diff --git a/inc/h5bp-.htaccess b/inc/h5bp-.htaccess
new file mode 100644
index 0000000..42c54b8
--- /dev/null
+++ b/inc/h5bp-.htaccess
@@ -0,0 +1,284 @@
+# ----------------------------------------------------------------------
+# Better website experience for IE users
+# ----------------------------------------------------------------------
+
+# Force the latest IE version, in various cases when it may fall back to IE7 mode
+# github.com/rails/rails/commit/123eb25#commitcomment-118920
+# Use ChromeFrame if it's installed for a better experience for the poor IE folk
+
+
+
+ BrowserMatch MSIE ie
+ Header set X-UA-Compatible "IE=Edge,chrome=1" env=ie
+
+
+
+
+# Because X-UA-Compatible isn't sent to non-IE (to save header bytes),
+# We need to inform proxies that content changes based on UA
+ Header append Vary User-Agent
+# Cache control is set only if mod_headers is enabled, so that's unncessary to declare
+
+
+
+# ----------------------------------------------------------------------
+# Cross-domain AJAX requests
+# ----------------------------------------------------------------------
+
+# Serve cross-domain ajax requests, disabled.
+# enable-cors.org
+# code.google.com/p/html5security/wiki/CrossOriginRequestSecurity
+
+#
+# Header set Access-Control-Allow-Origin "*"
+#
+
+
+
+# ----------------------------------------------------------------------
+# Webfont access
+# ----------------------------------------------------------------------
+
+# Allow access from all domains for webfonts.
+# Alternatively you could only whitelist your
+# subdomains like "sub.domain.com".
+
+
+
+ Header set Access-Control-Allow-Origin "*"
+
+
+
+
+
+# ----------------------------------------------------------------------
+# Proper MIME type for all files
+# ----------------------------------------------------------------------
+
+# Audio
+AddType audio/ogg oga ogg
+AddType audio/mp4 m4a
+
+# Video
+AddType video/ogg ogv
+AddType video/mp4 mp4 m4v
+AddType video/webm webm
+
+# Proper svg serving. Required for svg webfonts on iPad
+# twitter.com/FontSquirrel/status/14855840545
+AddType image/svg+xml svg svgz
+AddEncoding gzip svgz
+
+# Webfonts
+AddType application/vnd.ms-fontobject eot
+AddType application/x-font-ttf ttf ttc
+AddType font/opentype otf
+AddType application/x-font-woff woff
+
+# Assorted types
+AddType image/x-icon ico
+AddType image/webp webp
+AddType text/cache-manifest appcache manifest
+AddType text/x-component htc
+AddType application/x-chrome-extension crx
+AddType application/x-xpinstall xpi
+AddType application/octet-stream safariextz
+AddType text/x-vcard vcf
+
+
+
+# ----------------------------------------------------------------------
+# Gzip compression
+# ----------------------------------------------------------------------
+
+
+
+# Force deflate for mangled headers developer.yahoo.com/blogs/ydn/posts/2010/12/pushing-beyond-gzipping/
+
+
+ SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s,?\s(gzip|deflate)?|X{4,13}|~{4,13}|-{4,13})$ HAVE_Accept-Encoding
+ RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
+
+
+
+# HTML, TXT, CSS, JavaScript, JSON, XML, HTC:
+
+ FilterDeclare COMPRESS
+ FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html
+ FilterProvider COMPRESS DEFLATE resp=Content-Type $text/css
+ FilterProvider COMPRESS DEFLATE resp=Content-Type $text/javascript
+ FilterProvider COMPRESS DEFLATE resp=Content-Type $text/plain
+ FilterProvider COMPRESS DEFLATE resp=Content-Type $text/xml
+ FilterProvider COMPRESS DEFLATE resp=Content-Type $text/x-component
+ FilterProvider COMPRESS DEFLATE resp=Content-Type $application/javascript
+ FilterProvider COMPRESS DEFLATE resp=Content-Type $application/json
+ FilterProvider COMPRESS DEFLATE resp=Content-Type $application/xml
+ FilterProvider COMPRESS DEFLATE resp=Content-Type $application/x-javascript
+ FilterChain COMPRESS
+ FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no
+
+
+
+ # Legacy versions of Apache
+ AddOutputFilterByType DEFLATE text/html text/plain text/css application/json
+ AddOutputFilterByType DEFLATE text/javascript application/javascript application/x-javascript
+ AddOutputFilterByType DEFLATE text/xml application/xml text/x-component
+
+
+# Webfonts and SVG:
+
+ SetOutputFilter DEFLATE
+
+
+
+
+
+# ----------------------------------------------------------------------
+# Stop screen flicker in IE on CSS rollovers
+# ----------------------------------------------------------------------
+
+# The following directives stop screen flicker in IE on CSS rollovers - in
+# combination with the "ExpiresByType" rules for images (see above). If
+# needed, un-comment the following rules.
