Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[bitnami/wordpress] Add env var to disable XML-RPC #50838

Closed
wants to merge 10 commits into from
Original file line number Diff line number Diff line change
Expand Up @@ -92,6 +92,7 @@ wordpress_validate() {
check_yes_no_value "WORDPRESS_SKIP_BOOTSTRAP"
check_multi_value "WORDPRESS_AUTO_UPDATE_LEVEL" "major minor none"
check_yes_no_value "WORDPRESS_ENABLE_REVERSE_PROXY"
check_yes_no_value "WORDPRESS_ENABLE_XML_RPC"

# Multisite validations
check_yes_no_value "WORDPRESS_ENABLE_MULTISITE"
Expand Down Expand Up @@ -226,6 +227,12 @@ wordpress_initialize() {
WORDPRESS_DATA_TO_PERSIST+=" ${htaccess_file}"
fi
fi
else
if is_boolean_yes "$WORDPRESS_HTACCESS_OVERRIDE_NONE"; then
local htaccess_file="${APACHE_HTACCESS_DIR}/wordpress-htaccess.conf"
else
local htaccess_file="${WORDPRESS_BASE_DIR}/.htaccess"
fi
fi

# Check if WordPress has already been initialized and persisted in a previous run
Expand Down Expand Up @@ -351,6 +358,7 @@ wordpress_initialize() {
# Enable friendly URLs / permalinks (using historic Bitnami defaults)
wp_execute rewrite structure '/%year%/%monthnum%/%day%/%postname%/'
! is_empty_value "$WORDPRESS_SMTP_HOST" && wordpress_configure_smtp
! is_boolean_yes "$WORDPRESS_ENABLE_XML_RPC" && wordpress_disable_xmlrpc_endpoint "$htaccess_file"
else
info "An already initialized WordPress database was provided, configuration will be skipped"
wp_execute core update-db
Expand Down Expand Up @@ -583,6 +591,29 @@ if ( !defined( 'WP_CLI' ) ) {
EOF
}

########################
# Disable access to the WordPress XML-RPC endpoint
# Globals:
# *
# Arguments:
# $1 - path to .htaccess file
# Returns:
# None
#########################
wordpress_disable_xmlrpc_endpoint() {
local -r htaccess_file="${1:?missing htaccess file path}"
[[ ! -f "$htaccess_file" ]] && touch "$htaccess_file"
grep -q "<Files xmlrpc.php>" "$htaccess_file" || cat >>"$htaccess_file" <<"EOF"

# Disable the oudated WordPress XML-RPC endpoint to prevent security vulnerabilities.
<Files xmlrpc.php>
Order Allow,Deny
Deny from all
</Files>

EOF
}

########################
# Configure reverse proxy headers
# Globals:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,7 @@ wordpress_env_vars=(
WORDPRESS_LOGGED_IN_SALT
WORDPRESS_NONCE_SALT
WORDPRESS_ENABLE_REVERSE_PROXY
WORDPRESS_ENABLE_XML_RPC
WORDPRESS_USERNAME
WORDPRESS_PASSWORD
WORDPRESS_EMAIL
Expand Down Expand Up @@ -144,6 +145,7 @@ export WORDPRESS_SECURE_AUTH_SALT="${WORDPRESS_SECURE_AUTH_SALT:-}"
export WORDPRESS_LOGGED_IN_SALT="${WORDPRESS_LOGGED_IN_SALT:-}"
export WORDPRESS_NONCE_SALT="${WORDPRESS_NONCE_SALT:-}"
export WORDPRESS_ENABLE_REVERSE_PROXY="${WORDPRESS_ENABLE_REVERSE_PROXY:-no}" # only used during the first initialization
export WORDPRESS_ENABLE_XML_RPC="${WORDPRESS_ENABLE_XML_RPC:-yes}" # only used during the first initialization

# WordPress credentials
export WORDPRESS_USERNAME="${WORDPRESS_USERNAME:-user}" # only used during the first initialization
Expand Down
1 change: 1 addition & 0 deletions bitnami/wordpress/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -246,6 +246,7 @@ Available environment variables:
- `WORDPRESS_SKIP_BOOTSTRAP`: Skip the WordPress installation wizard. This is necessary when providing a database with existing WordPress data. Default: **no**
- `WORDPRESS_AUTO_UPDATE_LEVEL`: Level of auto-updates to allow for the WordPress core installation. Valid values: `major`, `minor`, `none`. Default: **none**
- `WORDPRESS_ENABLE_REVERSE_PROXY`: Enable WordPress support for reverse proxy headers. Default: **no**
- `WORDPRESS_ENABLE_XML_RPC`: Enable the WordPress XML-RPC endpoint. Default: **yes**

#### Salt and keys configuration

Expand Down
Loading