🛡️ Sentinel: [CRITICAL] Fix hardcoded XML-RPC secret bypass

[Snider]

🚨 Severity: CRITICAL
💡 Vulnerability: A hardcoded token (xrpc-9f8e7d6c5b4a) was used in server-php/config/conf.d/wordpress.conf to bypass the XML-RPC block.
🎯 Impact: Anyone who knows or discovers this hardcoded string could bypass intended blocks and interact with /xmlrpc.php, potentially enabling DDoS amplification attacks, brute-force attacks, or other exploits against the WordPress instance.
🔧 Fix: Replaced the conditional string matching with an unconditional deny all; for the /xmlrpc.php location. Also disabled access_log and log_not_found for this block as per memory instructions. Added a journal entry to .jules/sentinel.md documenting this learning about hardcoded secrets in infrastructure configuration files.
✅ Verification: Verify that /xmlrpc.php contains a deny all; directive and does not have the $arg_token logic.

---

PR created automatically by Jules for task 7438220394619985680 started by @Snider

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.