From a41f27a7f9ab7c19ac4b4f9225e70d8ee1d1201b Mon Sep 17 00:00:00 2001
From: Drew Jaynes
Date: Thu, 17 Mar 2016 03:53:26 +0000
Subject: [PATCH] Docs: Clarify documentation for the `xmlrpc_enabled` filter to better explain that its scope only extends to methods requiring authentication. When the `xmlrpc_enabled` filter was initially introduced in [21509], it was effectively intended to replace the `enable_xmlrpc' UI option, which only controlled whether authenticated XML-RPC methods were enabled, such as for publishing actions. This change clarifies the expected behavior and adds information about ways to more granularly control XML-RPC method and request behavior with related hooks. Part props mensmaximus. See #21509. Fixes #36055.
Built from https://develop.svn.wordpress.org/trunk@37025
git-svn-id: http://core.svn.wordpress.org/trunk@36992 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/class-wp-xmlrpc-server.php | 17 +++++++++++++++--
 wp-includes/version.php | 2 +-
 2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/wp-includes/class-wp-xmlrpc-server.php b/wp-includes/class-wp-xmlrpc-server.php
index c331591dcf..c035bb57b9 100644
--- a/wp-includes/class-wp-xmlrpc-server.php
+++ b/wp-includes/class-wp-xmlrpc-server.php
@@ -247,9 +247,22 @@ class wp_xmlrpc_server extends IXR_Server {
 }
 
 /**
- * Filter whether XML-RPC is enabled.
+ * Filter whether XML-RPC methods requiring authentication are enabled.
 *
- * This is the proper filter for turning off XML-RPC.
+ * Contrary to the way it's named, this filter does not control whether XML-RPC is *fully*
+ * enabled, rather, it only controls whether XML-RPC methods requiring authentication - such
+ * as for publishing purposes - are enabled.
+ *
+ * Further, the filter does not control whether pingbacks or other custom endpoints that don't
+ * require authentication are enabled. This behavior is expected, and due to how parity was matched
+ * with the `enable_xmlrpc` UI option the filter replaced when it was introduced in 3.5.
+ *
+ * To disable XML-RPC methods that require authentication, use:
+ *
+ * add_filter( 'xmlrpc_enabled', '__return_false' );
+ *
+ * For more granular control over all XML-RPC methods and requests, see the {@see 'xmlrpc_methods'}
+ * and {@see 'xmlrpc_element_limit'} hooks.
 *
 * @since 3.5.0
 *
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 066d334dc4..048eb805e1 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.5-beta3-37024';
+$wp_version = '4.5-beta3-37025';
 
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
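Review bot: In the class-wp-xmlrpc-server.php hunk, the rewritten docblock says pingbacks and other unauthenticated methods stay enabled, but it only names the `xmlrpc_methods` hook without showing how to use it. A site owner who copies the `__return_false` example can still come away believing the endpoint is closed. I would add one sentence after the `add_filter` example, such as `To also turn off pingbacks, remove 'pingback.ping' from the array passed to the 'xmlrpc_methods' filter.` It would also help to state that `xmlrpc.php` keeps answering requests whatever this filter returns, so refusing the endpoint altogether has to be done outside it, for example at the web server. The function that applies the filter starts and ends outside the hunk, so the exact code path it gates cannot be confirmed from these lines.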