
wp-h5bp-htaccess's Issues

Release New Version with Bugfixes

After installing v2.0.0, as recommended by the readme, I came across the reference error, which was fixed in 82873f5.

Are there any plans to release a minor point update or will I have to run off of dev-master in my composer.json file?

htaccess in subfolders being blocked

Hi,

I have a WordPress blog located in a subfolder of my site (mysite.com/blog) that doesn't work because the WordPress htaccess file can't be changed from:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

to this

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /blog/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /blog/index.php [L]
</IfModule>

# END WordPress

Every time I change the permissions of the htaccess file in the blog subfolder from 444 to 604, it immediately gets changed back again. Sometimes it stays at 604 long enough for me to make the changes through WordPress; however, as soon as the permission reverts back to 444, the original htaccess file is put back in its place!

It's driving me mad!

Can anyone help?

Cheers, Paul.

Add rules to secure wp-includes?

It could be done with the RewriteEngine as in the example below, or it could be done with FilesMatch.

But we would have to take into account that users don't always install WordPress into their root directory, which complicates things. We could also use the typical {{double-brackets}} syntax to indicate a dynamic value, and then use PHP to determine it and change the value before adding it to the .htaccess file.

Securing wp-includes

A second layer of protection can be added where scripts are generally not intended to be accessed by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file. Note: to ensure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file. WordPress can overwrite anything between these tags.

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

Note that this won't work well on Multisite, as RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] would prevent the ms-files.php file from generating images. Omitting that line will allow the code to work, but offers less security.

http://codex.wordpress.org/Hardening_WordPress#Securing_wp-includes
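Added example (not part of the issue or of the project's code): a small Python model of the rule set quoted above, evaluated the way mod_rewrite sees paths in per-directory context (relative to the directory holding the .htaccess, no leading slash). It shows which requests get a 403, the `ms-files.php` caveat, and why an install in a subdirectory needs a prefix when the rules live in the site root. The `{{WP_DIR}}` placeholder name and the sample paths are assumptions made for illustration.

```python
import re

# Rule set from the issue, as (pattern, flag). "{{WP_DIR}}" is a hypothetical
# placeholder name: the WordPress directory relative to the .htaccess file.
TEMPLATE = [
    (r"^{{WP_DIR}}wp-admin/includes/", "F"),
    (r"!^{{WP_DIR}}wp-includes/", "S=3"),
    (r"^{{WP_DIR}}wp-includes/[^/]+\.php$", "F"),
    (r"^{{WP_DIR}}wp-includes/js/tinymce/langs/.+\.php", "F"),
    (r"^{{WP_DIR}}wp-includes/theme-compat/", "F"),
]

def render(wp_dir=""):
    """Fill the placeholder; wp_dir is "" (same directory) or e.g. "blog/"."""
    return [(p.replace("{{WP_DIR}}", re.escape(wp_dir)), f) for p, f in TEMPLATE]

def is_forbidden(rules, path):
    """Walk the rules top to bottom and report whether the request gets a 403."""
    i = 0
    while i < len(rules):
        pattern, flag = rules[i]
        negate = pattern.startswith("!")      # "!" inverts the match result
        hit = bool(re.search(pattern[1:] if negate else pattern, path)) != negate
        if hit and flag == "F":
            return True                       # [F] answers 403 and stops processing
        if hit and flag.startswith("S="):
            i += int(flag[2:])                # [S=n] skips the next n rules
        i += 1
    return False

# Constructed sample request paths, not taken from any real log.
SAMPLES = [
    "index.php",
    "wp-includes/version.php",
    "wp-includes/ms-files.php",               # the Multisite case from the note above
    "wp-includes/js/jquery/jquery.js",
    "wp-admin/includes/file.php",
    "blog/wp-includes/version.php",           # WordPress installed under blog/
]

def report(rules, paths=SAMPLES):
    """Map each sample path to True (403) or False (passes through)."""
    return {p: is_forbidden(rules, p) for p in paths}

if __name__ == "__main__":
    for label, rules in (("as posted", render()), ("WP_DIR=blog/", render("blog/"))):
        for path, blocked in report(rules).items():
            print(f"{label:14} {path:34} {'403' if blocked else 'pass'}")
```

With the rules as posted in a root-level .htaccess, `blog/wp-includes/version.php` passes through unblocked; rendering the placeholder as `blog/` blocks it.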

Placement of Directives

Shouldn't the boilerplate .htaccess directives go before the WordPress ones?

.htaccess being processed top-to-bottom, when the WordPress directives are placed earlier than the H5BP directives, it means the H5BP directives are processed too late, i.e. after WordPress has already processed requests.

Is this working?

I seem to be having a few problems with this.

Upon initial install of WordPress, and my theme, it does in fact create the .htaccess with the content from the h5bp-htaccess file as expected. The issue comes when editing that file and reuploading it.

I am expecting the .htaccess file in the root directory to update with the edited content, but it doesn't. I have tried flushing permalinks and this also has no effect.

The only way I am able to get it to update is to completely remove the .htaccess file from the server, then flush the permalinks.

Am I missing something here?

License.txt?

I don't mean to be obnoxious or anything. I acknowledge that you release your work out of the kindness of your heart and all that jazz, so please don't take this the wrong way.

For the sake of legal clarification, I think you should include a license.txt or license.md file. I know your current PHP file says that it's "MIT" licensed and has a URI to the license terms, but that can be misinterpreted to mean that only the PHP file is licensed. A license.txt file seems like it would be more concrete.

Vary Accept Encoding

I read that Vary Accept encoding was a good idea for performance and browser compatibility; I've added this to the h5bp-htaccess file.

Fix for older browsers that don't support Compression

Suggested here - http://blog.maxcdn.com/accept-encoding-its-vary-important/

Header append Vary: Accept-Encoding

Probably should do this as a pull request, let me know if it's an issue.

Thanks, Dave
