
wp-h5bp-htaccess's Introduction

HTML5 Boilerplate's .htaccess for WordPress


Add HTML5 Boilerplate's .htaccess to your WordPress installation.

Installation

You can install this plugin via the command-line or the WordPress admin panel.

via Command-line

If you're using Composer to manage WordPress, add wp-h5bp-htaccess to your project's dependencies.

composer require roots/wp-h5bp-htaccess 2.0.1

Then activate the plugin via wp-cli.

wp plugin activate wp-h5bp-htaccess

via WordPress Admin Panel

  1. Download the latest zip of this repo.
  2. In your WordPress admin panel, navigate to Plugins->Add New
  3. Click Upload Plugin
  4. Upload the zip file that you downloaded.

Configuration

The plugin will work right out of the box, but we have made some options available to developers who wish to fine-tune the resulting .htaccess file.

!!! WARNING !!!

Using these configuration options can result in unexpected, undesired, and even damaging behaviors. You must understand that changing the output of this plugin will change what WordPress puts into your .htaccess file. Misconfigured .htaccess files will likely result in server errors. Be sure that you have a way of removing the .htaccess file if necessary.

Use a custom server config (server_configs.conf)

You can use your own server config instead of the included Apache Server Config by H5BP. Do this by placing a file named server_configs.conf in the root of your theme directory.

/
├── wp-admin/
├── wp-content/
│   └── themes/
│       └── your-theme-here/
│           └── server_configs.conf
└── wp-includes/

Hooks

There are a few WordPress filters into which a developer can hook to modify the resulting .htaccess file. The rules below are listed in the order in which they are applied in the code.

roots/h5bp-htaccess-filters

This hook passes an associative array of modification filters to be applied to the rules where the keys of the array represent a string that is to be searched and the values of the array represent a replacement.

Use this for simple string replacements, such as commenting out lines.

add_filter('roots/h5bp-htaccess-filters', function($rules_filters) {
  // comments out all `RewriteRule`s
  $rules_filters['RewriteRule'] = '# RewriteRule';
  return $rules_filters;
});

roots/h5bp-htaccess-rules

This hook passes a string containing all of the rules that are going to be added to your .htaccess file by this plugin.

add_filter('roots/h5bp-htaccess-rules', function($server_config_rules) {
  // Removes all comments and whitespace
  return preg_replace(['/#.*/', '/(^[\r\n]*|[\r\n]+)[\s\t]*[\r\n]+/'], ['',PHP_EOL], $server_config_rules);
});

Changelog

2.0.1: April 29th, 2015

  • Fix reference error (#12)
  • Update link to h5bp server config repo (#13)

2.0.0: April 11th, 2015

  • Update to Apache Server Configs v2.14.0
  • Rewrote plugin as a class
  • Rewrote logic so that server and WordPress configurations are only checked when plugin is actively in use
  • Added filters to provide users with more control over the rules that are being applied
  • Added a dedicated WordPress section to the bottom of h5bp-htaccess

1.1.0: June 7th, 2014

  • Update to Apache Server Configs v2.4.1

1.0.0: April 30th, 2013

License


wp-h5bp-htaccess's Issues

Placement of Directives

Shouldn't the boilerplate .htaccess directives go before the WordPress ones?

.htaccess being processed top-to-bottom, when the WordPress directives are placed earlier than the H5BP directives it means the H5BP directives are processed too late i.e. after WordPress has already processed requests.

htaccess in subfolders being blocked

Hi,

I have a WordPress blog located in a subfolder of my site (mysite.com/blog) that doesn't work because the WordPress htaccess file can't be changed from:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

to this

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /blog/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /blog/index.php [L]
</IfModule>

# END WordPress

Every time I change the permissions of the htaccess file in the blog subfolder from 444 to 604, it immediately gets changed back again. Sometimes it stays at 604 long enough for me to make the changes through WordPress, however as soon as the permission reverts back to 444 the original htaccess file is put back in its place!

It's driving me mad!

Can anyone help?

Cheers, Paul.

Is this working?

I seem to be having a few problems with this.

Upon initial install of WordPress, and my theme, it does in fact create the .htaccess with the content from the h5bp-htaccess file as expected. The issue comes when editing that file and reuploading it.

I am expecting the .htaccess file in the root directory to update with the edited content, but it doesn't. I have tried flushing permalinks and this also has no effect.

The only way I am able to get it to update is to completely remove the .htaccess file from the server, then flush the permalinks.

Am I missing something here?

Release New Version with Bugfixes

After installing v2.0.0, as recommended by the readme, I came across the reference error, which was fixed in 82873f5.

Are there any plans to release a minor point update or will I have to run off of dev-master in my composer.json file?

License.txt?

I don't mean to be obnoxious or anything. I acknowledge that you release your work out of the kindness of your heart and all that jazz, so please don't take this the wrong way.

For the sake of legal clarification, I think you should include a license.txt or license.md file. I know your current PHP file says that it's "MIT" licensed and has a URI to the license terms, but that can be misinterpreted to mean that only the PHP file is licensed. A license.txt file seems like it would be more concrete.

Vary Accept Encoding

I read that Vary Accept encoding was a good idea for performance and browser compatibility, I've added this to the h5bp-htaccess file

Fix for older browsers that don't support Compression

Suggested here - http://blog.maxcdn.com/accept-encoding-its-vary-important/

Header append Vary: Accept-Encoding

Probably should do this as a pull request let me know if it's an issue.

Thanks Dave

Add rules to secure wp-includes?

It could be done with the RewriteEngine as in the example below, or it could be done with FilesMatch.

But we would have to take into account that users don't always install WordPress into their root directory, which complicates things. We could also use the typical {{double-brackets}} syntax to indicate a dynamic value, and then use PHP to determine it and change the value before adding to .htaccess file.

Securing wp-includes

A second layer of protection can be added where scripts are generally not intended to be accessed by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file. Note: to ensure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file. WordPress can overwrite anything between these tags.

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

Note that this won't work well on Multisite, as RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] would prevent the ms-files.php file from generating images. Omitting that line will allow the code to work, but offers less security.

http://codex.wordpress.org/Hardening_WordPress#Securing_wp-includes
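
The subdirectory concern raised in this issue, as an added PHP example (not the plugin's code and not from the issue author): it prefixes the quoted rules with the path from the directory holding .htaccess to WordPress core, and recomputes the [S=n] skip count when the Multisite caveat drops a rule. Assumptions: .htaccess sits at the home URL's path, the example_* names are hypothetical, and text appended through roots/h5bp-htaccess-rules ends up in the block the plugin writes; RewriteBase is left out because every substitution here is `-`.

```php
<?php
// Added example, not part of wp-h5bp-htaccess; every example_* name is hypothetical.

/** Path of WordPress core relative to the directory holding .htaccess ("" or e.g. "wp/"). */
function example_core_prefix(string $home_url, string $site_url): string
{
    $home = trim((string) parse_url($home_url, PHP_URL_PATH), '/');
    $site = trim((string) parse_url($site_url, PHP_URL_PATH), '/');
    if ($home !== '') {
        if (strpos($site . '/', $home . '/') !== 0) {
            throw new InvalidArgumentException('core is outside the .htaccess directory');
        }
        $site = ltrim((string) substr($site, strlen($home)), '/');
    }
    return $site === '' ? '' : $site . '/';
}

/** The page's wp-includes block, with patterns prefixed and the skip count kept in sync. */
function example_wp_includes_rules(string $prefix, bool $multisite): string
{
    $p = preg_quote($prefix); // the prefix is literal text inside each pattern
    $guarded = [
        "RewriteRule ^{$p}wp-includes/[^/]+\\.php$ - [F,L]",
        "RewriteRule ^{$p}wp-includes/js/tinymce/langs/.+\\.php - [F,L]",
        "RewriteRule ^{$p}wp-includes/theme-compat/ - [F,L]",
    ];
    if ($multisite) {
        array_shift($guarded); // per the note above: this rule breaks ms-files.php
    }
    $head = [
        '# Block the include-only files.',
        '<IfModule mod_rewrite.c>',
        'RewriteEngine On',
        "RewriteRule ^{$p}wp-admin/includes/ - [F,L]",
        // S=n skips the next n rules, so n must equal the rules that follow.
        "RewriteRule !^{$p}wp-includes/ - [S=" . count($guarded) . ']',
    ];
    return implode(PHP_EOL, array_merge($head, $guarded, ['</IfModule>'])) . PHP_EOL;
}

if (function_exists('add_filter')) { // running inside WordPress
    add_filter('roots/h5bp-htaccess-rules', function ($rules) {
        $prefix = example_core_prefix(home_url(), site_url());
        return $rules . PHP_EOL . example_wp_includes_rules($prefix, is_multisite());
    });
} else { // stand-alone run with constructed URLs: core lives in /wp/
    echo example_wp_includes_rules(
        example_core_prefix('https://example.test', 'https://example.test/wp'), false);
}
```

Run from the command line, it prints the block for a site whose core lives in /wp/; with the Multisite flag set, the skip rule reads [S=2] and the single-file rule is absent.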
