Opened 2 years ago
Last modified 14 months ago
#43459 new feature request
Provide a "manifest.json" file for exposing information about wordpress endpoints
| Reported by: | bjne | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | General | Keywords: | |
| Focuses: | | Cc: | |
Description
When hosting wordpress sites, there is a problem knowing which .php files
should be executed directly and which are just included by other apps.
I suggest trying to develop a "manifest.json" (filename open for discussion)
that should live in wp-core and provide an up-to-date reference for configuring
frontend webservers (per-request?).
Currently the practice is mostly to deny access to wp-config.php, but more or
less allow every other endpoint to be executed directly. This is a security concern.
The format should be expandable in the future, but I suggest the following basic
json schema:
```json
{
  "$schema": "http://json-schema.org/draft-06/schema#",
  "type": "object",
  "description": "wordpress manifest",
  "patternProperties": {
    "^(/[^/]+)+$": {
      "type": "object",
      "properties": {
        "type": { "enum": ["public", "logged_in", "admin"] }
      },
      "required": ["type"]
    }
  },
  "additionalProperties": false
}
```
Which would allow the following initial configuration:
```json
{
  "/index.php": { "type": "public" },
  "/wp-login.php": { "type": "public" },
  "/wp-admin/wp-admin-php": { "type": "admin" }
}
```
Everything not listed in this file should be blacklisted by default.
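As an added illustration (not code from the ticket or from WordPress), the following script validates a manifest against the proposed schema by hand, applies the default-deny rule to a request path, and emits an nginx-style allow-list; the sample paths and the `php_backend` upstream name are assumptions.

```python
import json
import posixpath
import re

# Constructed sample in the ticket's format; the paths are assumptions.
SAMPLE_MANIFEST = """
{
  "/index.php": {"type": "public"},
  "/wp-login.php": {"type": "public"},
  "/wp-admin/admin.php": {"type": "admin"}
}
"""

PATH_RE = re.compile(r"^(/[^/]+)+$")             # the patternProperties key
ALLOWED_TYPES = ("public", "logged_in", "admin")  # the "type" enum


def validate_manifest(manifest):
    """Check the ticket's schema by hand; returns a list of error strings."""
    if not isinstance(manifest, dict):
        return ["manifest must be a JSON object"]
    errors = []
    for path, entry in manifest.items():
        if not PATH_RE.match(path):
            errors.append(f"{path!r}: key must be an absolute path")
        elif not isinstance(entry, dict) or "type" not in entry:
            errors.append(f"{path!r}: entry needs a 'type'")
        elif entry["type"] not in ALLOWED_TYPES:
            errors.append(f"{path!r}: unknown type {entry['type']!r}")
    return errors

def load_manifest(text):
    """Parse manifest JSON and reject it on any schema violation."""
    manifest = json.loads(text)
    errors = validate_manifest(manifest)
    if errors:
        raise ValueError("; ".join(errors))
    return manifest

def is_allowed(manifest, request_path):
    """Default-deny: collapse '.'/'..' segments, then require an exact listing."""
    return posixpath.normpath(request_path) in manifest

def nginx_rules(manifest, upstream="php_backend"):
    """Emit an allow-list; 'upstream' is a placeholder fastcgi_pass target."""
    rules = [f"location = {p} {{ fastcgi_pass {upstream}; }}  # {e['type']}"
             for p, e in sorted(manifest.items())]
    rules.append("location ~ \\.php$ { return 403; }  # everything else")
    return "\n".join(rules)
```

The `type` values are only carried through as comments here; enforcing `logged_in` or `admin` at the webserver would need an authentication signal the ticket does not yet define.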