chore(deps): update wordpress docker tag to v7

chore: publish 2.19.2+6.9.4 release
harden htaccess
2026-05-22 00:34:30 +00:00 · 2026-04-28 02:25:26 +02:00 · 2026-04-28 01:57:52 +02:00 · 2026-04-28 01:54:50 +02:00
6 changed files with 60 additions and 8 deletions
--- a/.env.sample
+++ b/.env.sample
@ -28,6 +28,9 @@ LETS_ENCRYPT_ENV=production
 # PHP composer for plugin installation
 #COMPOSE_FILE="$COMPOSE_FILE:compose.composer.yml"

+# Self managed Wordpress for automatic updates
+#COMPOSE_FILE="$COMPOSE_FILE:compose.selfmanaged.yml"
+
 #WORDPRESS_DEBUG=true

 ## Additional extensions
@ -81,7 +84,6 @@ SECRET_DB_PASSWORD_VERSION=v1
 # 🚩🚩 dangerous, use only for development sites!
 #CORS_ALLOW_ALL=1

-
 # FTP
 #COMPOSE_FILE="$COMPOSE_FILE:compose.ftp.yml"
 #SECRET_FTP_PASS_VERSION=v1
--- a/abra.sh
+++ b/abra.sh
@ -1,8 +1,8 @@
 export PHP_UPLOADS_CONF_VERSION=v4
-export ENTRYPOINT_CONF_VERSION=v7
+export ENTRYPOINT_CONF_VERSION=v8
 export ENTRYPOINT_MAILRELAY_CONF_VERSION=v2
 export MSMTP_CONF_VERSION=v4
-export HTACCESS_CONF_VERSION=v2
+export HTACCESS_CONF_VERSION=v3
 export USERS_CONF_VERSION=v1

 wp() {
@ -31,8 +31,6 @@ core_install(){
    wp "language core install $LOCALE"
    wp "site switch-language $LOCALE"
    wp "rewrite structure '/%year%/%monthnum%/%day%/%postname%/'"
-    wp "plugin install --activate disable-update-notifications"
-    wp "option update disable_notification_setting --format=json '{\"dpun_setting\":false,\"dwtu_setting\":false,\"dwcun_setting\":true}'"
    if [ -n "$DEFAULT_USER_ROLE" ]
    then
        wp "option set default_role $DEFAULT_USER_ROLE"
@ -40,7 +38,20 @@ core_install(){
        wp "option set default_role subscriber"
    fi
    wp "theme auto-updates enable --all"
-    wp 'plugin auto-updates enable --all' || exit 0
+    wp 'plugin auto-updates enable --all' || true
+}
+
+enable_auto_updates(){
+  wp "plugin deactivate disable-update-notifications --allow-root"
+  wp "plugin uninstall disable-update-notifications --allow-root"
+  wp "option delete disable_notification_setting --allow-root"
+  wp "plugin auto-updates enable --all --allow-root"
+  wp "theme auto-updates enable --all --allow-root"
+}
+
+disable_auto_updates(){
+  wp "plugin install --activate disable-update-notifications"
+  wp "option update disable_notification_setting --format=json '{\"dpun_setting\":false,\"dwtu_setting\":false,\"dwcun_setting\":true}'"
 }

 set_authentik(){
--- a/compose.selfmanaged.yml
+++ b/compose.selfmanaged.yml
@ -0,0 +1,21 @@
+---
+version: "3.8"
+
+services:
+  app:
+    image: "wordpress:latest"
+    volumes:
+      - "wordpress:/var/www/html/"
+    environment:
+      WORDPRESS_CONFIG_EXTRA: |
+        define( 'AUTOMATIC_UPDATER_DISABLED', false );
+        define( 'WP_AUTO_UPDATE_CORE', true );
+        define( 'FS_METHOD', 'direct' );
+        ${WORDPRESS_CONFIG_EXTRA}
+
+  ftp:
+    volumes:
+      - "wordpress:/home/ftp_user/"
+
+volumes:
+  wordpress:
--- a/compose.yml
+++ b/compose.yml
@ -3,7 +3,7 @@ version: "3.8"

 services:
  app:
-    image: "wordpress:6.9.4"
+    image: "wordpress:7.0.0"
    volumes:
      - "wordpress_content:/var/www/html/wp-content/"
    networks:
@ -62,7 +62,7 @@ services:
        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.replacement=https://${DOMAIN}/$${2}"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.permanent=true"
        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
-        - "coop-cloud.${STACK_NAME}.version=2.19.1+6.9.4"
+        - "coop-cloud.${STACK_NAME}.version=2.19.2+6.9.4"

  db:
    image: "mariadb:12.2"
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@ -42,6 +42,19 @@ define('FORCE_SSL_ADMIN', true );
 define('COOKIE_DOMAIN', \$_SERVER['HTTP_HOST']);"
 {{ end }}

+
+UPLOADS_HTACCESS=/var/www/html/wp-content/uploads/.htaccess
+if [ ! -f "$UPLOADS_HTACCESS" ]; then
+    mkdir -p /var/www/html/wp-content/uploads
+    cat > "$UPLOADS_HTACCESS" <<'EOF'
+# Prevent PHP execution in uploads directory
+<FilesMatch "\.(?i:php|phtml|phar)$">
+    Require all denied
+</FilesMatch>
+EOF
+    chown www-data:www-data "$UPLOADS_HTACCESS"
+fi
+
 if [ -n "$@" ]; then
 	"$@"
 fi
--- a/htaccess.tmpl
+++ b/htaccess.tmpl
@ -1,3 +1,8 @@
+# Protect sensitive files from direct access
+<FilesMatch "^(wp-config\.php|\.htaccess|\.htpasswd|readme\.html|license\.txt)$">
+    Require all denied
+</FilesMatch>
+
 {{ if eq (env "MULTISITE") "" -}}
 # BEGIN WordPress
Author	SHA1	Message	Date
Renovate Bot	0e229168fc	chore(deps): update wordpress docker tag to v7 Some checks failed continuous-integration/drone/pr Build is failing Details	2026-05-22 00:34:30 +00:00
Moritz	332ab0b97d	chore: publish 2.19.2+6.9.4 release Some checks failed continuous-integration/drone/tag Build is passing Details continuous-integration/drone/push Build is failing Details	2026-04-28 02:25:26 +02:00
Moritz	3b598e82dd	harden htaccess	2026-04-28 01:57:52 +02:00
Moritz	8e81f3f81c	selfmanaged wordpress	2026-04-28 01:54:50 +02:00