp.deletePage' => 'this:wp_deletePage',
'wp.editPage' => 'this:wp_editPage',
'wp.getPageList' => 'this:wp_getPageList',
'wp.getAuthors' => 'this:wp_getAuthors',
'wp.getCategories' => 'this:mw_getCategories', // Alias
'wp.getTags' => 'this:wp_getTags',
'wp.newCategory' => 'this:wp_newCategory',
'wp.deleteCategory' => 'this:wp_deleteCategory',
'wp.suggestCategories' => 'this:wp_suggestCategories',
'wp.uploadFile' => 'this:mw_newMediaObject', // Alias
'wp.deleteFile' => 'this:wp_deletePost', // Alias
'wp.getCommentCount' => 'this:wp_getCommentCount',
'wp.getPostStatusList' => 'this:wp_getPostStatusList',
'wp.getPageStatusList' => 'this:wp_getPageStatusList',
'wp.getPageTemplates' => 'this:wp_getPageTemplates',
'wp.getOptions' => 'this:wp_getOptions',
'wp.setOptions' => 'this:wp_setOptions',
'wp.getComment' => 'this:wp_getComment',
'wp.getComments' => 'this:wp_getComments',
'wp.deleteComment' => 'this:wp_deleteComment',
'wp.editComment' => 'this:wp_editComment',
'wp.newComment' => 'this:wp_newComment',
'wp.getCommentStatusList' => 'this:wp_getCommentStatusList',
'wp.getMediaItem' => 'this:wp_getMediaItem',
'wp.getMediaLibrary' => 'this:wp_getMediaLibrary',
'wp.getPostFormats' => 'this:wp_getPostFormats',
'wp.getPostType' => 'this:wp_getPostType',
'wp.getPostTypes' => 'this:wp_getPostTypes',
'wp.getRevisions' => 'this:wp_getRevisions',
'wp.restoreRevision' => 'this:wp_restoreRevision',
// Blogger API
'blogger.getUsersBlogs' => 'this:blogger_getUsersBlogs',
'blogger.getUserInfo' => 'this:blogger_getUserInfo',
'blogger.getPost' => 'this:blogger_getPost',
'blogger.getRecentPosts' => 'this:blogger_getRecentPosts',
'blogger.newPost' => 'this:blogger_newPost',
'blogger.editPost' => 'this:blogger_editPost',
'blogger.deletePost' => 'this:blogger_deletePost',
// MetaWeblog API (with MT extensions to structs)
'metaWeblog.newPost' => 'this:mw_newPost',
'metaWeblog.editPost' => 'this:mw_editPost',
'metaWeblog.getPost' => 'this:mw_getPost',
'metaWeblog.getRecentPosts' => 'this:mw_getRecentPosts',
'metaWeblog.getCategories' => 'this:mw_getCategories',
'metaWeblog.newMediaObject' => 'this:mw_newMediaObject',
// MetaWeblog API aliases for Blogger API
// see http://www.xmlrpc.com/stories/storyReader$2460
'metaWeblog.deletePost' => 'this:blogger_deletePost',
'metaWeblog.getUsersBlogs' => 'this:blogger_getUsersBlogs',
// MovableType API
'mt.getCategoryList' => 'this:mt_getCategoryList',
'mt.getRecentPostTitles' => 'this:mt_getRecentPostTitles',
'mt.getPostCategories' => 'this:mt_getPostCategories',
'mt.setPostCategories' => 'this:mt_setPostCategories',
'mt.supportedMethods' => 'this:mt_supportedMethods',
'mt.supportedTextFilters' => 'this:mt_supportedTextFilters',
'mt.getTrackbackPings' => 'this:mt_getTrackbackPings',
'mt.publishPost' => 'this:mt_publishPost',
// PingBack
'pingback.ping' => 'this:pingback_ping',
'pingback.extensions.getPingbacks' => 'this:pingback_extensions_getPingbacks',
'demo.sayHello' => 'this:sayHello',
'demo.addTwoNumbers' => 'this:addTwoNumbers'
);
Disabling or Protecting WordPress XML-RPC method
As you have seen that XML-RPC can be called several time using the script very easily, also WordPress XML-RPC has some methods like delete post or delete category which are very sensitive. So protection of the XML-RPC is always advisable. Also if you do not want anyone to use XML-RPC then please make it unavailable for word.
Block/disable your wordpress xml-rpc api : Please enter following line in your wordpress .htaccess file to block XML-RPC call in your site:
<Files xmlrpc.php>
order deny,allow
deny from all
allow from none
</Files>
Allowing XML-RPC call from specific IP
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
The post WordPress XML-RPC API Tutorial & Example appeared first on TechFlirt.