From c9bed8e996c903e0b27cd39e51b5ddef3c3526bb Mon Sep 17 00:00:00 2001
From: Grant Slater <github@firefishy.com>
Date: Thu, 20 Nov 2025 00:34:15 +0000
Subject: [PATCH] wordpress: Block public wp-json API

---
 cookbooks/wordpress/templates/default/apache.erb | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/cookbooks/wordpress/templates/default/apache.erb b/cookbooks/wordpress/templates/default/apache.erb
index b15ec55d9..23ef7c14f 100644
--- a/cookbooks/wordpress/templates/default/apache.erb
+++ b/cookbooks/wordpress/templates/default/apache.erb
@@ -59,6 +59,14 @@
   </Directory>
 <% end -%>
 
+  <LocationMatch "^/wp-json/wp/v2/users.*$">
+    # Allowed IPs
+    Require ip 127.0.0.1 ::1
+
+    # Deny everything else
+    Require all denied
+  </LocationMatch>
+
   <Directory <%= @directory %>>
     RewriteEngine on
 
-- 
2.39.5