From d4f46d223e1b57b11b2887bc50db2bb04361b882 Mon Sep 17 00:00:00 2001
From: Ben Word
Date: Sun, 12 Feb 2023 13:04:50 -0600
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=EF=B8=8F=20Disable=20xmlrpc=20by?= =?UTF-8?q?=20default=20(#1467)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 group_vars/development/wordpress_sites.yml | 2 ++
 group_vars/production/wordpress_sites.yml | 2 ++
 group_vars/staging/wordpress_sites.yml | 2 ++
 roles/wordpress-setup/templates/wordpress-site.conf.j2 | 8 ++++++++
 4 files changed, 14 insertions(+)
diff --git a/group_vars/development/wordpress_sites.yml b/group_vars/development/wordpress_sites.yml
index 90009265e2..4a9f1d6f3b 100644
--- a/group_vars/development/wordpress_sites.yml
+++ b/group_vars/development/wordpress_sites.yml
@@ -17,3 +17,5 @@ wordpress_sites:
 provider: self-signed
 cache:
 enabled: false
+ xmlrpc:
+ enabled: false
diff --git a/group_vars/production/wordpress_sites.yml b/group_vars/production/wordpress_sites.yml
index e8a875d1ca..fc94943c51 100644
--- a/group_vars/production/wordpress_sites.yml
+++ b/group_vars/production/wordpress_sites.yml
@@ -19,3 +19,5 @@ wordpress_sites:
 provider: letsencrypt
 cache:
 enabled: false
+ xmlrpc:
+ enabled: false
diff --git a/group_vars/staging/wordpress_sites.yml b/group_vars/staging/wordpress_sites.yml
index 054770ea7a..bf588be06b 100644
--- a/group_vars/staging/wordpress_sites.yml
+++ b/group_vars/staging/wordpress_sites.yml
@@ -19,3 +19,5 @@ wordpress_sites:
 provider: letsencrypt
 cache:
 enabled: false
+ xmlrpc:
+ enabled: false
diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2
index d17f999c6a..b26085cbc3 100644
--- a/roles/wordpress-setup/templates/wordpress-site.conf.j2
+++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2
@@ -174,6 +174,14 @@ server {
 }
 {% endblock %}
+ {% block disable_xmlrpc -%}
+ {% if item.value.xmlrpc.enabled is defined and item.value.xmlrpc.enabled == false %}
+ location ~* xmlrpc\.php$ {
+ return 444;
+ }
+ {% endif %}
+ {% endblock %}
+
 {% block h5bp -%}
 {% if h5bp_cache_file_descriptors_enabled -%}
 include h5bp/directive-only/cache-file-descriptors.conf;
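Review bot: The `{% if %}` guard in the new `disable_xmlrpc` block fails open: the `location ~* xmlrpc\.php$` rule is rendered only when `xmlrpc.enabled` is explicitly defined and equal to `false`. An existing site whose `wordpress_sites.yml` entry has no `xmlrpc` key therefore keeps the endpoint reachable after upgrading, even though the commit title says it is disabled by default. Treating a missing key as disabled closes that gap, for example `{% if not (item.value.xmlrpc.enabled | default(false) | bool) %}`, which would also cover a quoted `"false"`; this assumes an Ansible version where a chained undefined attribute resolves to undefined rather than raising. Separately, nginx uses the first matching regex location in file order, so it is worth confirming that no `\.php$` location precedes this block. The `server` block starts and ends outside the hunk, so that ordering cannot be checked from here.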