Second Level Of Security

May 20th, 2016

An issue MarsEdit users are running into with increased frequency is a challenge, when trying to connect to a blog, for a “second level of security” password. This panel is usually only displayed when a blog has been configured with an HTTP Basic protection to ensure it is completely private:


However it is recently being erroneously displayed for many users who have no such (intentional) protection set up.

The problem is rooted in web hosting administrators increasingly restricting access to the interface that MarsEdit uses to connect to blogs, called the “API.” For example, on a typical WordPress blog the API will usually be located by a URL like:

Many web hosting teams have instituted a blanket ban on accessing URLs like these, and the way they configure the host causes an error code to be returned to MarsEdit that it mistakes for a “second level of security.”

The solution to this problem is to contact your web hosting team and ask them to explicitly whitelist access to the API Endpoint URL (you can find yours in MarsEdit’s blog settings) for your blog. It may help to provide your web hosting team a log of the conversation between MarsEdit and your blog:

  1. Open MarsEdit
  2. Select Window -> Network Log from the menu bar.
  3. Clear the log if it’s not already empty.
  4. Try to refresh the blog again from MarsEdit.
  5. Copy the network log contents.

Once they have fixed the configuration of your server, the annoying security request should stop appearing in MarsEdit.

2 Responses to “Second Level Of Security”

  1. David Blatner Says:

    Unfortunately, hosts may not be comfortable with completely opening access to XMLRPC because of security exploits. I got around this by agreeing to use .htaccess (or nginx at WPengine) to limit access to xmlrpc to only specific IP addresses or IP ranges.

  2. Daniel Jalkut Says:

    Hi David – yes, many hosts have reacted to concerns about XMLRPC.php security. It’s mostly based, by my understanding, on outdated issues with XMLRPC, but as the interface is not necessary to the vast majority of WordPress users, I can see why they want to err on the side of caution.

Comments are Closed.

Follow the Conversation

Stay up-to-date by subscribing to the Comments RSS Feed for this entry.