Wordpress + secure connections

Caddy Version: v2.0.0-rc.2 h1:7NOaxYrsnQ5D3rcLGn2UnLZHLfBpgrfM/JNTLhjCJ1c=
Ubuntu Server 16.04
PHP 7.3.X

I found some insures with your Caddyfile in Caddy v2, for example if you change “Permalink Settings” with a different option as “Plain” you get this error when open a post:

Exemple: https://example.com/index.php/2020/04/hello-world/

Another case that gives the same result as the previous one is to write a route that does not exist:
Exemple: https://example.com/jrughwruhwruirwh

You should do a redirect to the domain path instead of staying on that path and say “Secure Connection Failed”

Hey Daniel, welcome –

That error is generated by the web browser (the client), not by Caddy. I’m not familiar with WordPress so I can’t really help here, but if you post more details about your configuration of Caddy and WordPress and the full log output from Caddy, maybe someone here can help you!

Caddy Update: v2.0.0-rc.3 h1:z2H/QnaRscip6aZJxwTbghu3zhC88Vo8l/K57WUce4Q=

This code is related to Caddy v1:

rewrite {
    if {path} not_match ^\/wp-admin
    to {path} {path}/ /index.php?{query}

In short my problem is to pass that correctly to Caddy v2

It’s really easier to use Caddy2 with WordPress.

Here is all you need :

voiretmanger.fr {
	root * /var/www/voiretmanger.fr
	php_fastcgi unix//run/php/php7.4-fpm-caddy.sock

These rewrite lines are not necessary anymore, since the command php_fastcgi does everything for you.

Of course, you will have to change the domain name, root and probably the unix path for php-fpm.


Yep,woks but don´t protect url /wp-content/uploads/ and /wp-includes/ to execute .php files. I test this 2 sentences in Caddyfile without success:

	respond /uploads/*.php 404
	#respond /wp-content\/uploads\/(.*)\.php 400

If you’re trying to protect /wp-content/uploads/, then you should do:

respond /wp-content/uploads/*.php 404

To be clear, WordPress’ own upload functionality does not allow for PHP files to be uploaded.

That means you only require this protection if you run untrustworthy plugins that allow other methods of uploading files, in which case you may find those files are not necessarily neatly placed within /wp-content/uploads/, which might make this line of defense useless anyway.



Yes now it works perfectly

You’re right, but prevention is better than cure later :wink:

[Caddyfile config for Wordpress - Caddy v2]

Solution to the problem:

      example.com {
        	root * /var/www/wordpress
        	php_fastcgi unix//run/php/php7.4-fpm.sock
        	# Prevent malicious PHP uploads from running
        	respond /wp-content/uploads/*.php 404
        	encode gzip

Thanks to @nicolinux and @francislavoie for help


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.