# MENFP.GOUV.HT - Ministry of Education (Haiti)
## WordPress REST API Dump Report
**Date:** 2026-03-04
**Target:** menfp.gouv.ht

---

## Architecture Summary

menfp.gouv.ht is **NOT a WordPress site**. It is a custom Angular single-page application served by Node.js/Express behind nginx.

| Component | Technology |
|-----------|-----------|
| **Web Server** | nginx (reverse proxy) |
| **Backend** | Node.js / Express |
| **Frontend** | Angular (compiled SPA) |
| **Author** | John Peter THOMAS (from meta tag) |
| **Analytics** | Google Analytics UA-168251399-1 |

---

## Technical Details

### HTTP Headers
```
Server: nginx
X-Powered-By: Express
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=UTF-8
Cache-Control: public, max-age=0
Last-Modified: Sun, 16 Nov 2025 00:21:24 GMT
ETag: W/"10ce-19a8a09b7a0"
```

### Frontend
- **Framework:** Angular (compiled with hash-based filenames)
- **JS bundles:** runtime.3908b1bf85acdecc.js, polyfills.38cd99123ead5a62.js, main.7dff60e359007406.js
- **CSS:** styles.658db5c5ff14b8dd.css
- **Fonts:** Roboto (embedded via @font-face)
- **Root component:** `<app-root></app-root>` (Angular bootstrap)
- **Last modified:** 2025-11-16 (over 3 months old)

### HTTP vs HTTPS
- HTTP (port 80): Connection timeout (10s) - **HTTP not available/responding**
- HTTPS (port 443): Working (200 OK)

---

## WordPress REST API Checks - ALL NEGATIVE

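Every WordPress-specific endpoint, along with the generic paths probed in the same pass (`/robots.txt`, `/sitemap.xml`, `/api`, `/api/posts`, `/api/pages`), returns **404 Not Found** with an Express error page: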

| Endpoint | Status | Response |
|----------|--------|----------|
| /wp-json/ | 404 | `Cannot GET /wp-json/` |
| /wp-json/wp/v2/users | 404 | `Cannot GET /wp-json/wp/v2/users` |
| /wp-content/ | 404 | `Cannot GET /wp-content/` |
| /wp-login.php | 404 | `Cannot GET /wp-login.php` |
| /xmlrpc.php | 404 | `Cannot GET /xmlrpc.php` |
| /readme.html | 404 | `Cannot GET /readme.html` |
| /robots.txt | 404 | `Cannot GET /robots.txt` |
| /wp-sitemap.xml | 404 | `Cannot GET /wp-sitemap.xml` |
| /sitemap.xml | 404 | `Cannot GET /sitemap.xml` |
| /api | 404 | `Cannot GET /api` |
| /api/posts | 404 | `Cannot GET /api/posts` |
| /api/pages | 404 | `Cannot GET /api/pages` |

### Sensitive File Probes
| Path | Status | Notes |
|------|--------|-------|
| /wp-config.php.bak | **403 Forbidden** | nginx blocking at server level |
| /wp-config.php.old | 404 | Not found |
| /wp-config.php.save | 404 | Not found |
| /wp-config.php.swp | 404 | Not found |
| /wp-config.php~ | 404 | Not found |
| /wp-config.txt | 404 | Not found |
| /web.config | **403 Forbidden** | nginx blocking at server level |

---

## Security Observations

### Positive
- Not WordPress -- eliminates entire class of WP-specific vulnerabilities
- No directory listing
- nginx blocks access to backup/config file extensions (403 on .bak, web.config)
- Only HTTPS is reachable (HTTP on port 80 times out), so no content is served over plain HTTP

### Concerns
- **X-Powered-By: Express** header reveals backend technology
- **Access-Control-Allow-Origin: \*** -- wide open CORS policy (any origin can read responses to cross-origin requests)
- **No robots.txt** -- no crawler guidance
- **No Content-Security-Policy** on main pages (only on error pages: `default-src 'none'`)
- **Google Analytics ID exposed:** UA-168251399-1 (can be used for cross-site correlation)
- **Developer name exposed** in meta author tag: John Peter THOMAS
- **Site appears stale** -- last modified 2025-11-16 (3+ months old)
- **HTTP port 80 not responding** -- potential misconfiguration; plain-HTTP requests time out instead of being redirected to HTTPS
- **wp-config.php.bak returns 403** instead of 404 -- suggests nginx has specific rules for .bak files. That could indicate a WordPress installation existed previously or exists in a different vhost on the same server, but the 403 alone does not establish either.

---

## Conclusion

menfp.gouv.ht has zero WordPress attack surface. It is a pure Angular SPA with an Express/Node.js backend behind nginx. The WordPress REST API dump yields no data. The site appears to be a relatively static government portal with minimal backend API surface exposed.

The 403 response on `/wp-config.php.bak` and `/web.config` is interesting -- it suggests nginx has blanket rules blocking access to common sensitive file extensions, which could indicate shared hosting or a security-conscious server configuration. This does NOT necessarily mean WordPress was ever installed on this domain.

---

## Files Saved
- This report (MENFP-GOUV.md) -- no API data to dump as site is not WordPress