+
+# BrowserMatch "MSIE" brokenvary=1
+# BrowserMatch "Mozilla/4.[0-9]{2}" brokenvary=1
+# BrowserMatch "Opera" !brokenvary
+# SetEnvIf brokenvary 1 force-no-vary
+
+
+
+# ----------------------------------------------------------------------
+# Cookie setting from iframes
+# ----------------------------------------------------------------------
+
+# Allow cookies to be set from iframes (for IE only)
+# If needed, uncomment and specify a path or regex in the Location directive
+
+#
+#
+# Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\""
+#
+#
+
+
+
+# ----------------------------------------------------------------------
+# Prevent SSL cert warnings
+# ----------------------------------------------------------------------
+
+# Rewrite secure requests properly to prevent SSL cert warnings, e.g. prevent
+# https://www.domain.com when your cert only allows https://secure.domain.com
+# Uncomment the following lines to use this feature.
+
+#
+# RewriteCond %{SERVER_PORT} !^443
+# RewriteRule (.*) https://example-domain-please-change-me.com/$1 [R=301,L]
+#
+
+
+
+# ----------------------------------------------------------------------
+# Prevent 404 errors for non-existing redirected folders
+# ----------------------------------------------------------------------
+
+# without -MultiViews, Apache will give a 404 for a rewrite if a folder of the same name does not exist
+# e.g. /blog/hello : webmasterworld.com/apache/3808792.htm
+
+Options -MultiViews
+
+
+
+# ----------------------------------------------------------------------
+# UTF-8 encoding
+# ----------------------------------------------------------------------
+
+# Use UTF-8 encoding for anything served text/plain or text/html
+AddDefaultCharset utf-8
+
+# Force UTF-8 for a number of file formats
+AddCharset utf-8 .html .css .js .xml .json .rss
+
+
+
+# ----------------------------------------------------------------------
+# A little more security
+# ----------------------------------------------------------------------
+
+
+# Do we want to advertise the exact version number of Apache we're running?
+# Probably not.
+## This can only be enabled if used in httpd.conf - It will not work in .htaccess
+# ServerTokens Prod
+
+
+# "-Indexes" will have Apache block users from browsing folders without a default document
+# Usually you should leave this activated, because you shouldn't allow everybody to surf through
+# every folder on your server (which includes rather private places like CMS system folders).
+Options -Indexes
+
+
+# Block access to "hidden" directories whose names begin with a period. This
+# includes directories used by version control systems such as Subversion or Git.
+
+ RewriteRule "(^|/)\." - [F]
+
+
+
+# If your server is not already configured as such, the following directive
+# should be uncommented in order to set PHP's register_globals option to OFF.
+# This closes a major security hole that is abused by most XSS (cross-site
+# scripting) attacks. For more information: http://php.net/register_globals
+#
+# IF REGISTER_GLOBALS DIRECTIVE CAUSES 500 INTERNAL SERVER ERRORS :
+#
+# Your server does not allow PHP directives to be set via .htaccess. In that
+# case you must make this change in your php.ini file instead. If you are
+# using a commercial web host, contact the administrators for assistance in
+# doing this. Not all servers allow local php.ini files, and they should
+# include all PHP configurations (not just this one), or you will effectively
+# reset everything to PHP defaults. Consult www.php.net for more detailed
+# information about setting PHP directives.
