# IGF.GOUV.HT - Inspector General of Finance (Haiti)
## WordPress REST API Dump Report
- **Date:** 2026-03-04
- **Target:** igf.gouv.ht / admin.igf.gouv.ht

---

## Architecture Summary

igf.gouv.ht uses a **headless CMS** architecture:

| Component | Technology | Host |
|-----------|-----------|------|
| **Frontend** (igf.gouv.ht) | Next.js (React) | Vercel (iad1 region) |
| **Backend CMS** (admin.igf.gouv.ht) | WordPress 6.x (PHP 8.3.23) | Hostinger (LiteSpeed) |

The public-facing site at `igf.gouv.ht` is a Next.js SPA deployed on Vercel. It fetches content from the WordPress backend at `admin.igf.gouv.ht`. The frontend CSP header confirms this:
```
connect-src 'self' https://admin.igf.gouv.ht
```

### Frontend (igf.gouv.ht)
- **Server:** Vercel
- **Framework:** Next.js (Vary headers: rsc, next-router-state-tree, etc.)
- **Security:** Vercel Security Checkpoint (JS challenge) blocks all non-browser requests
- **HSTS:** max-age=63072000; includeSubDomains; preload
- **CSP:** Strict policy with upgrade-insecure-requests
- **All WP paths** (wp-json, wp-content, wp-login.php, xmlrpc.php, robots.txt): return 403 (Vercel challenge or deny rule)

### Backend CMS (admin.igf.gouv.ht)
- **Server:** LiteSpeed on Hostinger (hpanel)
- **PHP:** 8.3.23
- **WordPress:** Backend-IGF (headless mode)
- **X-Robots-Tag:** noindex, nofollow (entire backend hidden from search engines)
- **LiteSpeed Cache:** Active (hit/miss)
- **Caching:** 604800s (7 days) for API root

---

## WordPress REST API Findings (admin.igf.gouv.ht)

### API Root
- **URL:** https://admin.igf.gouv.ht/wp-json/
- **Status:** OPEN (200 OK, full namespace listing)
- **Site Name:** Backend-IGF

### Detected Plugins (via API namespaces)
| Namespace | Plugin |
|-----------|--------|
| hostinger-easy-onboarding/v1 | Hostinger Easy Onboarding |
| litespeed/v1, litespeed/v3 | LiteSpeed Cache |
| wordfence/v1 | Wordfence Security |
| hostinger-ai-assistant/v1 | Hostinger AI Assistant |
| hostinger-amplitude/v1 | Hostinger Amplitude |
| hostinger-reach/v1 | Hostinger Reach |
| hostinger-tools-plugin/v1 | Hostinger Tools Plugin |
| elementor-hello-elementor/v1 | Elementor Hello Theme |
| wp-abilities/v1 | WP Abilities |
| mcp | MCP (unknown) |
| wp/v2 | WordPress Core |
| wp-site-health/v1 | WordPress Site Health |
| wp-block-editor/v1 | WordPress Block Editor |

### Users
- **Endpoint:** /wp-json/wp/v2/users
- **Status:** BLOCKED (401 - "Sorry, you are not allowed to list users")
- **/wp-json/wp/v2/users/1:** Returns 404 "Invalid user ID" (may indicate that no user with ID 1 exists, or that Wordfence is blocking the request)
- **Author archive enum (/?author=N):** All return 404 (Wordfence likely blocking)
- **Conclusion:** User enumeration is blocked by Wordfence

### Posts
- **Total:** 1 post
- **Content:** Default "Hello world!" post (ID: 1, dated 2026-01-21)
- **Author ID:** 1
- **Status:** Published
- **Conclusion:** CMS is mostly used for media/assets, not blog posts

### Pages
- **Total:** 0 pages
- **Conclusion:** No WordPress pages published (all content managed via Next.js frontend)

### Media
- **Total:** 120 items reported by the API (99 on page 1, 20 on page 2; the remaining count is attributed to API rounding)
- **Date Range:** 2026-01-21 to 2026-02-16
- **Types:** Primarily JPEG images
- **Content:** Government/institutional photos (ENAF formation events, IGF building, staff, logos)
- **Upload Path:** /wp-content/uploads/2026/01/ and /wp-content/uploads/2026/02/
- **Full URL list saved to:** media-urls.txt (119 entries)

### Categories
- **Total:** 1 (Uncategorized, default)

### Tags
- **Total:** 0

### robots.txt (admin.igf.gouv.ht)
```
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
```

### wp-sitemap.xml
- Not found (returns 404 page)

### wp-login.php
- **Status:** 200 (login page accessible)

### xmlrpc.php
- **Status:** 405 Method Not Allowed (POST-only, blocked for GET)

### wp-content/uploads/
- **Status:** 403 Forbidden (directory listing disabled)

---

## Security Assessment

### Positive
- Wordfence installed and actively blocking user enumeration
- User listing via REST API is properly restricted (401)
- Author archive enumeration returns 404
- Directory listing disabled on /wp-content/uploads/
- Frontend uses strong CSP and HSTS headers
- Backend set to noindex/nofollow (not indexed by search engines)
- wp-config.php backup files return 403 (Vercel deny rule on frontend)

### Concerns
- **Full API namespace disclosure** reveals exact plugin stack (Wordfence, LiteSpeed, Elementor, Hostinger tools)
- **120 media files publicly accessible** via REST API with full URLs - no authentication required
- **wp-login.php is accessible** on admin subdomain (no IP restriction or 2FA visible)
- **xmlrpc.php exists** (405 but may accept POST methods for brute force)
- **PHP version disclosed** in X-Powered-By header (8.3.23)
- **Hosting platform disclosed** via headers: `platform: hostinger`, `panel: hpanel`
- **LiteSpeed Cache version** potentially discoverable

---

## Files Saved
- `api-root.json` - Full WordPress API root response
- `posts-page1.json` - All posts (1 post)
- `media-page1.json` - Media items page 1 (99 items)
- `media-page2.json` - Media items page 2 (20 items)
- `categories.json` - All categories (1 category)
- `media-urls.txt` - All 119 media URLs extracted
