Opened 7 years ago
Closed 4 years ago
#43459 closed feature request (duplicate)
Provide a "manifest.json" file for exposing information about WordPress endpoints
Reported by: | bjne | Owned by: |
---|---|---|---
Milestone: | | Priority: | normal
Severity: | normal | Version: |
Component: | Security | Keywords: |
Focuses: | | Cc: |
Description
When hosting WordPress sites, there is a problem knowing which .php files
should be executed directly and which are just included by other apps.
I suggest trying to develop a "manifest.json" (filename open for discussion)
that should live in wp-core and provide an up-to-date reference for configuring
frontend webservers (per-request?).
Currently the practice is mostly to deny access to wp-config.php, but more or
less allow every other endpoint to be executed directly. This is a security concern.
The format should be expandable in the future, but I suggest the following basic
JSON schema:

{
  "$schema": "http://json-schema.org/draft-06/schema#",
  "type": "object",
  "description": "wordpress manifest",
  "patternProperties": {
    "^(/[^/]+)+$": {
      "type": "object",
      "properties": {
        "type": { "enum": ["public", "logged_in", "admin"] }
      },
      "required": ["type"]
    }
  },
  "additionalProperties": false
}
Which would allow the following initial configuration:
{
  "/index.php": { "type": "public" },
  "/wp-login.php": { "type": "public" },
  "/wp-admin/wp-admin-php": { "type": "admin" }
}
Everything not listed in this file should be blacklisted by default.
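As an added example (not code from this ticket, from WordPress core, or from the other ticket), here is a consumer for the proposed format written in Python with only the standard library. It validates a manifest against the rules in the schema above, answers "may this request path be executed?" with default deny after the canonicalization a frontend webserver would apply, and emits nginx location blocks where every listed file is passed to PHP and every other .php request gets 403. The "/wp-admin/admin.php" entry (the ticket's example path is ambiguous), the "php" upstream name and the sample request paths are assumptions made for the example.

```python
import json
import posixpath
import re
from urllib.parse import unquote

# Constructed example manifest in the format proposed by the ticket.
# "/index.php" and "/wp-login.php" are the ticket's entries; the
# "/wp-admin/admin.php" entry is an assumption for this example.
EXAMPLE_MANIFEST = {
    "/index.php": {"type": "public"},
    "/wp-login.php": {"type": "public"},
    "/wp-admin/admin.php": {"type": "admin"},
}

PATH_RE = re.compile(r"^(/[^/]+)+$")               # patternProperties key of the schema
ALLOWED_TYPES = ("public", "logged_in", "admin")   # the schema's enum for "type"


def validate_manifest(manifest):
    """Check a decoded manifest against the ticket's schema rules.

    Returns a list of error strings; an empty list means the manifest is valid.
    Implemented by hand so it runs without the python-jsonschema package.
    """
    errors = []
    if not isinstance(manifest, dict):
        return ["manifest must be a JSON object"]
    for key, entry in manifest.items():
        if not PATH_RE.match(key):
            # additionalProperties: false -> keys not matching the pattern are rejected
            errors.append(f"{key!r}: not an absolute path matching {PATH_RE.pattern}")
            continue
        if not isinstance(entry, dict):
            errors.append(f"{key!r}: value must be an object")
            continue
        if "type" not in entry:
            errors.append(f"{key!r}: missing required property 'type'")
        elif entry["type"] not in ALLOWED_TYPES:
            errors.append(f"{key!r}: type {entry['type']!r} not in {ALLOWED_TYPES}")
    return errors


def load_manifest(text):
    """Parse manifest JSON text; raise ValueError listing every schema violation."""
    manifest = json.loads(text)
    errors = validate_manifest(manifest)
    if errors:
        raise ValueError("; ".join(errors))
    return manifest


def canonical_path(request_path):
    """Reduce a request path to the form used as a manifest key, or None if unusable.

    The steps mirror what a reverse proxy does before mapping a URI to a file:
    drop query/fragment, percent-decode, collapse repeated slashes, resolve
    "." and "..". A canonicalization that differs from the webserver's is the
    classic way such allow-lists get bypassed, so keep the two in sync.
    """
    path = request_path.split("?", 1)[0].split("#", 1)[0]
    path = unquote(path)
    if not path.startswith("/") or "\x00" in path:
        return None
    path = re.sub(r"/+", "/", path)
    path = posixpath.normpath(path)  # collapses /./ and /../ segments
    if not PATH_RE.match(path):
        return None
    return path


def lookup(manifest, request_path):
    """Return the manifest type for a request, or None when execution must be denied.

    Default deny, as the ticket proposes: only an exact (case-sensitive) match of
    the canonical path against a manifest key is allowed, so "/INDEX.PHP" and
    "/index.php/extra" (PATH_INFO) are refused unless listed explicitly.
    """
    path = canonical_path(request_path)
    if path is None:
        return None
    entry = manifest.get(path)
    return entry["type"] if entry else None


def render_nginx(manifest):
    """Generate nginx location blocks from a manifest.

    Exact-match locations ("location =") take precedence over regex locations in
    nginx, so each listed file reaches PHP-FPM while the regex catch-all returns
    403 for every other .php request (including "/x.php/..." path-info tricks).
    The upstream name "php" is an assumption.
    """
    lines = []
    for path, entry in sorted(manifest.items()):
        lines.append(f"location = {path} {{")
        lines.append(f"    # manifest type: {entry['type']}")
        if entry["type"] != "public":
            lines.append("    # non-public endpoint: add allow/deny or auth rules here")
        lines.append("    include fastcgi_params;")
        lines.append("    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;")
        lines.append("    fastcgi_pass php;")
        lines.append("}")
    lines.append(r"location ~ \.php(/|$) {")
    lines.append("    return 403;  # default deny for every .php file not in the manifest")
    lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    assert not validate_manifest(EXAMPLE_MANIFEST)
    print(render_nginx(EXAMPLE_MANIFEST))
    for req in ("/index.php", "/wp-config.php", "/wp-admin/..%2Fwp-config.php"):
        print(req, "->", lookup(EXAMPLE_MANIFEST, req))
```

Note that the manifest only says which files may be executed; "logged_in" and "admin" still need enforcement inside WordPress or an extra rule at the proxy, since nginx cannot tell a logged-in user from the path alone. Directory requests such as "/wp-admin/" resolve to "/wp-admin/index.php" via the index directive and are therefore denied unless that file is listed too, which is the intended default-deny behaviour.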
This ticket was discussed in a triage session today.
It was decided to close this ticket as a duplicate of #36177, which is also discussing adding further access/deny rules to WordPress's default configuration.
Feel free to join the discussion on the other ticket.