PUT Requests for the WooCommerce API and Other Plugins
Introduction
For security reasons, modern servers do not make PUT or DELETE requests available by default.
On Nginx, these aren’t even possible actions within the core HTTP module. To allow PUT and DELETE requests on Nginx, you need to compile in an extra module and make changes for each site.
The lead developers of WordPress are aware that most servers don’t allow these methods, and so they have built an override method into the REST API to take this into account.
The REST API allows all CRUD (Create, Read, Update, and Delete) operations available via PUT, DELETE (and also PATCH) to be carried out by either passing the method in the request as a query parameter or using a specific header containing the method:
Using the ?_method={HTTP_VERB} query parameter method override:
POST /wp-json/wp/v2/posts/42?_method=DELETE
Using the X-HTTP-Method-Override header method override:
POST /wp-json/wp/v2/posts/42
Host: example.com
X-HTTP-Method-Override: DELETE
This way, ALL insecure WP-API CRUD actions can be achieved using POST requests, and your servers can be securely locked down to the POST, GET, HEAD, and PURGE methods.
On GridPane, making use of the REST API also allows for our 6G/7G firewalls to be enabled with no conflicts, allowing for even further security.
Configuring Nginx to Accept PUT Requests
Below we’ll look at how to activate PUT requests on your website, which some plugins require. For example, some WooCommerce plugins require it for updating a website’s database via API.
If you also require the DELETE and/or PATCH verbs, please see this article to compare the code blocks in steps 2 and 3 and customise as required:
Special Note For 6G and 7G WAF Users
If you use the 6G or 7G WAF you'll also need to create an exclusion for "bad-methods". The easiest way to do this is inside the security tab, or you can run the following command (switching out site.url for your domain name):
gp site site.url 6g -bad-methods off
gp site site.url 7g -bad-methods off
Full documentation can be found here:
1. 6G WAF
2. 7G WAF
Step 1. SSH into your server
Please see the following article to get started:
Generate your SSH Key:
Generate SSH Key on Windows with Putty
Generate SSH Key on Windows with Windows Subsystem for Linux
Generate SSH Key on Windows with Windows CMD/PowerShell
Add your SSH Key to GridPane:
Add/Remove an SSH Key to/from an Active GridPane Server
Connect to your server:
Step 2. Create a root level conf file for these verbs
The easiest way to do this is by using nano and adding the file directly on the server like this (make sure to replace example.com with your own domain):
nano /var/www/example.com/nginx/http-verbs-root-context.conf
Now, inside the nano editor, add this line to the file:
dav_methods PUT;
Once complete, press CTRL+O and then Enter to save the file, and then exit nano with CTRL+X.
Step 3. Add the verbs to the “more_set_headers” directive
Next, open the config file in nano with the following command:
nano /etc/nginx/extra.d/headers-http-context.conf
Add PUT to the more_set_headers allow directive and into the if guard block. The config file should look like this:
more_set_headers "allow: GET, POST, HEAD, PURGE, PUT" always;
if ($request_method !~ ^(GET|POST|HEAD|PURGE|PUT)$) {
    return 405;
}
Once complete, press CTRL+O and then Enter to save the file, and then exit nano with CTRL+X.
Step 4. Ensure our changes persist
Next, create the _custom directory and place a copy of the file you just edited in there:
mkdir -p /etc/nginx/extra.d/_custom && cp /etc/nginx/extra.d/headers-http-context.conf /etc/nginx/extra.d/_custom/headers-http-context.conf
This will ensure that our changes persist, and aren’t overwritten at a later date.
Step 5. Check and reload Nginx
Check the Nginx syntax with:
nginx -t
If there are no errors, then run:
gp ngx reload
You’re all set! Now you just need to check your work and ensure that your plugin is working correctly.
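Step 3 edits the method list in two places, and a verb added to only one of them leaves the header advertising a method the guard still answers with 405. The script below is an added example, not part of GridPane's tooling: it compares the two lists in a config file. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not GridPane tooling: confirms the Step 3 edit reached BOTH
# the "allow" header and the 405 guard, which must list the same methods.

# Methods advertised by: more_set_headers "allow: GET, POST, ..." always;
allow_header_methods() {
    sed -n 's/.*more_set_headers[[:space:]]*"[Aa]llow:[[:space:]]*\([^"]*\)".*/\1/p' "$1" \
        | tr ',' '\n' | tr -d ' \t' | sed '/^$/d' | sort -u
}

# Methods accepted by: if ($request_method !~ ^(GET|POST|...)$) { return 405; }
guard_methods() {
    sed -n '/request_method/s/.*(\(.*\))[$].*/\1/p' "$1" \
        | tr '|' '\n' | tr -d ' \t' | sed '/^$/d' | sort -u
}

# Returns 0 when both lists match, 1 when they differ, 2 when one is missing.
check_verbs_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "$conf: not readable" >&2; return 2; }
    header=$(allow_header_methods "$conf")
    guard=$(guard_methods "$conf")
    if [ -z "$header" ] || [ -z "$guard" ]; then
        echo "$conf: allow header or request_method guard not found" >&2
        return 2
    fi
    if [ "$header" != "$guard" ]; then
        echo "$conf: header allows [$(echo $header)], guard accepts [$(echo $guard)]" >&2
        return 1
    fi
    echo "$conf: OK [$(echo $header)]"
}

# Constructed sample: PUT was added to the header but not to the guard.
demo_mismatch() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
more_set_headers "allow: GET, POST, HEAD, PURGE, PUT" always;
if ($request_method !~ ^(GET|POST|HEAD|PURGE)$) {
    return 405;
}
EOF
    rc=0; check_verbs_conf "$sample" || rc=$?
    rm -f "$sample"
    return "$rc"
}

# Usage: sh check-verbs.sh /etc/nginx/extra.d/headers-http-context.conf
if [ $# -gt 0 ]; then check_verbs_conf "$1"; fi
```

Run it against both /etc/nginx/extra.d/headers-http-context.conf and the _custom copy from Step 4. nginx -t only validates syntax, so it will not flag a header and guard that disagree.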