• Resolved Jory Hogeveen

    (@keraweb)


    There are already many topics on Zapier blocks when WF Login Security is used.

    The current issue I’m facing is with the “Disable XML-RPC authentication” setting.
    Even though Zapier states it only uses the REST API, this setting still appears to block Zapier from connecting to WordPress.
    I did a quick search through the plugin and apparently there is only one action hooked to wfls_xml_rpc_blocked and that is wordfence::checkSecurityNetwork() which checks if the IP is blocked. I can verify that this is also not the case.

    For any reCaptcha users out there, please note that I added a filter on all REST requests that when the Zapier user agent makes a request I disable reCaptcha so Zapier won’t be flagged as a bot (this is working nicely).

    I’d really like to have XML-RPC blocked but cannot find the cause of Zapier not working anymore if it is.
    Any help on this matter would be very much appreciated.

    Cheers, Jory

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @keraweb,

    It may be worth getting a definitive answer from Zapier, although I found two separate answers updated relatively recently depending on what it is you’re connecting to. The following page was last updated 3 months ago stating that “In order to connect to WordPress, you must have XML-RPC functionality turned on.”: https://help.zapier.com/hc/en-us/articles/8495969550989-Common-Problems-with-WordPress

    Although when connecting to WooCommerce specifically they do seem to utilize the REST API, “Zapier provides integration with WooCommerce, but the technology used to connect to WooCommerce is not XML-RPC API. Zapier uses WooCommerce’s REST API to connect to the platform.”: https://community.zapier.com/how-do-i-3/does-zapier-uses-wordpress-s-xml-rpc-api-21942

    We already recommend leaving XML-RPC on if you need something that uses it, like the WordPress app or Jetpack, although I would imagine that now Application Passwords are easily available, some services may move over to this, or default to the REST API in the future.

    Many thanks,
    Peter.

    Thread Starter Jory Hogeveen

    (@keraweb)

    Hi @wfpeter

    We already use Application Passwords in Zapier, so I was under the impression that XML-RPC and REST got mixed up in the block.
    Though now I understand that Zapier actually still uses XML-RPC for their WordPress core connection through the first link you’ve posted. I was sure they didn’t, so sorry about this post.

    I might solve it similarly to reCaptcha and only allow XML-RPC when Zapier tries to connect.

    Thank you for the prompt reply, greatly appreciated.
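
The question the thread turns on, whether the integration reaches WordPress through `xmlrpc.php` or the REST API, can be answered from the web server's access log. The following is an added example, not code from the thread, Wordfence or Zapier; it assumes Combined Log Format and a user agent containing "zapier", and the log lines and status codes are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined Log Format:
# ip - user [time] "METHOD target PROTO" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
UA_MARKER = "zapier"  # assumption: the integration's user agent contains this

def classify(target):
    """Map a request target to the WordPress API it reaches."""
    parts = urlsplit(target)
    if parts.path.rstrip("/").endswith("/xmlrpc.php"):
        return "xmlrpc"
    # REST API: pretty permalinks (/wp-json/...) or plain (?rest_route=/...)
    if "/wp-json" in parts.path or "rest_route" in parse_qs(parts.query):
        return "rest"
    return "other"

def tally(lines, ua_marker=UA_MARKER):
    """Count (api, status) pairs for requests whose user agent matches."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or ua_marker not in m["ua"].lower():
            continue  # unparseable line or a different client
        counts[(classify(m["target"]), int(m["status"]))] += 1
    return counts

# Constructed sample lines (documentation IP ranges, made-up statuses and sizes).
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jan/2024:10:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Zapier"',
    '203.0.113.10 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-json/wp/v2/posts?per_page=1 HTTP/1.1" 200 5120 "-" "Zapier"',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "ExampleClient/1.0"',
    '203.0.113.10 - - [01/Jan/2024:10:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Zapier"',
    '203.0.113.10 - - [01/Jan/2024:10:01:30 +0000] "GET /?rest_route=/wp/v2/users/me HTTP/1.1" 200 812 "-" "Zapier"',
]

if __name__ == "__main__":
    for (api, status), n in sorted(tally(SAMPLE_LOG).items()):
        print(f"{api:7} HTTP {status}: {n}")
```

The user agent is supplied by the client, so this tally is suitable for diagnosis only and does not establish who sent a request.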
