WordPress + secure connections

Caddy Version: v2.0.0-rc.2 h1:7NOaxYrsnQ5D3rcLGn2UnLZHLfBpgrfM/JNTLhjCJ1c=
Ubuntu Server 16.04
PHP 7.3.X

I found some issues with your Caddyfile in Caddy v2. For example, if you change “Permalink Settings” to an option other than “Plain”, you get this error when opening a post:


Example: https://example.com/index.php/2020/04/hello-world/

Another case that gives the same result as the previous one is to write a route that does not exist:
Example: https://example.com/jrughwruhwruirwh

You should do a redirect to the domain path instead of staying on that path and saying “Secure Connection Failed”.

Hey Daniel, welcome –

That error is generated by the web browser (the client), not by Caddy. I’m not familiar with WordPress so I can’t really help here, but if you post more details about your configuration of Caddy and WordPress and the full log output from Caddy, maybe someone here can help you!

Caddy Update: v2.0.0-rc.3 h1:z2H/QnaRscip6aZJxwTbghu3zhC88Vo8l/K57WUce4Q=

This code is related to Caddy v1:

rewrite {
    if {path} not_match ^\/wp-admin
    to {path} {path}/ /index.php?{query}
}

In short, my problem is to pass that correctly to Caddy v2.

It’s really easier to use Caddy2 with WordPress.

Here is all you need:

voiretmanger.fr {
	root * /var/www/voiretmanger.fr
	php_fastcgi unix//run/php/php7.4-fpm-caddy.sock
	file_server
}

These rewrite lines are not necessary anymore, since the command php_fastcgi does everything for you.

Of course, you will have to change the domain name, root and probably the unix path for php-fpm.

2 Likes

Yep, it works, but it doesn't protect the URLs /wp-content/uploads/ and /wp-includes/ from executing .php files. I tested these 2 sentences in the Caddyfile without success:

	respond /uploads/*.php 404
	#respond /wp-content\/uploads\/(.*)\.php 400

If you’re trying to protect /wp-content/uploads/, then you should do:

respond /wp-content/uploads/*.php 404

3 Likes

To be clear, WordPress’ own upload functionality does not allow for PHP files to be uploaded.

That means you only require this protection if you run untrustworthy plugins that allow other methods of uploading files, in which case you may find those files are not necessarily neatly placed within /wp-content/uploads/, which might make this line of defense useless anyway.

¯\_(ツ)_/¯

3 Likes

Yes now it works perfectly

You’re right, but prevention is better than cure later :wink:

[Caddyfile config for Wordpress - Caddy v2]

Solution to the problem:

example.com {
	root * /var/www/wordpress
	php_fastcgi unix//run/php/php7.4-fpm.sock
	# Prevent malicious PHP uploads from running
	respond /wp-content/uploads/*.php 404
	encode gzip
	file_server
}

Thanks to @nicolinux and @francislavoie for help

4 Likes
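A coverage check for the deny rule in the solution above, added here as an example; it is not code from the thread or from Caddy. It assumes that a path pattern with `*` in the middle is matched with Go glob semantics (`path.Match`, where `*` does not cross `/`); the sample paths, the regular expression and all function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
)

// globBlocks models a deny rule whose pattern has "*" in the middle.
// Assumption: such patterns follow Go glob semantics (path.Match),
// where "*" never matches across a "/" separator.
func globBlocks(pattern, reqPath string) bool {
	ok, _ := path.Match(pattern, reqPath)
	return ok
}

// uploadsPHP is a constructed alternative: any path below /wp-content/uploads/
// ending in .php, at any depth (in a Caddyfile: a named path_regexp matcher).
var uploadsPHP = regexp.MustCompile(`^/wp-content/uploads/.*\.php$`)

func regexBlocks(reqPath string) bool { return uploadsPHP.MatchString(reqPath) }

// mismatches returns every path whose outcome differs from want.
func mismatches(paths []string, blocks func(string) bool, want bool) []string {
	var out []string
	for _, p := range paths {
		if blocks(p) != want {
			out = append(out, p)
		}
	}
	return out
}

// Constructed request paths: reject the first set, leave the second alone.
var mustBlock = []string{
	"/wp-content/uploads/upload.php",
	"/wp-content/uploads/2020/04/upload.php", // default year/month folders
}
var mustAllow = []string{
	"/wp-admin/index.php",
	"/wp-content/uploads/2020/04/photo.jpg",
	"/wp-content/uploads/2020/04/notes.php.txt",
}

func main() {
	glob := func(p string) bool { return globBlocks("/wp-content/uploads/*.php", p) }
	fmt.Println("glob, not blocked: ", mismatches(mustBlock, glob, true))
	fmt.Println("glob, overblocked: ", mismatches(mustAllow, glob, false))
	fmt.Println("regex, not blocked:", mismatches(mustBlock, regexBlocks, true))
	fmt.Println("regex, overblocked:", mismatches(mustAllow, regexBlocks, false))
}
```

Under that assumption the glob form covers only files directly inside `/wp-content/uploads/`, so a request to the live site for a `.php` path inside a year/month folder is the check that confirms whether the deployed rule returns 404 there.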

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.