Recently @werdna submitted a patch that changed the configuration of Elasticsearch to make it slightly more resistant to external attacks. His motivation for this is that he is using the MediaWiki-Vagrant Puppet code to operate a testing host that is exposed to the Internet rather than a local VM on his laptop or even a VM in Labs that is behind a series of proxies.
This is not the first time I've heard of someone using MediaWiki-Vagrant to set up a public or semi-public server for either shared testing or to run a "real" wiki. With the current state of configuration provided by our Puppet code, this is a really, really bad idea if additional measures aren't taken to secure the host. By design, MediaWiki-Vagrant is configuring the VM to be developer friendly, which in the current case means no host firewall, many well-known passwords, and extremely verbose logging that can and will leak information about the configuration of the host.
If this use case is going to be promoted (or even not actively discouraged), some attention should be given to providing a hardening guide and possibly even additional Puppet roles that can alter the default configuration to be less likely to lead to immediate compromise of the host.