+
+# php_flag register_globals Off
+
+# Rename session cookie to something else, than PHPSESSID
+# php_value session.name sid
+
+# Do not show you are using php
+# php_flag expose_php Off
+
+# Level of log detail - log all errors
+# php_value error_reporting -1
+
+# Write errors to log file
+# php_flag log_errors On
+
+# Do not display errors in browser (production - Off, development - On)
+# php_flag display_errors Off
+
+# Do not display startup errors (production - Off, development - On)
+# php_flag display_startup_errors Off
+
+# Format errors in plain text
+# php_flag html_errors Off
+
+# Show multiple occurrence of error
+# php_flag ignore_repeated_errors Off
+
+# Show same errors from different sources
+# php_flag ignore_repeated_source Off
+
+# Size limit for error messages
+# php_value log_errors_max_len 1024
+
+# Don't precede error with string (doesn't accept empty string, use whitespace if you need)
+# php_value error_prepend_string " "
+
+# Don't prepend to error (doesn't accept empty string, use whitespace if you need)
+# php_value error_append_string " "
+
+# Increase cookie security
+
+ php_value session.cookie_httponly true
+
\ No newline at end of file
diff --git a/inc/roots-htaccess.php b/inc/roots-htaccess.php
index 0dd8f9f..45fc70e 100644
--- a/inc/roots-htaccess.php
+++ b/inc/roots-htaccess.php
@@ -8,273 +8,23 @@ function roots_htaccess_writable() {
add_action('admin_init', 'roots_htaccess_writable');
-// thanks to Scott Walkinshaw (scottwalkinshaw.com)
+function roots_add_h5bp_htaccess($rules) {
+ global $wp_filesystem;
-function roots_add_htaccess($rules) {
+ if (!defined('FS_METHOD')) define('FS_METHOD', 'direct');
+ if (is_null($wp_filesystem)) WP_Filesystem(array(), ABSPATH);
+
+ if (!defined('WP_CONTENT_DIR'))
+ define('WP_CONTENT_DIR', ABSPATH . 'wp-content');
- $rules .= "\n# ----------------------------------------------------------------------";
- $rules .= "\n# Better website experience for IE users";
- $rules .= "\n# ----------------------------------------------------------------------";
- $rules .= "\n";
- $rules .= "\n# Force the latest IE version, in various cases when it may fall back to IE7 mode";
- $rules .= "\n# github.com/rails/rails/commit/123eb25#commitcomment-118920";
- $rules .= "\n# Use ChromeFrame if it's installed for a better experience for the poor IE folk";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n ";
- $rules .= "\n BrowserMatch MSIE ie";
- $rules .= "\n Header set X-UA-Compatible \"IE=Edge,chrome=1\" env=ie";
- $rules .= "\n ";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n# Because X-UA-Compatible isn't sent to non-IE (to save header bytes),";
- $rules .= "\n# We need to inform proxies that content changes based on UA";
- $rules .= "\n Header append Vary User-Agent";
- $rules .= "\n# Cache control is set only if mod_headers is enabled, so that's unncessary to declare";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n# ----------------------------------------------------------------------";
- $rules .= "\n# Cross-domain AJAX requests";
- $rules .= "\n# ----------------------------------------------------------------------";
- $rules .= "\n";
- $rules .= "\n# Serve cross-domain ajax requests, disabled. ";
- $rules .= "\n# enable-cors.org";
- $rules .= "\n# code.google.com/p/html5security/wiki/CrossOriginRequestSecurity";
- $rules .= "\n";
- $rules .= "\n# ";
- $rules .= "\n# Header set Access-Control-Allow-Origin "*"";
- $rules .= "\n# ";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n# ----------------------------------------------------------------------";
- $rules .= "\n# Webfont access";
- $rules .= "\n# ----------------------------------------------------------------------";
- $rules .= "\n";
- $rules .= "\n# allow access from all domains for webfonts";
- $rules .= "\n# alternatively you could only whitelist";
- $rules .= "\n# your subdomains like \"sub.domain.com\"";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n ";
- $rules .= "\n Header set Access-Control-Allow-Origin "*"";
- $rules .= "\n ";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n# ----------------------------------------------------------------------";
- $rules .= "\n# Proper MIME type for all files";
- $rules .= "\n# ----------------------------------------------------------------------";
- $rules .= "\n";
- $rules .= "\n# audio";
- $rules .= "\nAddType audio/ogg oga ogg";
- $rules .= "\n";
- $rules .= "\n# video";
- $rules .= "\nAddType video/ogg ogv";
- $rules .= "\nAddType video/mp4 mp4";
- $rules .= "\nAddType video/webm webm";
- $rules .= "\n";
- $rules .= "\n# Proper svg serving. Required for svg webfonts on iPad";
- $rules .= "\n# twitter.com/FontSquirrel/status/14855840545";
- $rules .= "\nAddType image/svg+xml svg svgz ";
- $rules .= "\nAddEncoding gzip svgz";
- $rules .= "\n ";
