Make WordPress Core

Opened 6 years ago

Closed 4 years ago

#43459 closed feature request (duplicate)

Provide a "manifest.json" file for exposing information about WordPress endpoints

Reported by: bjne
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:


When hosting WordPress sites, there is a problem knowing which .php files
should be executed directly and which are just included by other apps.

I suggest trying to develop a "manifest.json" (filename open for discussion)
that should live in wp-core and provide an up-to-date reference for configuring
frontend webservers (per-request?).

Currently the practice is mostly to deny access to wp-config.php, but more or
less allow every other endpoint to be executed directly. This is a security concern.

The format should be expandable in the future, but I suggest the following basic
JSON schema:

        {
                "$schema": "",
                "type": "object",
                "description": "wordpress manifest",
                "patternProperties": {
                        "^(/[^/]+)+$": {
                                "type": "object",
                                "properties": {
                                        "type": {
                                                "enum": ["public", "logged_in", "admin"]
                                        }
                                },
                                "required": ["type"]
                        }
                },
                "additionalProperties": false
        }

Which would allow the following initial configuration:

        {
                "/index.php": {
                        "type": "public"
                },
                "/wp-login.php": {
                        "type": "public"
                },
                "/wp-admin/wp-admin-php": {
                        "type": "admin"
                }
        }

Everything not listed in this file should be blacklisted by default.
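
A sketch of how a front end could consume such a manifest, added here as an illustration and not part of the ticket or of WordPress: it checks a manifest against the proposed schema's rules by hand and applies the default-deny lookup to a request path. The role names, the reading of `type` as a minimum role, and the function names are assumptions.

```python
import json
import posixpath
import re

PATH_RE = re.compile(r"^(/[^/]+)+$")      # key pattern from the proposed schema
TYPES = ("public", "logged_in", "admin")  # enum from the proposed schema
# Assumption: "type" names the minimum role that may request the file directly.
REQUIRED = {"public": 0, "logged_in": 1, "admin": 2}
ROLE_RANK = {"anonymous": 0, "logged_in": 1, "admin": 2}  # hypothetical role names

# Constructed sample: the ticket's initial configuration as complete JSON.
SAMPLE = """{
  "/index.php": {"type": "public"},
  "/wp-login.php": {"type": "public"},
  "/wp-admin/wp-admin-php": {"type": "admin"}
}"""

def load_manifest(text):
    """Parse a manifest and enforce the schema's rules without a schema library."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("manifest must be a JSON object")
    for path, entry in data.items():
        # additionalProperties is false, so every key must match the pattern.
        if not PATH_RE.search(path):
            raise ValueError(f"additional property not allowed: {path!r}")
        if not isinstance(entry, dict) or entry.get("type") not in TYPES:
            raise ValueError(f"{path!r}: 'type' is required, one of {TYPES}")
    return data

def is_allowed(manifest, request_path, role="anonymous"):
    """Default deny: only a listed path, requested by a sufficient role, passes."""
    # request_path is the URL path only (no query string). Collapse "." and ".."
    # so the lookup sees the file actually addressed, not the spelling used.
    path = posixpath.normpath("/" + request_path.lstrip("/"))
    entry = manifest.get(path)
    if entry is None:
        return False  # not in the manifest, so never executed directly
    # Unknown roles are treated as anonymous.
    return ROLE_RANK.get(role, 0) >= REQUIRED[entry["type"]]

MANIFEST = load_manifest(SAMPLE)

if __name__ == "__main__":
    for path, role in [("/index.php", "anonymous"), ("/wp-config.php", "admin"),
                       ("/wp-admin/../wp-config.php", "admin")]:
        print(path, role, "allow" if is_allowed(MANIFEST, path, role) else "deny")
```
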

Change History (3)

#1 @pento
5 years ago

  • Version trunk deleted

This ticket was mentioned in Slack in #core by noisysocks.

4 years ago

#3 @peterwilsoncc
4 years ago

  • Component changed from General to Security
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

This ticket was discussed in a triage session today.

It was decided to close this ticket as a duplicate of #36177, which is also discussing adding further access/deny rules to WordPress's default configuration.

Feel free to join the discussion on the other ticket.
