Add configuration for Wordpress XML-RPC endpoint

Signed-off-by: Kim Oliver Drechsel <[email protected]>

bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh

@@ -92,6 +92,7 @@ wordpress_validate() {
     check_yes_no_value "WORDPRESS_SKIP_BOOTSTRAP"
     check_multi_value "WORDPRESS_AUTO_UPDATE_LEVEL" "major minor none"
     check_yes_no_value "WORDPRESS_ENABLE_REVERSE_PROXY"
+    check_yes_no_value "WORDPRESS_ENABLE_XML_RPC"
 
     # Multisite validations
     check_yes_no_value "WORDPRESS_ENABLE_MULTISITE"
@@ -226,6 +227,12 @@ wordpress_initialize() {
                 WORDPRESS_DATA_TO_PERSIST+=" ${htaccess_file}"
             fi
         fi
+    else
+        if is_boolean_yes "$WORDPRESS_HTACCESS_OVERRIDE_NONE"; then
+            local htaccess_file="${APACHE_HTACCESS_DIR}/wordpress-htaccess.conf"
+        else
+            local htaccess_file="${WORDPRESS_BASE_DIR}/.htaccess"
+        fi
     fi
 
     # Check if WordPress has already been initialized and persisted in a previous run
@@ -351,6 +358,7 @@ wordpress_initialize() {
             # Enable friendly URLs / permalinks (using historic Bitnami defaults)
             wp_execute rewrite structure '/%year%/%monthnum%/%day%/%postname%/'
             ! is_empty_value "$WORDPRESS_SMTP_HOST" && wordpress_configure_smtp
+            ! is_boolean_yes "$WORDPRESS_ENABLE_XML_RPC" && wordpress_disable_xmlrpc_endpoint "$htaccess_file"
         else
             info "An already initialized WordPress database was provided, configuration will be skipped"
             wp_execute core update-db
@@ -583,6 +591,29 @@ if ( !defined( 'WP_CLI' ) ) {
 EOF
 }
 
+########################
+# Disable access to the WordPress XML-RPC endpoint
+# Globals:
+#   *
+# Arguments:
+#   $1 - path to .htaccess file
+# Returns:
+#   None
+#########################
+wordpress_disable_xmlrpc_endpoint() {
+    local -r htaccess_file="${1:?missing htaccess file path}"
+    [[ ! -f "$htaccess_file" ]] && touch "$htaccess_file" 
+    grep -q "<Files xmlrpc.php>" "$htaccess_file" || cat >>"$htaccess_file" <<"EOF"
+
+# Disable the oudated WordPress XML-RPC endpoint to prevent security vulnerabilities.
+<Files xmlrpc.php>
+Order Allow,Deny
+Deny from all
+</Files>
+
+EOF
+}
+
 ########################
 # Configure reverse proxy headers
 # Globals:

bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/wordpress-env.sh

@@ -47,6 +47,7 @@ wordpress_env_vars=(
     WORDPRESS_LOGGED_IN_SALT
     WORDPRESS_NONCE_SALT
     WORDPRESS_ENABLE_REVERSE_PROXY
+    WORDPRESS_ENABLE_XML_RPC
     WORDPRESS_USERNAME
     WORDPRESS_PASSWORD
     WORDPRESS_EMAIL
@@ -144,6 +145,7 @@ export WORDPRESS_SECURE_AUTH_SALT="${WORDPRESS_SECURE_AUTH_SALT:-}"
 export WORDPRESS_LOGGED_IN_SALT="${WORDPRESS_LOGGED_IN_SALT:-}"
 export WORDPRESS_NONCE_SALT="${WORDPRESS_NONCE_SALT:-}"
 export WORDPRESS_ENABLE_REVERSE_PROXY="${WORDPRESS_ENABLE_REVERSE_PROXY:-no}" # only used during the first initialization
+export WORDPRESS_ENABLE_XML_RPC="${WORDPRESS_ENABLE_XML_RPC:-yes}" # only used during the first initialization
 
 # WordPress credentials
 export WORDPRESS_USERNAME="${WORDPRESS_USERNAME:-user}" # only used during the first initialization

bitnami/wordpress/README.md

@@ -246,6 +246,7 @@ Available environment variables:
 - `WORDPRESS_SKIP_BOOTSTRAP`: Skip the WordPress installation wizard. This is necessary when providing a database with existing WordPress data. Default: **no**
 - `WORDPRESS_AUTO_UPDATE_LEVEL`: Level of auto-updates to allow for the WordPress core installation. Valid values: `major`, `minor`, `none`. Default: **none**
 - `WORDPRESS_ENABLE_REVERSE_PROXY`: Enable WordPress support for reverse proxy headers. Default: **no**
+- `WORDPRESS_ENABLE_XML_RPC`: Enable the WordPress XML-RPC endpoint. Default: **yes**
 
 #### Salt and keys configuration