- $rules .= "\n# webfonts ";
- $rules .= "\nAddType application/vnd.ms-fontobject eot";
- $rules .= "\nAddType font/truetype ttf";
- $rules .= "\nAddType font/opentype otf";
- $rules .= "\nAddType application/x-font-woff woff";
- $rules .= "\n";
- $rules .= "\n# assorted types ";
- $rules .= "\nAddType image/x-icon ico";
- $rules .= "\nAddType image/webp webp";
- $rules .= "\nAddType text/cache-manifest appcache manifest";
- $rules .= "\nAddType text/x-component htc";
- $rules .= "\nAddType application/x-chrome-extension crx";
- $rules .= "\nAddType application/x-xpinstall xpi";
- $rules .= "\nAddType application/octet-stream safariextz";
- $rules .= "\nAddType text/x-vcard vcf";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n# ----------------------------------------------------------------------";
- $rules .= "\n# gzip compression";
- $rules .= "\n# ----------------------------------------------------------------------";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n# force deflate for mangled headers developer.yahoo.com/blogs/ydn/posts/2010/12/pushing-beyond-gzipping/";
- $rules .= "\n";
- $rules .= "\n ";
- $rules .= "\n SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s,?\s(gzip|deflate)?|X{4,13}|~{4,13}|-{4,13})$ HAVE_Accept-Encoding";
- $rules .= "\n RequestHeader append Accept-Encoding \"gzip,deflate\" env=HAVE_Accept-Encoding";
- $rules .= "\n ";
- $rules .= "\n";
- $rules .= "\n# html, txt, css, js, json, xml, htc:";
- $rules .= "\n";
- $rules .= "\n FilterDeclare COMPRESS";
- $rules .= "\n FilterProvider COMPRESS DEFLATE resp=Content-Type /text/(html|css|javascript|plain|x(ml|-component))/";
- $rules .= "\n FilterProvider COMPRESS DEFLATE resp=Content-Type /application/(javascript|json|xml|x-javascript)/";
- $rules .= "\n FilterChain COMPRESS";
- $rules .= "\n FilterProtocol COMPRESS change=yes;byteranges=no";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n # Legacy versions of Apache";
- $rules .= "\n AddOutputFilterByType DEFLATE text/html text/plain text/css application/json";
- $rules .= "\n AddOutputFilterByType DEFLATE text/javascript application/javascript application/x-javascript ";
- $rules .= "\n AddOutputFilterByType DEFLATE text/xml application/xml text/x-component";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n# webfonts and svg:";
- $rules .= "\n ";
- $rules .= "\n SetOutputFilter DEFLATE";
- $rules .= "\n ";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n# ----------------------------------------------------------------------";
- $rules .= "\n# Stop screen flicker in IE on CSS rollovers";
- $rules .= "\n# ----------------------------------------------------------------------";
- $rules .= "\n";
- $rules .= "\n# The following directives stop screen flicker in IE on CSS rollovers - in";
- $rules .= "\n# combination with the \"ExpiresByType\" rules for images (see above). If";
- $rules .= "\n# needed, un-comment the following rules.";
- $rules .= "\n";
- $rules .= "\n# BrowserMatch \"MSIE\" brokenvary=1";
- $rules .= "\n# BrowserMatch \"Mozilla/4.[0-9]{2}\" brokenvary=1";
- $rules .= "\n# BrowserMatch \"Opera\" !brokenvary";
- $rules .= "\n# SetEnvIf brokenvary 1 force-no-vary";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n# ----------------------------------------------------------------------";
- $rules .= "\n# Prevent SSL cert warnings";
- $rules .= "\n# ----------------------------------------------------------------------";
- $rules .= "\n";
- $rules .= "\n# Rewrite secure requests properly to prevent SSL cert warnings, e.g. prevent ";
- $rules .= "\n# https://www.domain.com when your cert only allows https://secure.domain.com";
- $rules .= "\n# Uncomment the following lines to use this feature.";
- $rules .= "\n";
- $rules .= "\n# ";
- $rules .= "\n# RewriteCond %{SERVER_PORT} !^443";
- $rules .= "\n# RewriteRule (.*) https://example-domain-please-change-me.com/$1 [R=301,L]";
- $rules .= "\n# ";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n# ----------------------------------------------------------------------";
- $rules .= "\n# Prevent 404 errors for non-existing redirected folders";
- $rules .= "\n# ----------------------------------------------------------------------";
- $rules .= "\n";
- $rules .= "\n# without -MultiViews, Apache will give a 404 for a rewrite if a folder of the same name does not exist ";
- $rules .= "\n# e.g. /blog/hello : webmasterworld.com/apache/3808792.htm";
- $rules .= "\n";
- $rules .= "\nOptions -MultiViews ";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n# ----------------------------------------------------------------------";
- $rules .= "\n# UTF-8 encoding";
- $rules .= "\n# ----------------------------------------------------------------------";
- $rules .= "\n";
- $rules .= "\n# use utf-8 encoding for anything served text/plain or text/html";
