Question

I've recently installed a couple of apps (WordPress and BlogPad Pro) and I'm a bit surprised to see that they can indeed post to my blogs, even though I haven't given them the renamed login and wp-admin pages that I set up through iThemes Security.

My understanding was that posting could only happen "through" the back end of the blog; i.e. if you couldn't log into the blog through the login page, you couldn't post to the blog either. But evidently, with my username and password, these apps can post to the blog.

How does the app know to get "around" the obscured login page to post to the blog?

Solution

Clients typically use XML-RPC Support.

If you take a look at your page source, you will likely see the endpoint declaration:

<link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://example.com/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="http://example.com/wp-includes/wlwmanifest.xml" />

Apps use this information and your credentials to access the site. In this way they can either discover the location of the admin or work without it altogether via XML-RPC.
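
The discovery step described in the answer above, as an added example that is not part of the original answer: a Python check you can run against your own page source to see which remote-publishing endpoints the site still advertises after the login page has been renamed. The function names and the sample RSD document are assumptions constructed for illustration; the two `<link>` tags are the ones quoted in the answer.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin
import xml.etree.ElementTree as ET

RSD_NS = "{http://archipelago.phrasewise.com/rsd}"  # namespace used by RSD 1.0

# Constructed sample input: page head with the two tags quoted in the answer.
SAMPLE_HTML = """<html><head>
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://example.com/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="http://example.com/wp-includes/wlwmanifest.xml" />
</head><body></body></html>"""

# Constructed sample of what the EditURI target returns (an RSD document).
SAMPLE_RSD = """<rsd version="1.0" xmlns="http://archipelago.phrasewise.com/rsd">
  <service><engineName>WordPress</engineName><apis>
    <api name="WordPress" blogID="1" preferred="true" apiLink="http://example.com/xmlrpc.php" />
    <api name="MetaWeblog" blogID="1" preferred="false" apiLink="http://example.com/xmlrpc.php" />
  </apis></service></rsd>"""


class DiscoveryLinks(HTMLParser):
    """Collect the <link> tags that publishing clients use for autodiscovery."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.found = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rel = (a.get("rel") or "").lower()
        if tag == "link" and rel in ("edituri", "wlwmanifest") and a.get("href"):
            self.found[rel] = urljoin(self.base_url, a["href"])


def advertised_links(html, base_url):
    """Return {rel: absolute URL} for the discovery links present in the page."""
    parser = DiscoveryLinks(base_url)
    parser.feed(html)
    return parser.found


def rsd_api_endpoints(rsd_xml):
    """Return {API name: apiLink} from an RSD document fetched from your own site."""
    root = ET.fromstring(rsd_xml)
    return {api.get("name"): api.get("apiLink") for api in root.iter(RSD_NS + "api")}


if __name__ == "__main__":
    print(advertised_links(SAMPLE_HTML, "http://example.com/"))
    print(rsd_api_endpoints(SAMPLE_RSD))
```

An empty result from `advertised_links` only means the endpoint is no longer advertised in the page head; whether `xmlrpc.php` still accepts requests has to be checked separately.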

OTHER TIPS

No, it's not required. WordPress supports this kind of remote publishing through the XML-RPC interface of your blog:

             XML-RPC calls
      APP ------------------> Your Blog (example.com/xmlrpc.php)

The app isn't accessing your blog through the usual wp-login.php door; instead, it's talking to your xmlrpc.php file in the language of XML.

The xmlrpc.php file is located in your WordPress root folder.

If you want to turn off the XML-RPC access, it's possible with this single line of code:

add_filter( 'xmlrpc_enabled', '__return_false' );

You can read more about this in the Codex.

Licensed under: CC-BY-SA with attribution
Not affiliated with wordpress.stackexchange