Merge branch 'upgrade-wp-6.7' into demo

helm_deploy/wordpress/templates/ingress.yaml

@@ -20,10 +20,70 @@ metadata:
       SecRule REQUEST_HEADERS:Cookie "@contains WB_CONFIG={{ .Values.secrets.wbconfig }}"
         "id:1001,\
         phase:2,\
-        allow,\
-        tag:github_team=hale-platform,\
-        tag:environment=hale-platform-{{ .Values.configmap.envtype }}-auth,\
-        ctl:ruleEngine=DetectionOnly"
+        pass,\
+        nolog,\
+         ctl:ruleRemoveById=932110,\
+         ctl:ruleRemoveById=932130,\
+         ctl:ruleRemoveById=941180,\
+         ctl:ruleRemoveById=921110
+      # Limit ModSecurity excemptions to only the options page - these rules were breaking the hale components plugin
+      SecRule REQUEST_URI "@contains /wp-admin/options.php" \
+        "id:1002,\
+        phase:2,\
+        pass,\
+        nolog,\
+         ctl:ruleRemoveById=921130,\
+         ctl:ruleRemoveById=941100,\
+         ctl:ruleRemoveById=941140,\
+         ctl:ruleRemoveById=941160
+      # Limit ModSecurity excemptions to only the WP API
+      SecRule REQUEST_URI "@contains /wp-json/" \
+        "id:1003,\
+        phase:2,\
+        pass,\
+        nolog,\
+        ctl:ruleRemoveById=921110,\
+        ctl:ruleRemoveById=932100,\
+        ctl:ruleRemoveById=932105,\
+        ctl:ruleRemoveById=932110,\
+        ctl:ruleRemoveById=932130,\
+        ctl:ruleRemoveById=933210,\
+        ctl:ruleRemoveById=933160,\
+        ctl:ruleRemoveById=941100,\
+        ctl:ruleRemoveById=941110,\
+        ctl:ruleRemoveById=941130,\
+        ctl:ruleRemoveById=941140,\
+        ctl:ruleRemoveById=941160,\
+        ctl:ruleRemoveById=941180,\
+        ctl:ruleRemoveById=941300,\
+        ctl:ruleRemoveById=941310,\
+        ctl:ruleRemoveById=942230,\
+        ctl:ruleRemoveById=942320"  
+      # Limit ModSecurity excemptions to the wp-admin/post.php endpoint
+      SecRule REQUEST_URI "@contains /wp-admin/post.php" \
+        "id:1004,\
+        phase:2,\
+        pass,\
+        nolog,\
+        ctl:ruleRemoveById=921110,\
+        ctl:ruleRemoveById=941100,\
+        ctl:ruleRemoveById=941160"
+      # Limit ModSecurity excemptions to the wp-admin/nav-menus.php endpoint
+      SecRule REQUEST_URI "@contains /wp-admin/nav-menus.php" \
+        "id:1005,\
+        phase:2,\
+        pass,\
+        nolog,\
+        ctl:ruleRemoveById=921110"
+      # Limit ModSecurity excemptions to the wp-admin/admin-ajax.php endpoint
+      SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
+        "id:1006,\
+        phase:2,\
+        pass,\
+        nolog,\
+        ctl:ruleRemoveById=921110,\
+        ctl:ruleRemoveById=941100,\
+        ctl:ruleRemoveById=941160"
     {{- if eq .Values.configmap.envtype "staging" }}
       SecRule REMOTE_ADDR "@ipMatch 80.195.27.199/32" "phase:2,id:200000001,nolog,allow"
     {{- end }}
@@ -76,9 +136,11 @@ metadata:
 spec:
   ingressClassName: modsec
   tls:
+{{- if not (eq .Values.configmap.envtype "prod") }}
   - hosts:
     - {{ .Values.domain }}
     secretName: websitebuilder-{{ .Values.configmap.envtype }}-cert
+{{- end }}
 {{- if eq .Values.configmap.envtype "prod" }}
   {{- range .Values.ingress.hosts }}
   - hosts:

helm_deploy/wordpress/values.yaml

@@ -244,10 +244,14 @@ ingress:
       certName: swoti-cert
     - name: seewhatsontheinside.co.uk
       certName: swoti-uk-cert
+    - name: showcase.websitebuilder.service.justice.gov.uk
+      certName: websitebuilder-showcase-cert
     - name: sifocc.org
       certName: sifocc-cert
     - name: victimandwitnessinformation.org.uk
       certName: victimandwitnessinformation-cert
+    - name: victimscommissioner.org.uk
+      certName: victimscommissioner-cert
     - name: victimscode.org.uk
       certName: victimscode-cert
     - name: websitebuilder.service.justice.gov.uk

wordpress.dockerfile

@@ -6,7 +6,7 @@
 
 # Build multisite
 # Latest images at https://hub.docker.com/_/wordpress
-FROM --platform=linux/amd64 wordpress:6.6.2-php8.3-fpm-alpine
+FROM --platform=linux/amd64 wordpress:6.7.0-php8.3-fpm-alpine
 
 # Install additional Alpine packages
 RUN apk update && \