- $rules .= "\nAddDefaultCharset utf-8";
- $rules .= "\n";
- $rules .= "\n# force utf-8 for a number of file formats";
- $rules .= "\nAddCharset utf-8 .html .css .js .xml .json .rss";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n# ----------------------------------------------------------------------";
- $rules .= "\n# A little more security";
- $rules .= "\n# ----------------------------------------------------------------------";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n# Do we want to advertise the exact version number of Apache we're running?";
- $rules .= "\n# Probably not.";
- $rules .= "\n## This can only be enabled if used in httpd.conf - It will not work in .htaccess";
- $rules .= "\n# ServerTokens Prod";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n# \"-Indexes\" will have Apache block users from browsing folders without a default document";
- $rules .= "\n# Usually you should leave this activated, because you shouldn't allow everybody to surf through";
- $rules .= "\n# every folder on your server (which includes rather private places like CMS system folders).";
- $rules .= "\nOptions -Indexes";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n# Block access to \"hidden\" directories whose names begin with a period. This";
- $rules .= "\n# includes directories used by version control systems such as Subversion or Git.";
- $rules .= "\n";
- $rules .= "\n RewriteRule \"(^|/)\.\" - [F]";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n";
- $rules .= "\n# If your server is not already configured as such, the following directive";
- $rules .= "\n# should be uncommented in order to set PHP's register_globals option to OFF.";
- $rules .= "\n# This closes a major security hole that is abused by most XSS (cross-site";
- $rules .= "\n# scripting) attacks. For more information: http://php.net/register_globals";
- $rules .= "\n#";
- $rules .= "\n# IF REGISTER_GLOBALS DIRECTIVE CAUSES 500 INTERNAL SERVER ERRORS :";
- $rules .= "\n#";
- $rules .= "\n# Your server does not allow PHP directives to be set via .htaccess. In that";
- $rules .= "\n# case you must make this change in your php.ini file instead. If you are";
- $rules .= "\n# using a commercial web host, contact the administrators for assistance in";
- $rules .= "\n# doing this. Not all servers allow local php.ini files, and they should";
- $rules .= "\n# include all PHP configurations (not just this one), or you will effectively";
- $rules .= "\n# reset everything to PHP defaults. Consult www.php.net for more detailed";
- $rules .= "\n# information about setting PHP directives.";
- $rules .= "\n";
- $rules .= "\n# php_flag register_globals Off";
- $rules .= "\n";
- $rules .= "\n# rename session cookie to something else, than PHPSESSID";
- $rules .= "\n# php_value session.name sid";
- $rules .= "\n";
- $rules .= "\n# do not show you are using php";
- $rules .= "\n# php_flag expose_php Off";
- $rules .= "\n";
- $rules .= "\n# level of log detail - log all errors";
- $rules .= "\n# php_value error_reporting -1";
- $rules .= "\n";
- $rules .= "\n# write errors to log file";
- $rules .= "\n# php_flag log_errors On";
- $rules .= "\n";
- $rules .= "\n# do not display errors in browser (production - Off, development - On)";
- $rules .= "\n# php_flag display_errors Off";
- $rules .= "\n";
- $rules .= "\n# do not display startup errors (production - Off, development - On)";
- $rules .= "\n# php_flag display_startup_errors Off";
- $rules .= "\n";
- $rules .= "\n# format errors in plain text";
- $rules .= "\n# php_flag html_errors Off";
- $rules .= "\n";
- $rules .= "\n# show multiple occurrence of error";
- $rules .= "\n# php_flag ignore_repeated_errors Off";
- $rules .= "\n";
- $rules .= "\n# show same errors from different sources";
- $rules .= "\n# php_flag ignore_repeated_source Off";
- $rules .= "\n";
- $rules .= "\n# size limit for error messages";
- $rules .= "\n# php_value log_errors_max_len 1024";
- $rules .= "\n";
- $rules .= "\n# don't precede error with string (doesn't accept empty string, use whitespace if you need)";
- $rules .= "\n# php_value error_prepend_string \" \"";
- $rules .= "\n";
- $rules .= "\n# don't prepend to error (doesn't accept empty string, use whitespace if you need)";
- $rules .= "\n# php_value error_append_string \" \"";
- $rules .= "\n";
- $rules .= "\n# Increase cookie security";
- $rules .= "\n";
- $rules .= "\n php_value session.cookie_httponly true";
- $rules .= "\n";
+ $theme_name = next(explode('/themes/', get_template_directory()));
+ $filename = WP_CONTENT_DIR . '/themes/' . $theme_name . '/inc/h5bp-.htaccess';
+
+ $rules .= $wp_filesystem->get_contents($filename);
return $rules;
}
-add_action('mod_rewrite_rules', 'roots_add_htaccess');
-?>
+add_action('mod_rewrite_rules', 'roots_add_h5bp_htaccess');
+
+?>
\ No newline at end of file