Publishing static pages as private in S3

When I publish my site to S3, even though my bucket has an ACL which makes it private, the objects are pushed there with public access enabled. Can I force WP2Static somehow to not do this, so that the objects stay private?

I’m no developer but it seems like this is the cause:


    $put_data = [
        'Bucket' => Controller::getValue( 's3Bucket' ),
        'ACL'    => 'public-read',

If that can be an option we set for deploying rather than hard-coded, that would be amazing. Thanks!

Assuming v7, the object ACL is hard-coded. It would be pretty easy to add it as an option though. Just out of curiosity, why is this needed?

Thanks - I’d consider adding it myself, I can code A LITTLE but it would take me all day to figure out how to do so then how to submit a patch back to you :slight_smile:

This is for a site which is only to be accessed via CloudFront, which has a WAF configured in front of it. We don’t want anyone stumbling across the S3 bucket and accessing directly. ACL is configured on the bucket to only allow CloudFront to access it and the objects in it, but that hard-set ACL overrides the bucket policy.

1 Like

Interesting. I’ll make a pull request tomorrow. I think that private and public-read are the only ACLs that make sense for WP2Static.

1 Like

That would be perfect. Thanks John!

Issue | PR

1 Like

Thanks @epicpilgrim for reporting and @john-shaffer for the fix! Have merged that in, but I’m still in V6 land (where a similar fix will end up), so there’s no new publicly announced builds just yet. @epicpilgrim are you using the GitHub repositories or will need some new installers to use this?

1 Like

Thanks @leonstafford. I’m running in WP Engine and installed using their plugin manager. If you have a rough idea of timeframe then I’ll decide whether to wait or to go ahead and manually build and install that way! Really appreciate the help.

Hi @epicpilgrim, probably best to build yourself right now, if you don’t mind:

  • clone each repo (core wp2static and wp2static-addon-s3)
  • cd into each dir
  • composer install
  • composer build INSTALLERNAME

If you just clone the repo into your plugins directory, the build step can be skipped, but there are a cpl things now that cleanup/prepare when deactivating/activating plugin, so build may be safest today.

Sorry, re-read about it being in WP-Engine, so definitely cloning to your local machine and running the build command, then uploading via WordPress -> Plugins > Add new

If you hit a 2MB max file upload limit, may need to increase that in WP Engine.

(I just saw that @john-shaffer’s code here fixes a lot of the issues with using the code in-place, but still for WP-Engine, unless you want to SSH in and git clone, etc within the server, build still probably easier here)