
Hey there, 👋

I hope you are all well. I figured this deserves a post, so here I am.

I've only recently discovered Zapier and the insane possibilities it affords, which is fantastic in and of itself. However, I feel like some pre-built connections are dangerous, such as the one I'll be covering in this post. They shouldn't be the standard solution for anyone not savvy enough to know it might do some serious harm.

In this scenario, I'm talking about the WordPress Integration offered by Zapier. Personally, I was hoping to connect Zapier to my blog in the hopes of setting up some automation for sharing new posts to various social feeds. So, I found the app on Zapier, and there's a template for that, cool right? We will see...

So I set about connecting Zapier and WordPress together. It asks for four things primarily.

  1. Download the Zapier Plugin -> Link Here.
  2. Include your root URL without any slugs -> https://www.example.com/
  3. Include your WordPress username or email -> John Smith
  4. Include the password you use to sign in. -> *******

And boom! - Supposedly, except I ran into the following error:

Authentication failed: WordPress ran into an issue. Error code 403:

Uh huh, typical. (At least in my experience.) Nothing ever works the first time, right?

So, I ventured over to community.zapier.com and found a similar issue another Zapier user was facing, linked here. The user expresses that they are also experiencing a 403 error, and they've tried a bunch of fixes, but nothing seems to do the trick.

Support does step in and offer a solution that highlights the precise area I take folly with. Specifically: "We need the XML-RPC file to be active; that is how we connect to your WordPress site."

Why do I pick a fight with this part in particular? Well, that's because the XML-RPC file is a relic of the B2 Blogging software, which was forked to make WordPress back in 2003. And it's still there, even though XML-RPC is mainly outdated.

The REST API has superseded XML-RPC. You should disable xmlrpc.php on your site because it introduces security vulnerabilities and can be the target of attacks.

You can read more on this topic on kinsta. Link here.

So why is Zapier still peddling an archaic solution to a modern problem with modern tools at their disposal? - I suppose that is the question I have in this long post. I'd be eager to hear why XML-RPC is explicitly used and when they plan on updating the process.

I think it's wrong to use such an approach, primarily since 43% of the web uses WordPress. Most WordPress users don't really understand the dangers of using deprecated solutions. I think Zapier also has a responsibility to protect its users from that.

Until then, I think I'll steer clear of connecting my WordPress site to Zapier, at least until they modernise this template.

So, yeah. Sorry about the rant. Felt like I needed to vent a little. 😅

-B
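For readers who want to act on the advice in the post and switch off xmlrpc.php on a self-hosted site, here is an added example (not part of the original post, and not Zapier's or WordPress's own code) of a must-use plugin that disables the legacy endpoint while leaving the REST API untouched. It assumes you can place a file under wp-content/mu-plugins/ (so a self-hosted install, not a WordPress.com hosted account), and it uses only hooks that WordPress core provides: the xmlrpc_enabled and xmlrpc_methods filters, the rsd_link head action, the wp_headers filter and the XMLRPC_REQUEST constant. Note that this will also break the Legacy Zapier integration discussed in the thread, which is the point: use the REST-based version of the integration instead.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example, hypothetical plugin name)
 * Description: Turns off the legacy xmlrpc.php endpoint; the REST API is not affected.
 *
 * Assumed file location: wp-content/mu-plugins/disable-xmlrpc.php
 * Must-use plugins load automatically, so there is nothing to activate.
 */

// 1. Tell WordPress core that XML-RPC is disabled. Core consults this filter
//    before serving any method that requires authentication.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Remove every registered XML-RPC method as well. The filter above still
//    lets unauthenticated methods (pingbacks, demo calls) through, so clear
//    the method table so that nothing at all is served from this endpoint.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    return array();
} );

// 3. Stop advertising the endpoint: drop the RSD discovery <link> from <head>
//    and the X-Pingback response header that points clients at xmlrpc.php.
remove_action( 'wp_head', 'rsd_link' );
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 4. Belt and braces: xmlrpc.php defines XMLRPC_REQUEST before loading
//    WordPress, so a direct hit can be answered with 403 during 'init',
//    before the request body is ever parsed. This mirrors the 403 the
//    original poster saw, but here it is the intended behaviour.
add_action( 'init', function () {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        status_header( 403 );
        nocache_headers();
        exit;
    }
} );
```

After deploying it, a request to https://www.example.com/xmlrpc.php from your own browser should return a 403 and the page source should no longer contain an RSD link or an X-Pingback header. If your host gives you web-server configuration as well, blocking the path there in addition to this plugin means the request never reaches PHP at all.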

Hi @Beaniie 

Thanks for sharing.

FYI: Most apps on Zapier are built and maintained by the app developers themselves, although I’m unsure who owns the WordPress Zap integration (WordPress or Zapier).

Best to submit feedback and feature requests via a ticket to Zapier Support to be logged: https://zapier.com/app/get-help


Hi @Beaniie!

Thanks for taking the time to write up such a thoughtful post!

I did some digging and it appears this response may have been in response to the Legacy version of our WordPress app, which does use an XML-RPC connection. The newer version of our WordPress app does use the REST API! That said, it requires a plugin in order to use the integration, which means only users on a paid plan (one that allows for plugin installation) have access. The Legacy version, while it does use an XML-RPC connection, doesn’t have this requirement and can be used by anyone including those using the WordPress hosted accounts.

All of this to say, we’ve kept both versions of the app available so users can choose the integration that works best for them!

I hope the context helps! We appreciate you reaching out. 🤗


Hi @Beaniie!

Thanks for taking the time to write up such a thoughtful post!

I did some digging and it appears this response may have been in response to the Legacy version of our WordPress app, which does use a XML-RPC connection. The newer version of our WordPress app does use REST API! That said, it requires a plugin in order to use the integration, which means only users on a paid plan (one that allows for plugin installation) have access. The Legacy version, while it does use an XML-RPC connection, doesn’t have this requirement and can be used by anyone including those using the WordPress hosted accounts.

All of this to say, we’ve kept both versions of the app available so users can choose the integration that works best for them!

I hope the context helps! We appreciate you reaching out. 🤗

Hi @christina.d,

Thanks for taking the time to do a little more digging and sharing your findings; I appreciate it. 👌

However, while I agree with supporting legacy solutions, I still strongly feel that keeping robust security solutions behind a paywall is a little inappropriate, especially for a platform with such a significant user base as Zapier.

As I alluded to in my post, most WordPress users aren't knowledgeable enough to know that the legacy solution you are pushing is open to attacks. At the very least, a disclaimer should be added during the set-up process, detailing the dangers of using such a process.

If there is a more up-to-date REST solution, I will do a little digging myself and take a look. Thanks for the update. 😁👍

-B


Most definitely, @Beaniie. Appreciate you being open to having a dialogue and sharing your candid thoughts! 

I did want to mention the paid plans to install plugins are a WordPress requirement, rather than a Zapier one. That said, the disclaimer is a valid recommendation and I’m happy to pass it along to the team!

Please continue to let us know if you have any questions or feedback. We’re always happy to help. 🙂