Clarify and/or correct section about SSRF

[johnbillion]

HTTP requests issued by WordPress are filtered to prevent access to loopback and private IP addresses. Additionally, access is only allowed to certain standard HTTP ports.

I don't believe this is accurate. Port access configuration is outside of the control of WordPress.

[iandunn]

I assumed that was in reference to outbound requests, and specifically to the reject_unsafe_urls param of wp_remote_{get|post}. That defaults to false, though, so I guess that wouldn't make sense.

If it does refer to inbound requests, maybe it's an artifact from the original WordPress.com white paper?

[iandunn]

Ah, I bet it was referring to wp_safe_remote_get() and wp_safe_remote_post(), since reject_unsafe_urls is true for them.

[johnbillion]

Ah yes, I think you're right. Needs some clarification.

[iandunn]

@johnbillion, how does 929d667 look to you?

Overall, the white paper seems pretty light on low-level details, which I'm assuming was intentional (perhaps to avoid boring/overwhelming non-technical readers?). So maybe the references to specific functions and ports should be removed?