Sadly, blogging APIs have never been the first-class citizens in blog engines. Sure, most people just use web interfaces to post to their blogs, but there are a lot of people who prefer desktop applications like BlogJet.
WordPress 2.6 is going to join Movable Type in discriminating against blog clients—they are going to disable XML-RPC APIs by default. Users will have to enable them manually. (Movable Type requires you to use special API key instead of your password.)
Daniel Jalkut, developer of MarsEdit, the excellent blog client for Mac OS X, has a good post on this in his blog:
In my opinion, an entire class of problems with WordPress (and other blogging systems) stems from this interface bifurcation. Establishing a single interface to WordPress would be comparable to the “pin code + card” interface at your bank. You pass through it by car, on foot, and even at the counter when they ask you to swipe before doing any transaction. If you’ve only got one “real API” that touches the critically important data, then you’ve only got one door to secure. Furthermore, when all views into the blog are required to share the same API, suddenly none of them is deprived of functionality that the other has. Imagine if the API that the web interface uses to access all features of a blog could be just as easily employed by MarsEdit or any other application you authorized. The end result would be lots less work “playing catch up” for the XMLRPC and Atom developers, and more time focusing on innovative and cool features for all blog users.
Read it now and come back.
Did I mention that most blogging clients (except for one) are made by tiny software companies, and that they spend a huge amount of time answering to support emails from their users who have various problems configuring their server software?
We do our best to make our software as easy to configure and use as possible: just enter your blog address, login, and password, and let the program do configuration as needed. Disabling API by default will throw this work away; it's a way to increase the number of support requests, therefore, the amount of time we spend on support rather than perfecting our software.
Time to move on and develop other types of software? Or make our own blog engines? ;)
P.S. I have nothing against WordPress developers; actually they have one of the best implementations of the API, and I want to thank them for their work. However, I do not understand how disabling API will increase WordPress security.
Update: WordPress developers handled this issue with care: WP provides a meaningful error message and instructions on how to enable API. Thanks again, guys!