harden htaccess

selfmanaged wordpress
2026-04-28 01:21:29 +02:00 · 2026-04-28 01:17:17 +02:00
8 changed files with 44 additions and 78 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -1,30 +1,30 @@
-# ---
+---
-# kind: pipeline
+kind: pipeline
-# name: deploy to swarm-test.autonomic.zone
+name: deploy to swarm-test.autonomic.zone
-# steps:
+steps:
-#   - name: deployment
+  - name: deployment
-#     image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
-#     settings:
+    settings:
-#       host: swarm-test.autonomic.zone
+      host: swarm-test.autonomic.zone
-#       stack: wordpress
+      stack: wordpress
-#       generate_secrets: true
+      generate_secrets: true
-#       purge: true
+      purge: true
-#       deploy_key:
+      deploy_key:
-#         from_secret: drone_ssh_swarm_test
+        from_secret: drone_ssh_swarm_test
-#       networks:
+      networks:
-#         - proxy
+        - proxy
-#     environment:
+    environment:
-#       DOMAIN: wordpress.swarm-test.autonomic.zone
+      DOMAIN: wordpress.swarm-test.autonomic.zone
-#       STACK_NAME: wordpress
+      STACK_NAME: wordpress
-#       LETS_ENCRYPT_ENV: production
+      LETS_ENCRYPT_ENV: production
-#       SECRET_DB_PASSWORD_VERSION: v1
+      SECRET_DB_PASSWORD_VERSION: v1
-#       SECRET_DB_ROOT_PASSWORD_VERSION: v1
+      SECRET_DB_ROOT_PASSWORD_VERSION: v1
-#       PHP_UPLOADS_CONF_VERSION: v1
+      PHP_UPLOADS_CONF_VERSION: v1
-#       ENTRYPOINT_CONF_VERSION: v1
+      ENTRYPOINT_CONF_VERSION: v1
-#       HTACCESS_CONF_VERSION: v1
+      HTACCESS_CONF_VERSION: v1
-# trigger:
+trigger:
-#   branch:
+  branch:
-#     - main
+    - main
 ---
 kind: pipeline
 name: generate recipe catalogue
--- a/.gitignore
+++ b/.gitignore
@ -1,22 +1 @@
 # direnv
 /.envrc
 # Environment files (may contain secrets)
 .env
 # Logs
 *.log
 # OS metadata
 .DS_Store
 Thumbs.db
 # Editor/IDE
 *.swp
 *.swo
 *~
 *.bak
 .idea/
 .vscode/
 .project
 .classpath
--- a/abra.sh
+++ b/abra.sh
@ -1,5 +1,5 @@
 export PHP_UPLOADS_CONF_VERSION=v4
-export ENTRYPOINT_CONF_VERSION=v9
+export ENTRYPOINT_CONF_VERSION=v7
 export ENTRYPOINT_MAILRELAY_CONF_VERSION=v2
 export MSMTP_CONF_VERSION=v4
 export HTACCESS_CONF_VERSION=v3
@ -42,11 +42,11 @@ core_install(){
 }
 enable_auto_updates(){
-  wp "plugin deactivate disable-update-notifications --allow-root"
+  wp plugin deactivate disable-update-notifications --allow-root
-  wp "plugin uninstall disable-update-notifications --allow-root"
+  wp plugin uninstall disable-update-notifications --allow-root
-  wp "option delete disable_notification_setting --allow-root"
+  wp option delete disable_notification_setting --allow-root
-  wp "plugin auto-updates enable --all --allow-root"
+  wp plugin auto-updates enable --all --allow-root
-  wp "theme auto-updates enable --all --allow-root"
+  wp theme auto-updates enable --all --allow-root
 }
 disable_auto_updates(){
--- a/compose.selfmanaged.yml
+++ b/compose.selfmanaged.yml
@ -3,7 +3,7 @@ version: "3.8"
 services:
  app:
-    image: "wordpress:7.0.0"
+    image: "wordpress:latest"
    volumes:
      - "wordpress:/var/www/html/"
    environment:
--- a/compose.yml
+++ b/compose.yml
@ -3,7 +3,7 @@ version: "3.8"
 services:
  app:
-    image: "wordpress:7.0.0"
+    image: "wordpress:6.9.4"
    volumes:
      - "wordpress_content:/var/www/html/wp-content/"
    networks:
@ -62,10 +62,10 @@ services:
        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.replacement=https://${DOMAIN}/$${2}"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectregex.permanent=true"
        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
-        - "coop-cloud.${STACK_NAME}.version=3.0.0+7.0.0"
+        - "coop-cloud.${STACK_NAME}.version=2.19.1+6.9.4"
  db:
-    image: "mariadb:12.3"
+    image: "mariadb:12.2"
    volumes:
      - "mariadb:/var/lib/mysql"
    networks:
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@ -42,20 +42,6 @@ define('FORCE_SSL_ADMIN', true );
 define('COOKIE_DOMAIN', \$_SERVER['HTTP_HOST']);"
 {{ end }}
 UPLOADS_HTACCESS=/var/www/html/wp-content/uploads/.htaccess
 if [ ! -f "$UPLOADS_HTACCESS" ]; then
    mkdir -p /var/www/html/wp-content/uploads
    cat > "$UPLOADS_HTACCESS" <<'EOF'
 # Prevent PHP execution in uploads directory
 <FilesMatch "\.(?i:php|phtml|phar)$">
    Require all denied
 </FilesMatch>
 EOF
 fi
 chown -R --from=root:root www-data:www-data /var/www/html/wp-content/
 if [ -n "$@" ]; then
 	"$@"
 fi
--- a/htaccess.tmpl
+++ b/htaccess.tmpl
@ -3,6 +3,13 @@
    Require all denied
 </FilesMatch>
 # Prevent PHP execution in uploads directory
 <Directory /var/www/html/wp-content/uploads>
    <FilesMatch "\.(?i:php|phtml|phar)$">
        Require all denied
    </FilesMatch>
 </Directory>
 {{ if eq (env "MULTISITE") "" -}}
 # BEGIN WordPress
--- a/release/3.0.0+7.0.0
+++ b/release/3.0.0+7.0.0
@ -1,6 +0,0 @@
 - WordPress upgraded from 6.9.4 to 7.0 (major! test before deploying)
 - MariaDB upgraded from 10.x to 11.4 (major! SSL now enabled by default)
 - ENTRYPOINT_CONF_VERSION bumped to v9
 - Breaking: MariaDB 11.4 enables SSL by default — if clients don't support SSL, add --disable-ssl to db command
 - Breaking: WordPress 7.0 introduces new AI features and admin theme changes
 - Backup database and files before upgrading
Author	SHA1	Message	Date
Moritz	4b81322e4f	harden htaccess	2026-04-28 01:21:29 +02:00
Moritz	563c691172	selfmanaged wordpress	2026-04-28 01:17:17 +02:00