Skip to content

Wordpress README Update #18

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
palmcoasty wants to merge 1 commit into
base: main
Choose a base branch
from
+17 −8
Open

Wordpress README Update #18

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 17 additions & 8 deletions templates/wordpress/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,38 +1,47 @@
# WordPress Template

## Overview

Provision a curated BunkerWeb configuration for WordPress. This template ships sensible defaults for TLS, reverse proxying, request throttling, crawler whitelisting, and CRS exclusions tuned for WordPress traffic so you can get a secure site online quickly.

## Prerequisites
## ⚠️ Disclaimer – REST API Not Working in Standard Config

The REST API is **disabled by default** to avoid opening an unnecessary attack vector. Most WordPress installations do not require it, so this is intentional.

To enable the REST API, add `PUT` and `DELETE` to the `ALLOWED_METHODS` field in your configuration:

**Default (REST API disabled):**
```
"ALLOWED_METHODS": "GET|POST|HEAD|OPTIONS"
```

**Updated (REST API enabled):**
```
"ALLOWED_METHODS": "GET|POST|HEAD|OPTIONS|PUT|DELETE"
```

## Prerequisites
- A running WordPress upstream accessible on your network (for example a container named `mywp`).
- The BunkerWeb UI or the ability to edit multisite settings directly.
- Domain name(s) that will serve the WordPress instance.

## Files

- `template.json` – BunkerWeb template definition containing default settings, configs, and guided steps.
- `configs/modsec/wordpress_false_positives.conf` – ModSecurity CRS tuning for WordPress admin, cron, and XML-RPC traffic.

## Setup

1. **Import the template**
- *UI import (recommended)*: open the BunkerWeb `Templates` page, click **Create new template**, switch to
**Raw** mode, paste the contents of `template.json`, and save.
- *Plugin bundle*: copy the entire `wordpress/` directory into your plugins `templates/` folder.
- *Plugin bundle*: copy the entire `wordpress/` directory into your plugin's `templates/` folder.
2. **Assign the template** to your WordPress service via the easy-mode UI or by setting `USE_TEMPLATE=wordpress`.
3. **Customize the settings** highlighted in the template steps (domains, upstream host, TLS options).
4. **Reload the service** and verify WordPress loads through BunkerWeb.

## Customization Tips

- Update `REVERSE_PROXY_HOST` to the URL of your WordPress upstream (e.g. `http://wordpress:80`).
- Adjust `MAX_CLIENT_SIZE` if you need to support larger media uploads.
- Tune `LIMIT_REQ_RATE` or change the protected `LIMIT_REQ_URL` (defaults to `/`) if you want to rate-limit only `wp-login.php` or `xmlrpc.php`.
- Add or prune domains in `WHITELIST_RDNS` if you want to control which crawlers bypass security checks.
- Disable the XML-RPC relaxations in `configs/modsec/wordpress_false_positives.conf` if your installation does not require XML-RPC.

## Validation

Run `jq . template.json` to confirm the JSON definition is valid before importing via the UI.