PUT Requests for the WooCommerce API and Other Plugins


Introduction

For security reasons, modern servers do not enable PUT or DELETE requests by default.

On Nginx, these aren’t even possible actions within the core HTTP module. To allow PUT and DELETE requests on Nginx, you need to compile in an extra module and make changes for each site.

The lead developers of WordPress are aware that most servers don’t allow these methods, and so they have built an override method into the REST API to take this into account.

The REST API allows all CRUD (Create, Read, Update, and Delete) operations available via PUT, DELETE (and also PATCH) to be carried out by either passing the method in the request as a query parameter or using a specific header containing the method:

Using the ?_method={HTTP_VERB} query parameter method override:

POST /wp-json/wp/v2/posts/42?_method=DELETE

Using the X-HTTP-Method-Override header method override:

POST /wp-json/wp/v2/posts/42
Host: example.com
X-HTTP-Method-Override: DELETE

This way, ALL insecure WP-API CRUD actions can be achieved using POST requests, and your servers can be securely locked down to the POST, GET, HEAD and PURGE methods.

On GridPane, making use of the REST API also allows for our 6G/7G firewalls to be enabled with no conflicts, allowing for even further security.

Configuring Nginx to Accept PUT Requests

Below we’ll look at how to activate PUT requests on your website, which some plugins require. For example, some WooCommerce plugins need PUT to update a website’s database via the API.

If you also require the DELETE and/or PATCH verbs, please see this article to compare the code blocks in steps 2 and 3 and customise as required:

Making Nginx Accept PUT, DELETE and PATCH verbs

Special Note For 6G and 7G WAF Users

If you use the 6G or 7G WAF you'll also need to create an exclusion for "bad-methods". The easiest way to do this is inside the security tab, or you can run the following command (switching out site.url for your domain name):

gp site site.url 6g -bad-methods off
gp site site.url 7g -bad-methods off

Full documentation can be found here:
1. 6G WAF
2. 7G WAF

Step 1. SSH into your server

Please see the following article to get started:

Step 2. Create a root level conf file for these verbs

The easiest way to do this is by using nano and adding the file directly on the server like this (make sure to replace example.com with your own domain):

nano /var/www/example.com/nginx/http-verbs-root-context.conf

Now, inside the nano editor, add this line to the file:

dav_methods PUT;

Once complete, press CTRL+O and then Enter to save the file, then exit nano with CTRL+X.

Step 3. Add the verbs to the “more_set_headers” directive

Next, open the config file in nano with the following command:

nano /etc/nginx/extra.d/headers-http-context.conf

Add PUT to the more_set_headers allow directive and into the if guard block. The config file should look like this:

more_set_headers "allow: GET, POST, HEAD, PURGE, PUT" always;

if ($request_method !~ ^(GET|POST|HEAD|PURGE|PUT)$) {
  return 405;
}

Once complete, press CTRL+O and then Enter to save the file, then exit nano with CTRL+X.

Step 4. Ensure our changes persist

Next, create the _custom directory and place a copy of the file you just edited in there:

mkdir -p /etc/nginx/extra.d/_custom && cp /etc/nginx/extra.d/headers-http-context.conf /etc/nginx/extra.d/_custom/headers-http-context.conf

This will ensure that our changes persist, and aren’t overwritten at a later date.

Step 5. Check and reload Nginx

Check the Nginx syntax with:

nginx -t

If there are no errors, then run:

gp ngx reload

You’re all set! Now you just need to check your work and ensure that your plugin is working correctly.
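
One way to check the Step 3 edit before reloading, as an added example and not GridPane's own tooling: it compares the verbs in the Allow header with the verbs the 405 guard lets through and reports any verb that appears in only one of them. The function names and the sample files are constructed for illustration; on a server you would pass /etc/nginx/extra.d/headers-http-context.conf to check_verbs.

```shell
#!/bin/sh
# Added example. Lints headers-http-context.conf after the manual edit in
# Step 3: the Allow header and the 405 guard must list the same verbs.

# Verbs from: more_set_headers "allow: GET, POST, ..." always;
allow_verbs() {
  sed -n 's/.*more_set_headers[[:space:]]*"[Aa]llow:[[:space:]]*\([^"]*\)".*/\1/p' "$1" |
    tr -s ', ' '\n\n' | grep . | sort -u | tr '\n' ' '
}

# Verbs from: if ($request_method !~ ^(GET|POST|...)$) {
guard_verbs() {
  sed -n 's/.*\$request_method[[:space:]]*!~[[:space:]]*\^(\([^)]*\))\$.*/\1/p' "$1" |
    tr '|' '\n' | grep . | sort -u | tr '\n' ' '
}

# Print every word of list $1 that does not appear in list $2.
missing_from() {
  for v in $1; do
    case " $2 " in *" $v "*) ;; *) printf ' %s' "$v" ;; esac
  done
}

# Returns 0 when both lists agree; otherwise prints the difference, returns 1.
check_verbs() {
  a=$(allow_verbs "$1"); g=$(guard_verbs "$1")
  blocked=$(missing_from "$a" "$g"); hidden=$(missing_from "$g" "$a")
  [ -z "$blocked" ] || echo "in Allow header but rejected with 405:$blocked"
  [ -z "$hidden" ] || echo "accepted by guard but not in Allow header:$hidden"
  [ -z "$blocked$hidden" ]
}

# Constructed sample files (not taken from a real server).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/good.conf" <<'EOF'
more_set_headers "allow: GET, POST, HEAD, PURGE, PUT" always;
if ($request_method !~ ^(GET|POST|HEAD|PURGE|PUT)$) {
  return 405;
}
EOF
# Failure mode: PUT added to the header, guard left unchanged.
sed 's/|PUT)/)/' "$SAMPLE_DIR/good.conf" > "$SAMPLE_DIR/bad.conf"

for f in good bad; do
  check_verbs "$SAMPLE_DIR/$f.conf" && echo "$f.conf: consistent" || echo "$f.conf: fix before reloading"
done
```

Running the same check against the copy in /etc/nginx/extra.d/_custom/ confirms that the persisted file from Step 4 carries the same verb list.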