Restricting the REST API when the `site_url` is different from the `home_url`

Hello, I am encountering an issue with restricting the REST API when the `site_url` is different from the `home_url`.

My project has a specific structure (https://roots.io/bedrock/) where WordPress is located in `/wp`. During the verification of `crb_get_rest_path()` and `CRB_Request::get_relative_path()`, it fails to account for `/wp` being in a different location. As a result, the verification is incorrect, and the REST API remains accessible.

Can you help me?

Best,

Hi! We’re happy to assist with this interesting issue. However, please note that it might take a bit of time to sort this out since it involves modifying the core of the plugin. If I understand correctly, the “WordPress Address (URL)” and “Site Address (URL)” settings contain different subfolders. Is that correct?

Hi Nick,

WordPress Address (URL) is https://www.siteurl.fr and
Site Address (URL) is https://www.siteurl.fr/wp

Could you confirm that your WordPress files are located in the root folder of your website, but the website itself is accessible via https://www.siteurl.fr/wp? It’s important because such a configuration looks non-standard.

www.siteurl.fr/wp is not accessible. Only the URL without “wp” is accessible.

The structure is here: https://roots.io/bedrock/

Running WP Cerber on Bedrock is an interesting case worth investigating. Please give us some time to deploy our own staging server for testing.

Hi,

Were you able to investigate?

We don’t have a solution yet. If you have any insights into the cause or a possible fix, you can share them with us to speed up the process.
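
A model of the mismatch described in the first post, added here as an example; it is not WP Cerber's code and not from any participant in the thread. WordPress builds REST URLs from the home URL (`get_rest_url()` calls `get_home_url()`), so a request matcher that takes its base path from the site URL misses `/wp-json` when core lives in `/wp`. The URLs, constants and function names below are constructed for illustration.

```php
<?php
// Constructed values modelling a Bedrock-style install (not taken from the thread).
const HOME_URL    = 'https://example.test';     // what get_home_url() would return
const SITE_URL    = 'https://example.test/wp';  // what get_site_url() would return
const REST_PREFIX = 'wp-json';                  // WordPress default REST URL prefix

// Path component of a URL without a trailing slash ('' for the web root).
function url_base_path(string $url): string {
    return rtrim((string) parse_url($url, PHP_URL_PATH), '/');
}

// Request path relative to $base_url, or null when the request lies outside that base.
function relative_path(string $request_uri, string $base_url): ?string {
    $path = (string) parse_url($request_uri, PHP_URL_PATH);
    $base = url_base_path($base_url);
    if ($base === '') {
        return ltrim($path, '/');
    }
    // Compare on a segment boundary so that "/wp" does not match "/wp-json".
    if ($path === $base || strpos($path, $base . '/') === 0) {
        return ltrim(substr($path, strlen($base)), '/');
    }
    return null;
}

// True when the request targets the pretty-permalink REST endpoint under $base_url.
function is_rest_request(string $request_uri, string $base_url): bool {
    $rel = relative_path($request_uri, $base_url);
    if ($rel === null) {
        return false;
    }
    return $rel === REST_PREFIX || strpos($rel, REST_PREFIX . '/') === 0;
}

// Constructed sample requests: two REST calls, one core file, one look-alike path.
$requests = ['/wp-json/wp/v2/users', '/wp-json', '/wp/wp-login.php', '/blog/wp-json-notes'];
foreach ($requests as $uri) {
    printf("%-24s site_url base: %-3s  home_url base: %s\n", $uri,
        is_rest_request($uri, SITE_URL) ? 'yes' : 'no',
        is_rest_request($uri, HOME_URL) ? 'yes' : 'no');
}
```

With the site URL as base, neither REST request is recognised, so a restriction keyed on that check never fires; with the home URL as base both are. The sketch covers only the pretty-permalink form, so `?rest_route=` requests need their own check.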