🔒️ Disable xmlrpc by default (#1467)

retlehs · web-flow · commit d4f46d223e1b · 2023-02-12T14:04:50.000-05:00
diff --git a/group_vars/development/wordpress_sites.yml b/group_vars/development/wordpress_sites.yml
@@ -17,3 +17,5 @@ wordpress_sites:
       provider: self-signed
     cache:
       enabled: false
+    xmlrpc:
+      enabled: false
diff --git a/group_vars/production/wordpress_sites.yml b/group_vars/production/wordpress_sites.yml
@@ -19,3 +19,5 @@ wordpress_sites:
       provider: letsencrypt
     cache:
       enabled: false
+    xmlrpc:
+      enabled: false
diff --git a/group_vars/staging/wordpress_sites.yml b/group_vars/staging/wordpress_sites.yml
@@ -19,3 +19,5 @@ wordpress_sites:
       provider: letsencrypt
     cache:
       enabled: false
+    xmlrpc:
+      enabled: false
diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2
@@ -174,6 +174,14 @@ server {
   }
   {% endblock %}
 
+  {% block disable_xmlrpc -%}
+    {% if item.value.xmlrpc.enabled is defined and item.value.xmlrpc.enabled == false %}
+      location ~* xmlrpc\.php$ {
+        return 444;
+      }
+    {% endif %}
+  {% endblock %}
+
   {% block h5bp -%}
   {% if h5bp_cache_file_descriptors_enabled -%}
   include h5bp/directive-only/cache-file-descriptors.conf;
