Several Desktop blog-editing applications use XML-RPC to allow you to manage your WordPress blog. The one I use is MarsEdit.
XML-RPC functionality has been turned on by default since WordPress 3.5 so after updating to WordPress 3.8.2 I was not expecting MarsEdit to report that XML-RPC services are disabled on this site.
The WordPress 3.8.2 update release notes stated that the wp-includes/class-wp-xmlrpc-server.php file had been revised. So the culprit did appear to be the latest WordPress update. However, the developer of MarsEdit alluded to a plugin possibly causing the issue.
At first, I couldn’t think which of the plugins I use could potentially cause this error but after disabling all of this site’s plugins MarsEdit no longer threw the XML-RPC error. After enabling the plugins one-by-one the real culprit turned-out to be the 5.0.2 update to the Wordfence Security plugin that was released at roughly the same time as the WordPress 3.8.2 update.
The Wordfence Security plugin v5.0.2 has a new option under Wordfence > Options > Other Options named Disable XML-RPC for DDoS protection which is checked by default. Unchecking this option allows MarsEdit — and other applications relying on the XML-RPC interface — to communicate with WordPress once more.
Hat tip: Kelson for pointing out the Disable XML-RPC for DDoS protection option in Wordfence 5.0.2.
UPDATE 11th April 2014: Wordfence Security 5.0.3 has been released which no longer includes the option to disable XML-RPC.
Sorry about this, we’ve pulled this feature because it caused a lot of problems. We’ve also posted a blog entry here:
Mark Maunder – Wordfence founder.
Thanks for the timely update and I appreciate you taking the time to respond.