Title: Secure XML-RPC
Author: Eric Mann
Published: <strong>2014 年 1 月 1 日</strong>
Last modified: 2014 年 8 月 30 日

---

搜索插件

![](https://ps.w.org/secure-xml-rpc/assets/banner-772x250.png?rev=975920)

**该插件尚未通过WordPress的最新3个主要版本进行测试**。 当与较新版本的WordPress一起
使用时，可能不再受到维护或支持，并且可能会存在兼容性问题。

![](https://ps.w.org/secure-xml-rpc/assets/icon-256x256.png?rev=975920)

# Secure XML-RPC

 作者：[Eric Mann](https://profiles.wordpress.org/ericmann/)

[下载](https://downloads.wordpress.org/plugin/secure-xml-rpc.1.0.0.zip)

 * [详情](https://cn.wordpress.org/plugins/secure-xml-rpc/#description)
 * [评价](https://cn.wordpress.org/plugins/secure-xml-rpc/#reviews)
 *  [安装](https://cn.wordpress.org/plugins/secure-xml-rpc/#installation)
 * [开发进展](https://cn.wordpress.org/plugins/secure-xml-rpc/#developers)

 [支持](https://wordpress.org/support/plugin/secure-xml-rpc/)

## 描述

Rather than sending usernames and passwords in plain text with every request, we’re
going to use a set of public/secret keys to hash data and authenticate instead.

On your WordPress profile, you will see a new “Remote Publishing Permissions” section
listing out the applications that have permission to publish, along with their public
and secret keys.

New applications can be added whenever you want. You can also change the names of
applications, or revoke publishing permission by deleting them.

### Additional Information

Lock graphic designed by Scott Lewis from the thenounproject.com

## 屏幕截图

[⌊The new Remote Publishing Permissions area of the user profile.⌉⌊The new Remote
Publishing Permissions area of the user profile.⌉[

The new Remote Publishing Permissions area of the user profile.

## 安装

#### Manual Installation

 1. Upload the entire `/secure-xml-rpc` directory to the `/wp-content/plugins/` directory.
 2. Activate Secure XML-RPC through the ‘Plugins’ menu in WordPress.

## 常见问题

  How do I use the new authorization?

The old username/password paradigm can still be used, but will result in a `X-Deprecated`
header being returned by the server.

From now on, you will send an `Authorization` header. This header will be the publishing
application’s public key, two pipe (`|`) characters, and a hash of the application’s
secret key concatenated with the body of the request.

  How do I generate the message hash?

Say your application has the following information:
 * Public Key: b730db0864b0d4453ba6a26ad6613cd4*
Secret Key: 7647a19f5bf3e9fd001419900ad48a54

And you want to make the following request (whitespace/indentation added for readability,
but is removed when calculating hashes):

    ```
    <?xml version="1.0"?>
    <methodCall>
      <methodName>wp.getPosts</methodName>
      <params>
        <param>
          <value><i4>1</i4></value>
        </param>
        <param>
          <value><string></string></value>
        </param>
        <param>
          <value><string></string></value>
        </param>
      </params>
    </methodCall>
    ```

Note that the second and third parameters (traditionally `username` and `password`)
are empty. Usernames and passwords can still be specified, but will result in the
server returning an `X-Deprecated` header.

Your Authorization header would thus become:

    ```
    b730db0864b0d4453ba6a26ad6613cd4||3fac15f99f7a178f922bcc4942e62dc9001b2a45118fc3a6f3aebd77d25f4d58
    ```

The second part of the header is generated in PHP by calculating:

    ```
    hash( 'sha256', '7647a19f5bf3e9fd001419900ad48a54' . hash( 'sha256', '7647a19f5bf3e9fd001419900ad48a54' . {request_body} ) )
    ```

WordPress will read the header and log you in as usual, but you never need to send
your password across the wire.

In this paradigm, application secret keys should _also_ be treated as passwords –
they are sensitive information!

  Why are we using the secret key twice?

Some developers raised concerns about [length extension attacks](https://blog.whitehatsec.com/hash-length-extension-attacks/)
in previous editions of the plugin. While length extension isn’t strictly necessary
when dealing with XML-based messaging, a double hash helps end the discussion around
potentially-related vulnerabilities.

The double-hash is similar to but simpler than HMAC and is fairly easy to implement
in any programming language. Just note, PHP’s `hash()` function returns a base64-
encoded string, not a raw hash of the data passed in.

  Do I have to copy/paste my application keys into remote systems?

Not necessarily.

