From f702e044f3baf797cb5f878a97a55f08f2bcbce8 Mon Sep 17 00:00:00 2001 From: nbenedek Date: Mon, 22 Aug 2022 20:46:19 +0200 Subject: [PATCH] wordpress: disable readme.html, xmlrpc.php, wp-cron.php Closes: #2244. This patch disabled xmlrpc.php functionality entirely. For interacting with WordPress using app, the new REST API functionality is recommended. However, for the Pingback API XML-RPC is still a necessity. If this is an important feature for FreedomBox users, we intend to re-enable XML-RPC functionality in WordPress. Signed-off-by: nbenedek Reviewed-by: Sunil Mohan Adapa --- .../etc/apache2/conf-available/wordpress-freedombox.conf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/plinth/modules/wordpress/data/etc/apache2/conf-available/wordpress-freedombox.conf b/plinth/modules/wordpress/data/etc/apache2/conf-available/wordpress-freedombox.conf index a55211a21..24ea002c4 100644 --- a/plinth/modules/wordpress/data/etc/apache2/conf-available/wordpress-freedombox.conf +++ b/plinth/modules/wordpress/data/etc/apache2/conf-available/wordpress-freedombox.conf @@ -54,3 +54,8 @@ Alias /wordpress /usr/share/wordpress Require all granted + +# Harden security by following wpscan's suggestions. Issue #2244 + + Deny from All +
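Review bot: the added `Deny from All` line uses the Apache 2.2 access-control syntax, while the context line just above it in the same file uses the 2.4 form `Require all granted`. `Deny` is only available through mod_access_compat, and the Apache documentation discourages mixing the old `Order`/`Allow`/`Deny` directives with `Require`, so `Require all denied` would be the consistent choice here. The comment above the rule points at wpscan and issue #2244 but does not name the files being blocked; the commit subject lists readme.html, xmlrpc.php and wp-cron.php, and repeating those names in the comment would let someone reading the config see the scope without opening the issue. Since wp-cron.php is among them, and WordPress by default triggers scheduled tasks with an HTTP request to that file, it is worth confirming (and noting in the comment) that scheduled tasks are run some other way once this rule is active.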