diff --git a/.devops/db/wp_init_db.gz b/.devops/db/wp_init_db.gz index da5d5d4..022298b 100644 Binary files a/.devops/db/wp_init_db.gz and b/.devops/db/wp_init_db.gz differ diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 0000000..bd35b59 --- /dev/null +++ b/.editorconfig @@ -0,0 +1,15 @@ +root = true + +[*] +indent_style = space +indent_size = 2 +end_of_line = lf +charset = utf-8 +trim_trailing_whitespace = true +insert_final_newline = true + +[*.php] +indent_size = 4 + +[*.md] +trim_trailing_whitespace = false diff --git a/.editorconfig-checker.json b/.editorconfig-checker.json new file mode 100644 index 0000000..ac0a02d --- /dev/null +++ b/.editorconfig-checker.json @@ -0,0 +1,26 @@ +{ + "Verbose": false, + "Debug": false, + "IgnoreDefaults": false, + "SpacesAfterTabs": false, + "NoColor": false, + "Exclude": [ + ".git/", + "vendor/", + "web/wp/", + "web/app/", + "web/app/themes/", + "web/app/plugins/", + "web/app/languages" + ], + "AllowedContentTypes": [], + "PassedFiles": [], + "Disable": { + "EndOfLine": false, + "Indentation": false, + "IndentSize": false, + "InsertFinalNewline": false, + "TrimTrailingWhitespace": false, + "MaxLineLength": false + } +} diff --git a/.envrc b/.envrc new file mode 100644 index 0000000..7b91bd0 --- /dev/null +++ b/.envrc @@ -0,0 +1 @@ +export WP_PW=$(gopass show hvg/BLOG_ROOT_PWD) diff --git a/.gitignore b/.gitignore index f6ef7a5..4353876 100644 --- a/.gitignore +++ b/.gitignore @@ -26,6 +26,7 @@ web/.htaccess .env.* *.env !.env.example +!.envrc # Heroku bin .heroku/* diff --git a/.lando.yml b/.lando.yml index 78d49af..c43a995 100644 --- a/.lando.yml +++ b/.lando.yml @@ -9,7 +9,7 @@ config: via: nginx database: mariadb:11.4.5 webroot: web - xdebug: true + xdebug: false config: php: config/php.ini vhosts: config/lando.conf.tpl diff --git a/config/app/base.php b/config/app/base.php index 52d3bd8..89cb54f 100644 --- a/config/app/base.php +++ b/config/app/base.php 
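Review bot: In the new `.envrc`, `export WP_PW=$(gopass show hvg/BLOG_ROOT_PWD)` hides a failed lookup, because `export` returns success even when `gopass` exits non-zero, so a locked or missing store leaves `WP_PW` empty with no error. Assigning first and exporting afterwards keeps the failure visible: `WP_PW="$(gopass show -o hvg/BLOG_ROOT_PWD)" || echo "WP_PW: gopass lookup failed" >&2` followed by `export WP_PW`. The `-o` flag limits the output to the password line in case the entry carries further fields. The file is now tracked through the `!.envrc` exception in `.gitignore`, so a header comment would help, e.g. `# Secrets are resolved from gopass at load time; never commit literal values here.`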
@@ -7,7 +7,6 @@ $env_keys = array(); # App Base environment keys array_push($env_keys, 'BLOG_SLUG'); -array_push($env_keys, 'USE_CDN'); array_push($env_keys, 'GA_CODE'); array_push($env_keys, 'GTM_CODE'); array_push($env_keys, 'FORCE_SSL_ADMIN'); diff --git a/config/lando.conf.tpl b/config/lando.conf.tpl index 9046698..f7d42ca 100644 --- a/config/lando.conf.tpl +++ b/config/lando.conf.tpl @@ -30,4 +30,4 @@ server { fastcgi_read_timeout 300s; include fastcgi_params; } -} \ No newline at end of file +} diff --git a/config/php.ini b/config/php.ini index e69de29..398803c 100644 --- a/config/php.ini +++ b/config/php.ini @@ -0,0 +1,4 @@ +upload_max_filesize=1024M +post_max_size=1024M +max_execution_time=300 +max_input_time=300 diff --git a/nginx.conf b/nginx.conf deleted file mode 100644 index 54dbabb..0000000 --- a/nginx.conf +++ /dev/null 
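Review bot: In `config/php.ini`, `post_max_size=1024M` equals `upload_max_filesize=1024M`, so an upload at the advertised limit is rejected: the POST body also carries multipart framing and any other form fields, and PHP's documentation asks for `post_max_size` to be larger than `upload_max_filesize`. Either raise it, e.g. `post_max_size=1100M`, or lower the file limit. `.lando.yml` points at this file, so it looks like a local-development setting. If the same values reach a public host, 1 GiB request bodies combined with the 300-second `max_execution_time` and `max_input_time` make resource exhaustion cheap, so a comment such as `; local Lando only: do not reuse in production` would be worth adding.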
@@ -1,333 +0,0 @@ -# configuration file /opt/bitnami/nginx/conf/nginx.conf: -# Based on https://www.nginx.com/resources/wiki/start/topics/examples/full/#nginx-conf -user daemon daemon; ## Default: nobody - -worker_processes auto; -error_log "/opt/bitnami/nginx/logs/error.log"; -pid "/opt/bitnami/nginx/tmp/nginx.pid"; - -events { - worker_connections 1024; -} - -http { - include mime.types; - - default_type application/octet-stream; - - fastcgi_buffers 16 16k; - fastcgi_buffer_size 32k; - - client_body_temp_path "/opt/bitnami/nginx/tmp/client_body" 1 2; - proxy_temp_path "/opt/bitnami/nginx/tmp/proxy" 1 2; - fastcgi_temp_path "/opt/bitnami/nginx/tmp/fastcgi" 1 2; - scgi_temp_path "/opt/bitnami/nginx/tmp/scgi" 1 2; - uwsgi_temp_path "/opt/bitnami/nginx/tmp/uwsgi" 1 2; - - log_format main '$remote_addr - $remote_user [$time_local] ' - '"$request" $status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log "/opt/bitnami/nginx/logs/access.log"; - - sendfile on; - - tcp_nopush on; - tcp_nodelay off; - - keepalive_timeout 65; - gzip on; - gzip_http_version 1.0; - gzip_comp_level 2; - gzip_proxied any; - gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - - map $http_x_forwarded_proto $lando_https { - default ''; - https on; - } - - map $http_x_forwarded_proto $http_user_agent_https { - default ''; - https ON; - } - - client_max_body_size 80M; - server_tokens off; - include "/opt/bitnami/nginx/conf/vhosts/*.conf"; - - # HTTP Server - server { - # port to listen on. 
Can also be set to an IP:PORT - listen 80; - - location /status { - stub_status on; - access_log off; - allow 127.0.0.1; - deny all; - } - } -} - -# configuration file /opt/bitnami/nginx/conf/mime.types: - -types { - text/html html htm shtml; - text/css css; - text/xml xml; - image/gif gif; - image/jpeg jpeg jpg; - application/javascript js; - application/atom+xml atom; - application/rss+xml rss; - - text/mathml mml; - text/plain txt; - text/vnd.sun.j2me.app-descriptor jad; - text/vnd.wap.wml wml; - text/x-component htc; - - image/avif avif; - image/png png; - image/svg+xml svg svgz; - image/tiff tif tiff; - image/vnd.wap.wbmp wbmp; - image/webp webp; - image/x-icon ico; - image/x-jng jng; - image/x-ms-bmp bmp; - - font/woff woff; - font/woff2 woff2; - - application/java-archive jar war ear; - application/json json; - application/mac-binhex40 hqx; - application/msword doc; - application/pdf pdf; - application/postscript ps eps ai; - application/rtf rtf; - application/vnd.apple.mpegurl m3u8; - application/vnd.google-earth.kml+xml kml; - application/vnd.google-earth.kmz kmz; - application/vnd.ms-excel xls; - application/vnd.ms-fontobject eot; - application/vnd.ms-powerpoint ppt; - application/vnd.oasis.opendocument.graphics odg; - application/vnd.oasis.opendocument.presentation odp; - application/vnd.oasis.opendocument.spreadsheet ods; - application/vnd.oasis.opendocument.text odt; - application/vnd.openxmlformats-officedocument.presentationml.presentation - pptx; - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet - xlsx; - application/vnd.openxmlformats-officedocument.wordprocessingml.document - docx; - application/vnd.wap.wmlc wmlc; - application/wasm wasm; - application/x-7z-compressed 7z; - application/x-cocoa cco; - application/x-java-archive-diff jardiff; - application/x-java-jnlp-file jnlp; - application/x-makeself run; - application/x-perl pl pm; - application/x-pilot prc pdb; - application/x-rar-compressed rar; - 
application/x-redhat-package-manager rpm; - application/x-sea sea; - application/x-shockwave-flash swf; - application/x-stuffit sit; - application/x-tcl tcl tk; - application/x-x509-ca-cert der pem crt; - application/x-xpinstall xpi; - application/xhtml+xml xhtml; - application/xspf+xml xspf; - application/zip zip; - - application/octet-stream bin exe dll; - application/octet-stream deb; - application/octet-stream dmg; - application/octet-stream iso img; - application/octet-stream msi msp msm; - - audio/midi mid midi kar; - audio/mpeg mp3; - audio/ogg ogg; - audio/x-m4a m4a; - audio/x-realaudio ra; - - video/3gpp 3gpp 3gp; - video/mp2t ts; - video/mp4 mp4; - video/mpeg mpeg mpg; - video/quicktime mov; - video/webm webm; - video/x-flv flv; - video/x-m4v m4v; - video/x-mng mng; - video/x-ms-asf asx asf; - video/x-ms-wmv wmv; - video/x-msvideo avi; -} - -# configuration file /opt/bitnami/nginx/conf/vhosts/lando.conf: -server { - listen 443 ssl; - listen 80; - listen [::]:80 default ipv6only=on; - server_name localhost; - - ssl_certificate /certs/cert.crt; - ssl_certificate_key /certs/cert.key; - - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 5m; - - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; - - root "/app/web"; - - include /app/config/nginx.conf; - - index index.php index.html index.htm; - - location ~ \.php$ { - fastcgi_split_path_info ^(.+?\.php)(/.*)$; - fastcgi_pass fpm:9000; - fastcgi_index index.php; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_buffers 256 128k; - fastcgi_connect_timeout 300s; - fastcgi_send_timeout 300s; - fastcgi_read_timeout 300s; - include fastcgi_params; - } -} -# configuration file /app/config/nginx.conf: -server_tokens off; - -index index.php index.html; -charset UTF-8; -default_type text/html; - -gzip on; -gzip_disable "msie6"; - -gzip_vary on; -gzip_proxied any; -gzip_comp_level 6; -gzip_buffers 16 8k; -gzip_min_length 10; -gzip_http_version 1.1; -gzip_types text/plain 
text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript image/png image/gif image/jpeg; - -client_max_body_size 1024M; - -include /app/config/nginx/*.conf; - -# Force installation to /wp-admin/install.php so siteurl is always correct -rewrite ^/wp/wp-admin/install.php(.*) $scheme://$http_host/wp-admin/install.php permanent; - -# Rewrite rules to allow for an application-like wordpress directory structure -if (!-e $request_filename) { - rewrite ^/wp-admin$ $scheme://$http_host/wp-admin/ permanent; - rewrite ^/(wp-.*.php)$ /wp/$1 last; - rewrite ^/(wp-(content|admin|includes).*) /wp/$1 last; -} - -# Enable XML-RPC for WordPress -rewrite ^/(xmlrpc\.php)$ /wp/$1 last; - -# Hide often probed WordPress file so that finding out the WordPress install -# and version would not be too easy -location /wp/readme.html { - return 404; -} - -location = /favicon.ico { - log_not_found off; - access_log off; -} - -location = /robots.txt { - allow all; - log_not_found off; - access_log off; -} - -location = /ads.txt { - allow all; - log_not_found off; - access_log off; -} - -# Block direct access to WooCommerce digital downloads. They can be accessed -# via the X-Accel-Redirect mechanism for fast and protected downloads. -location /wp/wp-content/uploads/woocommerce_uploads/ { - internal; -} - -# Deny access to any other dot file -# ~ matches using regular expression all requests that contain '/.' -# anywhere in the URL, eg '/.htaccess' and '/wp-content/.htpasswd'. -# This regex will override all non-regex rules, except ^~ rules due -# how to Nginx location parsing and priorities works. -location ~ \/\. 
{ - deny all; -} - -location ~* ^.+\.(css|js|ogg|ogv|svg|svgz|eot|otf|woff|woff2|mp4|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ { - try_files $uri =404; - expires max; - add_header Pragma "public"; - add_header Cache-Control "public, must-revalidate, proxy-revalidate"; - access_log off; -} - -# Use actual file if exists, otherwise pass request to WordPress -# Last rule: match all requests (= URLs that start with /) -location / { - try_files $uri $uri/ /index.php?$args; -} - -# If front page is requested, skip all other regex and rewrite rules and -# pass request directly to WordPress (= URLS that are exactly /) -# Tip from https://www.scalescale.com/tips/nginx/nginx-location-directive/ -location = / { - try_files $uri $uri/ /index.php?$args; -} - -# configuration file /opt/bitnami/nginx/conf/fastcgi_params: -fastcgi_param QUERY_STRING $query_string; -fastcgi_param REQUEST_METHOD $request_method; -fastcgi_param CONTENT_TYPE $content_type; -fastcgi_param CONTENT_LENGTH $content_length; - -fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; -fastcgi_param SCRIPT_NAME $fastcgi_script_name; -fastcgi_param PATH_INFO $fastcgi_path_info; -fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info; -fastcgi_param REQUEST_URI $request_uri; -fastcgi_param DOCUMENT_URI $document_uri; -fastcgi_param DOCUMENT_ROOT $document_root; -fastcgi_param SERVER_PROTOCOL $server_protocol; - -fastcgi_param GATEWAY_INTERFACE CGI/1.1; -fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; - -fastcgi_param REMOTE_ADDR $remote_addr; -fastcgi_param REMOTE_PORT $remote_port; -fastcgi_param SERVER_ADDR $server_addr; -fastcgi_param SERVER_PORT $server_port; -fastcgi_param SERVER_NAME $server_name; - -fastcgi_param HTTPS $lando_https if_not_empty; -fastcgi_param HTTP_USER_AGENT_HTTPS $http_user_agent_https if_not_empty; - -# PHP only, required if PHP was built with --enable-force-cgi-redirect -fastcgi_param REDIRECT_STATUS 
200; - diff --git a/web/ads.txt b/web/ads.txt new file mode 100644 index 0000000..db9e54a --- /dev/null +++ b/web/ads.txt @@ -0,0 +1,6 @@ +rubiconproject.com, 15714, DIRECT, 0bfd66d529a55807 +rubiconproject.com, 13808, DIRECT, 0bfd66d529a55807 +google.com, pub-9423445092945252, DIRECT +google.com, pub-1094437899690041, DIRECT +rubiconproject.com, 209908, DIRECT, 0bfd66d529a55807 +adform.com, 2587, DIRECT diff --git a/web/app/mu-plugins/app-mu.php b/web/app/mu-plugins/app-mu.php index 3ea5767..87629a6 100644 --- a/web/app/mu-plugins/app-mu.php +++ b/web/app/mu-plugins/app-mu.php @@ -23,8 +23,8 @@ class AppMuPlugin public function __construct() { // Define constants - $this->define_constants(); - + $this->define_constants(); + if (defined('ERROR_LOG_TO_STDOUT')) { if (ERROR_LOG_TO_STDOUT) { // WP error log to stdout @@ -35,7 +35,7 @@ class AppMuPlugin // Filter S3 Uploads params. $this->s3_uploads_endpoint(); } - + if (defined('SMTP_ENABLED') && SMTP_ENABLED) { // If SMTP is enabled, setup PHPMailer if (defined('SMTP_SERVER') && defined('SMTP_PORT')) { @@ -75,7 +75,7 @@ class AppMuPlugin }, 10); } - + private function s3_uploads_endpoint() { // Filter S3 Uploads params. add_filter('s3_uploads_s3_client_params', function ($params) { @@ -88,7 +88,7 @@ class AppMuPlugin private function header_security() { // Add Security headers. - add_filter('wp_headers', + add_filter('wp_headers', function ($headers) { $headers['X-Frame-Options'] = 'SAMEORIGIN'; $headers['X-Content-Type-Options'] = 'nosniff'; @@ -138,7 +138,7 @@ class AppMuPlugin add_action('phpmailer_init', function ($phpmailer) { $phpmailer->Host = SMTP_SERVER; $phpmailer->Port = SMTP_PORT; - + // If SMTP_LOGIN is defined, use it for authentication if (defined('SMTP_LOGIN')) { $phpmailer->SMTPAuth = true; // Enable SMTP authentication 
@@ -175,6 +175,18 @@ class AppMuPlugin } private function two_factor_default() { + add_filter('two_factor_providers', function ($providers) + { + // Disable FIDO U2F by default + // ISSUE https://wordpress.org/support/topic/i-cant-add-my-yubikey/ + $providers['Two_Factor_FIDO_U2F'] = ''; + // Disable Dummy provider by default + $providers['Two_Factor_Dummy'] = ''; + return $providers; + }); + + // Enable Two Factor Email by default + // force email two factor authentication add_filter('two_factor_enabled_providers_for_user', function ($providers) { if (! in_array('Two_Factor_Email', $providers)) diff --git a/web/robots.txt b/web/robots.txt new file mode 100644 index 0000000..b04ec60 --- /dev/null +++ b/web/robots.txt @@ -0,0 +1,18 @@ +User-agent: Googlebot +Allow: / +User-agent: Bingbot +Allow: / +User-agent: BingPreview +Allow: / +User-agent: Pinterestbot +Allow: / +User-agent: facebookexternalhit +Allow: / +User-agent: Applebot +Allow: / +User-agent: OSZKbot +Allow: / +User-agent: upday +Allow: / +User-agent: Mediapartners-Google +Allow: /
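Review bot: In the added `two_factor_providers` filter, both providers are switched off by assigning an empty string (`$providers['Two_Factor_FIDO_U2F'] = '';`), which leaves the key in the array. Depending on the Two Factor plugin version the value is treated as a file path or a class name, so an empty value may still be loaded and raise a warning; this cannot be confirmed from the hunk. Removing the entries is unambiguous: `unset($providers['Two_Factor_FIDO_U2F'], $providers['Two_Factor_Dummy']);`. The comments say "by default", but the filter removes the providers for every user with no opt-in. Together with the forced `Two_Factor_Email` in the unchanged filter below, this leaves e-mail as the mandated factor, which is weaker against phishing than a hardware key; the comment should state that trade-off and that U2F is to be restored once the linked issue is resolved. `two_factor_default()` continues past the end of the hunk.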
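Review bot: Every group in the new `web/robots.txt` is an `Allow: /` for a named crawler and there is no `User-agent: *` group, so crawlers that are not listed are unrestricted as well and the file does not act as an allow-list. If the intent is to admit only these bots, a closing group is needed: `User-agent: *` followed by `Disallow: /`. robots.txt is advisory in either case, so it should not be relied on to keep any path private.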