UPDATE - PUT and DELETE Requests
PUT
and DELETE
requests are no longer blocked on Nginx servers by default, however, you may still need to configure the dav_methods
outlined in this article for your website if the requires them.
Introduction
Modern servers do not allow for PUT
or DELETE
requests to be available by default.
On Nginx, these aren’t even possible actions within the core HTTP module. To allow PUT
and DELETE
requests on Nginx, you need to compile in an extra module and make changes for each site.
The lead developers of WordPress are aware that most servers don’t allow these methods, and so they have built an override method into the REST API to take this into account.
The REST API allows all CRUD (Create, Read, Update, and Delete) operations available via PUT
DELETE
(and alsoPATCH
) to be carried out by either passing the method in the request as a query parameter or using a specific header containing the method:
Using the ?_method={HTTP_VEBR}
query parameter method override:
http POST /wp-json/wp/v2/posts/42?_method=DELETE
Using the X-HTTP-Method-Override
header method override:
http POST /wp-json/wp/v2/posts/42 Host: example.com X-HTTP-Method-Override: DELETE
This way, ALL insecure WP-API CRUD actions can be achieved using POST requests, and your servers can be securely locked down to POST
GET
HEAD
PURGE
methods.
On GridPane, making use of the REST API also allows for our 6G/7G firewalls to be enabled with no conflicts, allowing for even further security.
Configuring Nginx to Accept PUT Requests
Below we’ll look at how to activate PUT
requests on your website, which some plugins sometimes require, for example, some WooCommerce plugins require it for updating a website’s database via API.
If you also require the DELETE
and/or PATCH
verbs, please see this article to compare the code blocks in steps 2 and 3 and customise as required:
Special Note For 6G and 7G WAF Users
If you use the 6G or 7G WAF you'll also need to create an exclusion for "bad-methods". The easiest way to do this is inside the security tab, or you can run the following command (switching out site.url for your domain name):
gp site site.url 6g -bad-methods off
gp site site.url 7g -bad-methods offFull documentation can be found here: -
1. 6G WAF
2. 7G WAF
Step 1. SSH into your server
Please see the following article to get started:
Step 1. Generate your SSH Key
Step 2. Add your SSH Key to GridPane (also see Add default SSH Keys)
Step 3. Connect to your server by SSH as Root user (we like and use Termius)
Step 2. Create a root level conf file for these verbs
The easiest way to do this is by using nano and adding the file directly on the server like this (make sure to replace example.com with your own domain):
nano /var/www/example.com/nginx/http-verbs-root-context.conf
Now inside the nano editor, add into the file this line using:
dav_methods PUT;
Once complete, CTRL + O, and then Enter save the file, and then exit nano with CTRL+X.
Step 3. Add the verbs to the “more_set_headers” directive
Next, nano to the config file with the following command:
nano /etc/nginx/extra.d/headers-http-context.conf
Add PUT
to the more_set_headers allow
directive and into the if
guard block. The config file should look like this:
more_set_headers "allow: GET, POST, HEAD, PURGE, PUT" always; if ($request_method !~ ^(GET|POST|HEAD|PURGE|PUT)$) { return 405; }
Once complete, CTRL + O, and then Enter save the file, and then exit nano with CTRL+X.
Step 4. Ensure our changes persist
Next, create the _custom directory and place a copy of the file you just edited in there:
mkdir -p /etc/nginx/extra.d/_custom && cp /etc/nginx/extra.d/headers-http-context.conf /etc/nginx/extra.d/_custom/headers-http-context.conf
This will ensure that our changes persist, and aren’t overwritten at a later date.
Step 5. Check and reload Nginx
Check the Nginx syntax with:
nginx -t
If there are no errors, then run:
gp ngx reload
You’re all set! Now you just need to check your work and ensure that your plugin is working correctly.