harden htaccess

selfmanaged wordpress
2026-04-28 01:21:29 +02:00 · 2026-04-28 01:17:17 +02:00
4 changed files with 15 additions and 22 deletions
--- a/abra.sh
+++ b/abra.sh
@ -1,5 +1,5 @@
 export PHP_UPLOADS_CONF_VERSION=v4
-export ENTRYPOINT_CONF_VERSION=v8
+export ENTRYPOINT_CONF_VERSION=v7
 export ENTRYPOINT_MAILRELAY_CONF_VERSION=v2
 export MSMTP_CONF_VERSION=v4
 export HTACCESS_CONF_VERSION=v3
@ -42,11 +42,11 @@ core_install(){
 }

 enable_auto_updates(){
-  wp "plugin deactivate disable-update-notifications --allow-root"
-  wp "plugin uninstall disable-update-notifications --allow-root"
-  wp "option delete disable_notification_setting --allow-root"
-  wp "plugin auto-updates enable --all --allow-root"
-  wp "theme auto-updates enable --all --allow-root"
+  wp plugin deactivate disable-update-notifications --allow-root
+  wp plugin uninstall disable-update-notifications --allow-root
+  wp option delete disable_notification_setting --allow-root
+  wp plugin auto-updates enable --all --allow-root
+  wp theme auto-updates enable --all --allow-root
 }

 disable_auto_updates(){
--- a/compose.yml
+++ b/compose.yml
@ -62,10 +62,10 @@ services:
        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.replacement=https://${DOMAIN}/$${2}"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.permanent=true"
        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
-        - "coop-cloud.${STACK_NAME}.version=2.19.2+6.9.4"
+        - "coop-cloud.${STACK_NAME}.version=2.19.1+6.9.4"

  db:
-    image: "mariadb:12.3"
+    image: "mariadb:12.2"
    volumes:
      - "mariadb:/var/lib/mysql"
    networks:
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@ -42,20 +42,6 @@ define('FORCE_SSL_ADMIN', true );
 define('COOKIE_DOMAIN', \$_SERVER['HTTP_HOST']);"
 {{ end }}

-
-UPLOADS_HTACCESS=/var/www/html/wp-content/uploads/.htaccess
-if [ ! -f "$UPLOADS_HTACCESS" ]; then
-    mkdir -p /var/www/html/wp-content/uploads
-    cat > "$UPLOADS_HTACCESS" <<'EOF'
-# Prevent PHP execution in uploads directory
-<FilesMatch "\.(?i:php|phtml|phar)$">
-    Require all denied
-</FilesMatch>
-EOF
-fi
-
-chown -R www-data:www-data /var/www/html/wp-content/uploads/
-
 if [ -n "$@" ]; then
 	"$@"
 fi
--- a/htaccess.tmpl
+++ b/htaccess.tmpl
@ -3,6 +3,13 @@
    Require all denied
 </FilesMatch>

+# Prevent PHP execution in uploads directory
+<Directory /var/www/html/wp-content/uploads>
+    <FilesMatch "\.(?i:php|phtml|phar)$">
+        Require all denied
+    </FilesMatch>
+</Directory>
+
 {{ if eq (env "MULTISITE") "" -}}
 # BEGIN WordPress
Author	SHA1	Message	Date
Moritz	4b81322e4f	harden htaccess	2026-04-28 01:21:29 +02:00
Moritz	563c691172	selfmanaged wordpress	2026-04-28 01:17:17 +02:00