fix: harden wordpress edge exposure

This commit is contained in:
bisco
2026-06-25 22:57:43 +02:00
parent 02e05ec3b6
commit 82ae9eaae4
11 changed files with 91 additions and 7 deletions
+1
View File
@@ -101,6 +101,7 @@ test("protects the edge and exposes the WordPress admin", async ({ page, request
expect((await request.get("/xmlrpc.php")).status()).toBe(403);
expect((await request.get("/.env")).status()).toBe(404);
expect((await request.get("/wp-config.php")).status()).toBe(404);
expect((await request.get("/wp-content/uploads/probe.php")).status()).toBe(403);
expect((await request.get("/wp-json/wp/v2/users")).status()).toBe(404);
await page.goto("/wp-admin/");
+28
View File
@@ -0,0 +1,28 @@
#!/bin/sh
set -eu
compose_file="${1:-/workspace/docker-compose.yml}"
awk '
/^[[:space:]]{2}wordpress:/ {
in_wordpress = 1
next
}
in_wordpress && /^[[:space:]]{2}[A-Za-z0-9_-]+:/ {
in_wordpress = 0
}
in_wordpress && /^[[:space:]]{4}ports:/ {
print "The wordpress service must not publish host ports; route traffic through proxy only." > "/dev/stderr"
exit 1
}
' "$compose_file"
grep -q 'azionelab-apache-hardening.conf' /workspace/wordpress/Dockerfile || {
echo "The WordPress image must install Apache hardening rules." >&2
exit 1
}
grep -q 'wp-content/(uploads|files)' /workspace/wordpress/apache-hardening.conf || {
echo "Apache hardening must block PHP execution below uploads/files." >&2
exit 1
}