Using OpenZiti with WordPress?

Hi,

I'm writing a WordPress plugin which connects to an external database (which has RESTful HTTP capabilities). This database is not public to the internet and I would prefer to use OpenZiti to establish the communication between the PHP server-side part of WordPress and this database (to keep it darkened). Since this WordPress instance is hosted by an external provider, there is no access to install any software other than WordPress plugins.

Do you have any suggestions if my task can be accomplished in any way? Or do I have to move the WordPress instance to a server which is managed by myself?

Thanks in advance!

Hi @chrda81,

I don't know much about WordPress. It sounds like it's PHP-based? Are WordPress plugins allowed to run Python or access a native library? I kind of doubt it but I don't know.

The approaches that would work here are:

  • if you can load a C or Python (or C# or Java) library in the plugin, application-embedded zero trust is the way to go. Then you could totally do this. I dunno enough about WordPress, but if it's PHP-based, I expect this is not allowed.
  • if WordPress allowed you to use JDBC (being based on PHP, I'd doubt it), then you could use ZDBC. That would/should work fine, but I expect that's not going to work...
  • install a tunneler on the WordPress box - but since it's cloud hosted and won't allow for anything to be installed, that won't work.
  • move the WordPress box and host it yourself, like you're thinking

I can't think of any other approaches at this time. If something comes to mind, I'll reply back.

Good list, @TheLumberjack. Another thought is to start with zrok frontdoor. Your external database would be protected by OpenZiti, but accessible from a hardened, public reverse proxy. You can optionally add in OAuth. There are also zrok SDKs that wrap the OpenZiti SDKs for ease of use with zrok, which would support the fully private model (accessible over OpenZiti without going through the zrok frontdoor reverse proxy), but these are subject to the same caveats listed above. We currently have wrappers for Golang and Python with additional languages coming soon.

Thanks for your input, @TheLumberjack. Yes, WordPress is PHP-based and there is a separation between server-side and client-side code. As far as I understand, the client side gets its re-hydrated PHP code (HTML templates with values inserted from the backend) delivered by the server side. The client side can also be pure JavaScript, like React or Vue, which can (RESTful) fetch data from the server side (before?) it is delivered to the browser.

So I don't know if a JavaScript-based approach on the client side would work, but it is a better design to handle the database communication on the server side, so authentication stuff (identity files, etc.) isn't exposed and called by the clients. I don't know if the server side can call Python scripts and if that might be an option. I will try that in my local environment, but I expect the hoster hasn't installed any Python on the provided WordPress instance. Is there an SDK for PHP on the roadmap?

Hi @smilindave26,

On the zrok frontdoor site there is the phrase "You need a free account to use zrok frontdoor." Is that true, or can it also be self-hosted without that (preferably via Docker)?

Yes, you can self-host: Self Hosting | Zrok.

Note that the free service includes a WAF configured for things like script injection defense, SQL injection defense, large payload defense. WAF functionality isn't covered for self-hosting.