From e89a685d43f079ba9ad9627813e63a54bd5d8d38 Mon Sep 17 00:00:00 2001
From: Kim Oliver Drechsel
Date: Tue, 3 Oct 2023 10:36:09 +0200
Subject: [PATCH 1/6] Add configuration for Wordpress XML-RPC endpoint
---
 .../opt/bitnami/scripts/libwordpress.sh | 24 +++++++++++++++++++
 .../opt/bitnami/scripts/wordpress-env.sh | 2 ++
 bitnami/wordpress/README.md | 1 +
 3 files changed, 27 insertions(+)
diff --git a/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh b/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh
index 3db0be8c1dc23..30f034eae40ed 100644
--- a/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh
+++ b/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh
@@ -92,6 +92,7 @@ wordpress_validate() {
 check_yes_no_value "WORDPRESS_SKIP_BOOTSTRAP"
 check_multi_value "WORDPRESS_AUTO_UPDATE_LEVEL" "major minor none"
 check_yes_no_value "WORDPRESS_ENABLE_REVERSE_PROXY"
+ check_yes_no_value "WORDPRESS_ENABLE_XML_RPC"
 # Multisite validations
 check_yes_no_value "WORDPRESS_ENABLE_MULTISITE"
@@ -351,6 +352,7 @@ wordpress_initialize() {
 # Enable friendly URLs / permalinks (using historic Bitnami defaults)
 wp_execute rewrite structure '/%year%/%monthnum%/%day%/%postname%/'
 ! is_empty_value "$WORDPRESS_SMTP_HOST" && wordpress_configure_smtp
+ ! is_boolean_yes "$WORDPRESS_ENABLE_XML_RPC" && wordpress_disable_xmlrpc_endpoint "$htaccess_file"
 else
 info "An already initialized WordPress database was provided, configuration will be skipped"
 wp_execute core update-db
@@ -583,6 +585,28 @@ if ( !defined( 'WP_CLI' ) ) {
 EOF
 }
+########################
+# Disable access to the WordPress XML-RPC endpoint
+# Globals:
+# *
+# Arguments:
+# $1 - path to .htaccess file
+# Returns:
+# None
+#########################
+wordpress_disable_xmlrpc_endpoint() {
+ local -r htaccess_file="${1:?missing path to htaccess file}"
+
+ cat >>"$htaccess_file" <<"EOF"
+
+# Disable the oudated WordPress XML-RPC endpoint to prevent security vulnerabilities.
+
+Order Allow,Deny
+Deny from all
+
+EOF
+}
 ########################
 # Configure reverse proxy headers
 # Globals:
diff --git a/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/wordpress-env.sh b/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/wordpress-env.sh
index 9126f28812cff..ee9aabde12783 100644
--- a/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/wordpress-env.sh
+++ b/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/wordpress-env.sh
@@ -47,6 +47,7 @@ wordpress_env_vars=(
 WORDPRESS_LOGGED_IN_SALT
 WORDPRESS_NONCE_SALT
 WORDPRESS_ENABLE_REVERSE_PROXY
+ WORDPRESS_ENABLE_XML_RPC
 WORDPRESS_USERNAME
 WORDPRESS_PASSWORD
 WORDPRESS_EMAIL
@@ -144,6 +145,7 @@ export WORDPRESS_SECURE_AUTH_SALT="${WORDPRESS_SECURE_AUTH_SALT:-}"
 export WORDPRESS_LOGGED_IN_SALT="${WORDPRESS_LOGGED_IN_SALT:-}"
 export WORDPRESS_NONCE_SALT="${WORDPRESS_NONCE_SALT:-}"
 export WORDPRESS_ENABLE_REVERSE_PROXY="${WORDPRESS_ENABLE_REVERSE_PROXY:-no}" # only used during the first initialization
+export WORDPRESS_ENABLE_XML_RPC="${WORDPRESS_ENABLE_XML_RPC:-no}" # only used during the first initialization
 # WordPress credentials
 export WORDPRESS_USERNAME="${WORDPRESS_USERNAME:-user}" # only used during the first initialization
diff --git a/bitnami/wordpress/README.md b/bitnami/wordpress/README.md
index f9986827e41b9..d2fef1d5b0e31 100644
--- a/bitnami/wordpress/README.md
+++ b/bitnami/wordpress/README.md
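Review bot: The block that `wordpress_disable_xmlrpc_endpoint` appends uses the Apache 2.2 access-control form (`Order Allow,Deny` / `Deny from all`); on Apache 2.4 these directives are only recognised when mod_access_compat is loaded, and an unrecognised directive in a `.htaccess` file typically turns every request in that directory into a server error rather than denying just the XML-RPC path, so `Require all denied` is the safer 2.4 form. No container directive scoping the two lines to the XML-RPC script survives in this rendering (the bare `+` lines around them suggest one was dropped); please confirm the real patch wraps them in a `<Files>` block, because without it the deny would cover the whole document root. `oudated` in the heredoc comment should read `outdated`. The same points apply to the patch 2/6 copy of this function further down; the function itself is complete within the hunk.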
@@ -246,6 +246,7 @@ Available environment variables:
 - `WORDPRESS_SKIP_BOOTSTRAP`: Skip the WordPress installation wizard. This is necessary when providing a database with existing WordPress data. Default: **no**
 - `WORDPRESS_AUTO_UPDATE_LEVEL`: Level of auto-updates to allow for the WordPress core installation. Valid values: `major`, `minor`, `none`. Default: **none**
 - `WORDPRESS_ENABLE_REVERSE_PROXY`: Enable WordPress support for reverse proxy headers. Default: **no**
+- `WORDPRESS_ENABLE_XML_RPC`: Enable the oudated WordPress XML-RPC endpoint. Default: **no**
 #### Salt and keys configuration
From 2345d966264de4682297877152ffb0f54d1f9b84 Mon Sep 17 00:00:00 2001
From: Kim Oliver Drechsel
Date: Tue, 3 Oct 2023 10:36:09 +0200
Subject: [PATCH 2/6] Add configuration for Wordpress XML-RPC endpoint
---
 .../opt/bitnami/scripts/libwordpress.sh | 33 +++++++++++++++++++
 .../opt/bitnami/scripts/wordpress-env.sh | 2 ++
 bitnami/wordpress/README.md | 1 +
 3 files changed, 36 insertions(+)
diff --git a/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh b/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh
index 3db0be8c1dc23..fb1063bafc256 100644
--- a/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh
+++ b/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh
@@ -92,6 +92,7 @@ wordpress_validate() {
 check_yes_no_value "WORDPRESS_SKIP_BOOTSTRAP"
 check_multi_value "WORDPRESS_AUTO_UPDATE_LEVEL" "major minor none"
 check_yes_no_value "WORDPRESS_ENABLE_REVERSE_PROXY"
+ check_yes_no_value "WORDPRESS_ENABLE_XML_RPC"
 # Multisite validations
 check_yes_no_value "WORDPRESS_ENABLE_MULTISITE"
@@ -226,6 +227,12 @@ wordpress_initialize() {
 WORDPRESS_DATA_TO_PERSIST+=" ${htaccess_file}"
 fi
 fi
+ else
+ if is_boolean_yes "$WORDPRESS_HTACCESS_OVERRIDE_NONE"; then
+ local htaccess_file="${APACHE_HTACCESS_DIR}/wordpress-htaccess.conf"
+ else
+ local htaccess_file="${WORDPRESS_BASE_DIR}/.htaccess"
+ fi
 fi
 # Check if WordPress has already been initialized and persisted in a previous run
@@ -351,6 +358,7 @@ wordpress_initialize() {
 # Enable friendly URLs / permalinks (using historic Bitnami defaults)
 wp_execute rewrite structure '/%year%/%monthnum%/%day%/%postname%/'
 ! is_empty_value "$WORDPRESS_SMTP_HOST" && wordpress_configure_smtp
+ ! is_boolean_yes "$WORDPRESS_ENABLE_XML_RPC" && wordpress_disable_xmlrpc_endpoint "$htaccess_file"
 else
 info "An already initialized WordPress database was provided, configuration will be skipped"
 wp_execute core update-db
@@ -406,6 +414,8 @@ wordpress_initialize() {
 wordpress_wait_for_mysql_connection "$db_host" "$db_port" "$db_name" "$db_user" "$db_pass"
 wp_execute core update-db
+ ! is_boolean_yes "$WORDPRESS_ENABLE_XML_RPC" && wordpress_disable_xmlrpc_endpoint "$htaccess_file"
+
 if is_boolean_yes "$WORDPRESS_RESET_DATA_PERMISSIONS"; then
 warn "Resetting file permissions in persisted volume"
 local wp_config_path
@@ -583,6 +593,29 @@ if ( !defined( 'WP_CLI' ) ) {
 EOF
 }
+########################
+# Disable access to the WordPress XML-RPC endpoint
+# Globals:
+# *
+# Arguments:
+# $1 - path to .htaccess file
+# Returns:
+# None
+#########################
+wordpress_disable_xmlrpc_endpoint() {
+ local -r htaccess_file="${1:?missing htaccess file path}"
+ [[ ! -f "$htaccess_file" ]] && touch "$htaccess_file"
+ grep -q "" "$htaccess_file" || cat >>"$htaccess_file" <<"EOF"
+
+# Disable the oudated WordPress XML-RPC endpoint to prevent security vulnerabilities.
+
+Order Allow,Deny
+Deny from all
+
+
+EOF
+}
 ########################
 # Configure reverse proxy headers
 # Globals:
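Review bot: The new `else` branch at `@@ -226` re-derives `htaccess_file` from `WORDPRESS_HTACCESS_OVERRIDE_NONE`, which looks like a copy of the selection already made in the `if` branch above it (outside the hunk, where the same variable is appended to `WORDPRESS_DATA_TO_PERSIST`). Declaring `local htaccess_file` once before that `if` and assigning it in a single `if is_boolean_yes "$WORDPRESS_HTACCESS_OVERRIDE_NONE"` / `else` pair would keep the two copies from drifting and make it explicit that the later `wordpress_disable_xmlrpc_endpoint "$htaccess_file"` calls at `@@ -351` and `@@ -406` rely on this value being set on every path. `wordpress_initialize` begins and ends outside the hunk, so the exact shape of the `if` branch should be checked in the full file.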
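Review bot: The idempotence guard `grep -q "" "$htaccess_file"` in the new `wordpress_disable_xmlrpc_endpoint` has an empty pattern as rendered here, and an empty pattern matches every line, so any pre-existing non-empty `.htaccess` would silently never receive the deny block; if the real pattern is the opening container tag this rendering dropped, make it a literal match so regex metacharacters in the marker cannot change its meaning, e.g. `grep -qF -- '<Files xmlrpc.php>' "$htaccess_file" || cat >>"$htaccess_file" <<"EOF"` (assuming that is the marker used). The preceding `[[ ! -f "$htaccess_file" ]] && touch "$htaccess_file"` only exists to make that grep succeed on a missing file; `cat >>` creates the file on its own, so a `[[ -f "$htaccess_file" ]] && grep -qF -- … ||` form would drop the `touch`. The appended directives are still the Apache 2.2 `Order`/`Deny` form, for which `Require all denied` is the 2.4 equivalent, and `oudated` should be `outdated`.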
diff --git a/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/wordpress-env.sh b/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/wordpress-env.sh
index 9126f28812cff..ee9aabde12783 100644
--- a/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/wordpress-env.sh
+++ b/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/wordpress-env.sh
@@ -47,6 +47,7 @@ wordpress_env_vars=(
 WORDPRESS_LOGGED_IN_SALT
 WORDPRESS_NONCE_SALT
 WORDPRESS_ENABLE_REVERSE_PROXY
+ WORDPRESS_ENABLE_XML_RPC
 WORDPRESS_USERNAME
 WORDPRESS_PASSWORD
 WORDPRESS_EMAIL
@@ -144,6 +145,7 @@ export WORDPRESS_SECURE_AUTH_SALT="${WORDPRESS_SECURE_AUTH_SALT:-}"
 export WORDPRESS_LOGGED_IN_SALT="${WORDPRESS_LOGGED_IN_SALT:-}"
 export WORDPRESS_NONCE_SALT="${WORDPRESS_NONCE_SALT:-}"
 export WORDPRESS_ENABLE_REVERSE_PROXY="${WORDPRESS_ENABLE_REVERSE_PROXY:-no}" # only used during the first initialization
+export WORDPRESS_ENABLE_XML_RPC="${WORDPRESS_ENABLE_XML_RPC:-no}" # only used during the first initialization
 # WordPress credentials
 export WORDPRESS_USERNAME="${WORDPRESS_USERNAME:-user}" # only used during the first initialization
diff --git a/bitnami/wordpress/README.md b/bitnami/wordpress/README.md
index f9986827e41b9..d2fef1d5b0e31 100644
--- a/bitnami/wordpress/README.md
+++ b/bitnami/wordpress/README.md
@@ -246,6 +246,7 @@ Available environment variables:
 - `WORDPRESS_SKIP_BOOTSTRAP`: Skip the WordPress installation wizard. This is necessary when providing a database with existing WordPress data. Default: **no**
 - `WORDPRESS_AUTO_UPDATE_LEVEL`: Level of auto-updates to allow for the WordPress core installation. Valid values: `major`, `minor`, `none`. Default: **none**
 - `WORDPRESS_ENABLE_REVERSE_PROXY`: Enable WordPress support for reverse proxy headers. Default: **no**
+- `WORDPRESS_ENABLE_XML_RPC`: Enable the oudated WordPress XML-RPC endpoint. Default: **no**
 #### Salt and keys configuration
From 12695d8d4f2db5744c875ee03b2da5ab325ad8ca Mon Sep 17 00:00:00 2001
From: Kim Oliver Drechsel
Date: Tue, 3 Oct 2023 13:36:01 +0200
Subject: [PATCH 3/6] Remove duplicate code
---
 .../6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh | 1 -
 1 file changed, 1 deletion(-)
diff --git a/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh b/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh
index 996ee921f78d2..5f380c80ed7fd 100644
--- a/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh
+++ b/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh
@@ -360,7 +360,6 @@ wordpress_initialize() {
 wp_execute rewrite structure '/%year%/%monthnum%/%day%/%postname%/'
 ! is_empty_value "$WORDPRESS_SMTP_HOST" && wordpress_configure_smtp
 ! is_boolean_yes "$WORDPRESS_ENABLE_XML_RPC" && wordpress_disable_xmlrpc_endpoint "$htaccess_file"
- ! is_boolean_yes "$WORDPRESS_ENABLE_XML_RPC" && wordpress_disable_xmlrpc_endpoint "$htaccess_file"
 else
 info "An already initialized WordPress database was provided, configuration will be skipped"
 wp_execute core update-db
From 8c787dbde7f843419345f24e18900b0204a2c4d2 Mon Sep 17 00:00:00 2001
From: Kim Oliver Drechsel
Date: Tue, 3 Oct 2023 13:36:32 +0200
Subject: [PATCH 4/6] Remove duplicate code
---
 .../6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh | 1 -
 1 file changed, 1 deletion(-)
diff --git a/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh b/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh
index 5f380c80ed7fd..fb1063bafc256 100644
--- a/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh
+++ b/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh
@@ -93,7 +93,6 @@ wordpress_validate() {
 check_multi_value "WORDPRESS_AUTO_UPDATE_LEVEL" "major minor none"
 check_yes_no_value "WORDPRESS_ENABLE_REVERSE_PROXY"
 check_yes_no_value "WORDPRESS_ENABLE_XML_RPC"
- check_yes_no_value "WORDPRESS_ENABLE_XML_RPC"
 # Multisite validations
 check_yes_no_value "WORDPRESS_ENABLE_MULTISITE"
From 30dd7d630d529b6d847a28de088ecde92b63ef3c Mon Sep 17 00:00:00 2001
From: Kim Oliver Drechsel
Date: Tue, 3 Oct 2023 14:19:51 +0200
Subject: [PATCH 5/6] Only check during first initialization
---
 .../6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh | 2 --
 1 file changed, 2 deletions(-)
diff --git a/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh b/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh
index fb1063bafc256..d6a854324156e 100644
--- a/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh
+++ b/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/libwordpress.sh
@@ -414,8 +414,6 @@ wordpress_initialize() {
 wordpress_wait_for_mysql_connection "$db_host" "$db_port" "$db_name" "$db_user" "$db_pass"
 wp_execute core update-db
- ! is_boolean_yes "$WORDPRESS_ENABLE_XML_RPC" && wordpress_disable_xmlrpc_endpoint "$htaccess_file"
-
 if is_boolean_yes "$WORDPRESS_RESET_DATA_PERMISSIONS"; then
 warn "Resetting file permissions in persisted volume"
 local wp_config_path
From 5903edbdf3bfb687e67f78eb50ead4dd1cdb53e4 Mon Sep 17 00:00:00 2001
From: Kim Oliver Drechsel
Date: Tue, 3 Oct 2023 14:20:28 +0200
Subject: [PATCH 6/6] Allow access to XML-RPC endpoint by default
---
 .../6/debian-11/rootfs/opt/bitnami/scripts/wordpress-env.sh | 2 +-
 bitnami/wordpress/README.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/wordpress-env.sh b/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/wordpress-env.sh
index ee9aabde12783..3a926e1765356 100644
--- a/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/wordpress-env.sh
+++ b/bitnami/wordpress/6/debian-11/rootfs/opt/bitnami/scripts/wordpress-env.sh
@@ -145,7 +145,7 @@ export WORDPRESS_SECURE_AUTH_SALT="${WORDPRESS_SECURE_AUTH_SALT:-}"
 export WORDPRESS_LOGGED_IN_SALT="${WORDPRESS_LOGGED_IN_SALT:-}"
 export WORDPRESS_NONCE_SALT="${WORDPRESS_NONCE_SALT:-}"
 export WORDPRESS_ENABLE_REVERSE_PROXY="${WORDPRESS_ENABLE_REVERSE_PROXY:-no}" # only used during the first initialization
-export WORDPRESS_ENABLE_XML_RPC="${WORDPRESS_ENABLE_XML_RPC:-no}" # only used during the first initialization
+export WORDPRESS_ENABLE_XML_RPC="${WORDPRESS_ENABLE_XML_RPC:-yes}" # only used during the first initialization
 # WordPress credentials
 export WORDPRESS_USERNAME="${WORDPRESS_USERNAME:-user}" # only used during the first initialization
diff --git a/bitnami/wordpress/README.md b/bitnami/wordpress/README.md
index d2fef1d5b0e31..644c0fd3cf2d5 100644
--- a/bitnami/wordpress/README.md
+++ b/bitnami/wordpress/README.md
@@ -246,7 +246,7 @@ Available environment variables:
 - `WORDPRESS_SKIP_BOOTSTRAP`: Skip the WordPress installation wizard. This is necessary when providing a database with existing WordPress data. Default: **no**
 - `WORDPRESS_AUTO_UPDATE_LEVEL`: Level of auto-updates to allow for the WordPress core installation. Valid values: `major`, `minor`, `none`. Default: **none**
 - `WORDPRESS_ENABLE_REVERSE_PROXY`: Enable WordPress support for reverse proxy headers. Default: **no**
-- `WORDPRESS_ENABLE_XML_RPC`: Enable the oudated WordPress XML-RPC endpoint. Default: **no**
+- `WORDPRESS_ENABLE_XML_RPC`: Enable the WordPress XML-RPC endpoint. Default: **yes**
 #### Salt and keys configuration
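Review bot: The trailing `# only used during the first initialization` on the changed `WORDPRESS_ENABLE_XML_RPC` line leaves an asymmetry undocumented: when the variable was `no` at first initialization, `wordpress_disable_xmlrpc_endpoint` has appended the deny block to the htaccess file, which in at least one branch of `wordpress_initialize` is added to `WORDPRESS_DATA_TO_PERSIST`, so restarting the same volume with `WORDPRESS_ENABLE_XML_RPC=yes` does not restore access and the block has to be removed by hand. Suggest extending the comment to `# only used during the first initialization; a deny block written to the htaccess file persists` and stating the same in the README entry this commit edits, since operators reading only the default `yes` would assume the setting is reversible.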