The latest version of the plugin adds a new XML-RPC method to the system that allows
for the generation of user-specific application keys remotely. _Please only ever
call this method over a secure/trusted network connection_ when setting up an application
for the first time.

## 评价

![](https://secure.gravatar.com/avatar/06288c97f5f235cc2685c817994161456093c02621eaa5ce0856b8ee3fab3299?
s=60&d=retro&r=g)

### 󠀁[Secure fail ?](https://wordpress.org/support/topic/secure-fail/)󠁿

 [Anonymous User 13245058](https://profiles.wordpress.org/anonymized-13245058/) 
2016 年 9 月 3 日

This plugin has been hacked on a client website…

![](https://secure.gravatar.com/avatar/c0c5b4ff7ab8a4de9e2651d48d0fd7d2ebd77c5ba1bc9bf67f58b2d9ea0c2341?
s=60&d=retro&r=g)

### 󠀁[Very useful plugin](https://wordpress.org/support/topic/very-useful-plugin-440/)󠁿

 [benjib0t](https://profiles.wordpress.org/benjib0t/) 2017 年 2 月 7 日

 [ 阅读所有3条评价 ](https://wordpress.org/support/plugin/secure-xml-rpc/reviews/)

## 贡献者及开发者

「Secure XML-RPC」是开源软件。 以下人员对此插件做出了贡献。

贡献者

 *   [ Eric Mann ](https://profiles.wordpress.org/ericmann/)

[帮助将「Secure XML-RPC」翻译成简体中文。](https://translate.wordpress.org/projects/wp-plugins/secure-xml-rpc)

### 对开发感兴趣吗?

您可以[浏览代码](https://plugins.trac.wordpress.org/browser/secure-xml-rpc/)，查看
[SVN仓库](https://plugins.svn.wordpress.org/secure-xml-rpc/)，或通过[RSS](https://plugins.trac.wordpress.org/log/secure-xml-rpc/?limit=100&mode=stop_on_copy&format=rss)
订阅[开发日志](https://plugins.trac.wordpress.org/log/secure-xml-rpc/)。

## 更新日志

#### 1.0.0

 * New: Add a custom RPC method for generating application keys remotely.
 * Dev change: Move all functional implementations inside our pseudo-namespace.
 * Dev change: Use a constant-time string comparison method for better security 
   and less data leakage during authentication.
 * Dev change: Use a double-hash to prevent any potential length-extension attacks.

#### 0.1.0

 * First release

## 额外信息

 *  版本 **1.0.0**
 *  最后更新：**12 年前**
 *  活跃安装数量 **50+**
 *  WordPress 版本 ** 3.8 或更高版本 **
 *  已测试的最高版本为 **4.0.38**
 *  语言
 * [English (US)](https://wordpress.org/plugins/secure-xml-rpc/)
 * 标签
 * [authentication](https://cn.wordpress.org/plugins/tags/authentication/)[oauth](https://cn.wordpress.org/plugins/tags/oauth/)
   [security](https://cn.wordpress.org/plugins/tags/security/)[xmlrpc](https://cn.wordpress.org/plugins/tags/xmlrpc/)
 *  [高级视图](https://cn.wordpress.org/plugins/secure-xml-rpc/advanced/)

## 评级

 3.7 星（最高 5 星）。

 *  [  2 条 5 星评价     ](https://wordpress.org/support/plugin/secure-xml-rpc/reviews/?filter=5)
 *  [  0 条 4 星评价     ](https://wordpress.org/support/plugin/secure-xml-rpc/reviews/?filter=4)
 *  [  0 条 3 星评价     ](https://wordpress.org/support/plugin/secure-xml-rpc/reviews/?filter=3)
 *  [  0 条 2 星评价     ](https://wordpress.org/support/plugin/secure-xml-rpc/reviews/?filter=2)
 *  [  1 条 1 星评价     ](https://wordpress.org/support/plugin/secure-xml-rpc/reviews/?filter=1)

[Your review](https://wordpress.org/support/plugin/secure-xml-rpc/reviews/#new-post)

[查看全部评论](https://wordpress.org/support/plugin/secure-xml-rpc/reviews/)

## 贡献者

 *   [ Eric Mann ](https://profiles.wordpress.org/ericmann/)

## 支持

有话要说吗？是否需要帮助？

 [查看支持论坛](https://wordpress.org/support/plugin/secure-xml-rpc/)

## 捐助

您愿意支持这个插件的发展吗?

 [ 捐助此插件 ](http://wordpress.org/plugins/secure-xmlrpc)