diff --git a/CHANGELOG.md b/CHANGELOG.md index 622879b..f82a5f2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Move HTML5 Boilerplate's .htaccess to a [plugin](https://github.com/retlehs/wp-h5bp-htaccess) * Rename page-custom.php to template-custom.php * Don't warn about unwritable htaccess if that option is disabled * Add missing collapse class for top navbar diff --git a/README.md b/README.md index ae68a5d..251ab02 100644 --- a/README.md +++ b/README.md @@ -27,7 +27,7 @@ Take a look at the [documentation table of contents](doc/TOC.md). ## Features -* HTML5 Boilerplate’s markup and `.htaccess` +* HTML5 Boilerplate’s markup * Bootstrap from Twitter * [Theme wrapper](doc/wrapper.md) * Root relative URLs diff --git a/doc/lib.md b/doc/lib.md index 4a50400..f0ba1d4 100644 --- a/doc/lib.md +++ b/doc/lib.md @@ -31,22 +31,6 @@ If you don't want to use one of the features, either comment out the line or rem `roots_display_sidebar()` is used to define which pages shouldn't get the sidebar. By default, the 404, front `front-page.php` and `template-custom.php` templates are full width. If you would like to remove the sidebar from additional pages, add in the appropriate conditional or page template name. -### h5bp-htaccess - -This file contains HTML5 Boilerplate's `.htaccess` which is automatically added by `htaccess.php` if enabled in `config.php`. There are a few changes to the H5BP version: - -* Added block to access WordPress files that reveal version information (`wp-config.php`, `readme.html`, `license.txt`) -* Commented out expires headers (we recommend the use of [W3 Total Cache](http://wordpress.org/extend/plugins/w3-total-cache/)) -* Commented out ETag removal (we recommend the use of [W3 Total Cache](http://wordpress.org/extend/plugins/w3-total-cache/)) -* Commented out start rewrite engine (handled by WordPress) -* Commented out suppress/force www (handled by WordPress) -* Commented out `Options -MultiViews` (causes a server 500 error on most shared hosts) -* Commented out custom 404 page (handled by WordPress) - -### htaccess.php - -This file handles the HTML5 Boilerplate `.htaccess`. - ### init.php This file runs the initial theme setup and defines helper constants for later use diff --git a/doc/rewrites.md b/doc/rewrites.md index dec00b7..2728b03 100644 --- a/doc/rewrites.md +++ b/doc/rewrites.md @@ -12,8 +12,6 @@ Rewrite: 3. `/wp-content/themes/themename/assets/img/` to `/assets/img/` 4. `/wp-content/plugins/` -> `/plugins/` -If HTML5 Boilerplate's `.htaccess` support is enabled in `lib/config.php`, then the `generate_rewrite_rules()` filter is used to automatically add the contents of `lib/h5bp-htaccess` to your `.htaccess` file. - ## Alternative server configurations ### Nginx diff --git a/doc/usage.md b/doc/usage.md index 84ad848..12ba501 100755 --- a/doc/usage.md +++ b/doc/usage.md @@ -38,8 +38,6 @@ A basic Roots theme initially looks like this: │ ├── cleanup.php │ ├── config.php │ ├── custom.php -│ ├── h5bp-htaccess -│ ├── htaccess.php │ ├── init.php │ ├── nav.php │ ├── rewrites.php diff --git a/functions.php b/functions.php index fef4745..8a6ff6a 100644 --- a/functions.php +++ b/functions.php @@ -11,7 +11,6 @@ require_once locate_template('/lib/cleanup.php'); // Cleanup require_once locate_template('/lib/nav.php'); // Custom nav modifications require_once locate_template('/lib/comments.php'); // Custom comments modifications require_once locate_template('/lib/rewrites.php'); // URL rewriting for assets -require_once locate_template('/lib/htaccess.php'); // HTML5 Boilerplate .htaccess require_once locate_template('/lib/widgets.php'); // Sidebars and widgets require_once locate_template('/lib/scripts.php'); // Scripts and stylesheets require_once locate_template('/lib/custom.php'); // Custom functions diff --git a/lib/config.php b/lib/config.php index 9999198..a2c3caa 100644 --- a/lib/config.php +++ b/lib/config.php @@ -4,7 +4,6 @@ */ add_theme_support('root-relative-urls'); // Enable relative URLs add_theme_support('rewrites'); // Enable URL rewrites -add_theme_support('h5bp-htaccess'); // Enable HTML5 Boilerplate's .htaccess add_theme_support('bootstrap-top-navbar'); // Enable Bootstrap's top navbar add_theme_support('bootstrap-gallery'); // Enable Bootstrap's thumbnails component on [gallery] add_theme_support('nice-search'); // Enable /?s= to /search/ redirect diff --git a/lib/h5bp-htaccess b/lib/h5bp-htaccess deleted file mode 100644 index 8c9e6a9..0000000 --- a/lib/h5bp-htaccess +++ /dev/null @@ -1,421 +0,0 @@ -# BEGIN HTML5 Boilerplate - -### -### This contains the HTML5 Boilerplate .htaccess that can be found at: -### https://github.com/h5bp/server-configs/blob/master/apache/.htaccess -### -### Added: -### Block access to WordPress files that reveal version information. -### -### Removed: -### Expires headers: Use W3 Total Cache -### ETag removal: Use W3 Total Cache -### Start rewrite engine: Handled by WordPress -### Suppress/force www: Handled by WordPress -### Custom 404 page: Handled by WordPress -### -### Commmented out by default: -### Options -MultiViews: Causes a server 500 error on most shared hosts -### -### Anytime you update this file the .htaccess file in the root of your -### WordPress install is automatically updated with the changes whenever -### the permalinks are flushed or set (see lib/htaccess.php) -### - -# ############################################################################## -# # CROSS-ORIGIN RESOURCE SHARING (CORS) # -# ############################################################################## - -# ------------------------------------------------------------------------------ -# | Cross-domain AJAX requests | -# ------------------------------------------------------------------------------ - -# Enable cross-origin AJAX requests. -# http://code.google.com/p/html5security/wiki/CrossOriginRequestSecurity -# http://enable-cors.org/ - -# -# Header set Access-Control-Allow-Origin "*" -# - -# ------------------------------------------------------------------------------ -# | CORS-enabled images | -# ------------------------------------------------------------------------------ - -# Send the CORS header for images when browsers request it. -# https://developer.mozilla.org/en/CORS_Enabled_Image -# http://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html -# http://hacks.mozilla.org/2011/11/using-cors-to-load-webgl-textures-from-cross-domain-images/ - - - - - SetEnvIf Origin ":" IS_CORS - Header set Access-Control-Allow-Origin "*" env=IS_CORS - - - - -# ------------------------------------------------------------------------------ -# | Web fonts access | -# ------------------------------------------------------------------------------ - -# Allow access from all domains for web fonts - - - - Header set Access-Control-Allow-Origin "*" - - - - -# ############################################################################## -# # ERRORS # -# ############################################################################## - -# ------------------------------------------------------------------------------ -# | 404 error prevention for non-existing redirected folders | -# ------------------------------------------------------------------------------ - -# Prevent Apache from returning a 404 error for a rewrite if a directory -# with the same name does not exist. -# http://httpd.apache.org/docs/current/content-negotiation.html#multiviews -# http://www.webmasterworld.com/apache/3808792.htm - -# Options -MultiViews - - -# ############################################################################## -# # INTERNET EXPLORER # -# ############################################################################## - -# ------------------------------------------------------------------------------ -# | Better website experience | -# ------------------------------------------------------------------------------ - -# Force IE to render pages in the highest available mode in the various -# cases when it may not: http://hsivonen.iki.fi/doctype/ie-mode.pdf. -# Use, if installed, Google Chrome Frame. - - - Header set X-UA-Compatible "IE=edge,chrome=1" - # `mod_headers` can't match based on the content-type, however, we only - # want to send this header for HTML pages and not for the other resources - - Header unset X-UA-Compatible - - - -# ------------------------------------------------------------------------------ -# | Cookie setting from iframes | -# ------------------------------------------------------------------------------ - -# Allow cookies to be set from iframes in IE. - -# -# Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"" -# - -# ------------------------------------------------------------------------------ -# | Screen flicker | -# ------------------------------------------------------------------------------ - -# Stop screen flicker in IE on CSS rollovers (this only works in -# combination with the `ExpiresByType` directives for images from below). - -# BrowserMatch "MSIE" brokenvary=1 -# BrowserMatch "Mozilla/4.[0-9]{2}" brokenvary=1 -# BrowserMatch "Opera" !brokenvary -# SetEnvIf brokenvary 1 force-no-vary - - -# ############################################################################## -# # MIME TYPES AND ENCODING # -# ############################################################################## - -# ------------------------------------------------------------------------------ -# | Proper MIME types for all files | -# ------------------------------------------------------------------------------ - - - - # Audio - AddType audio/mp4 m4a f4a f4b - AddType audio/ogg oga ogg - - # JavaScript - # Normalize to standard type (it's sniffed in IE anyways): - # http://tools.ietf.org/html/rfc4329#section-7.2 - AddType application/javascript js jsonp - AddType application/json json - - # Video - AddType video/mp4 mp4 m4v f4v f4p - AddType video/ogg ogv - AddType video/webm webm - AddType video/x-flv flv - - # Web fonts - AddType application/font-woff woff - AddType application/vnd.ms-fontobject eot - - # Browsers usually ignore the font MIME types and sniff the content, - # however, Chrome shows a warning if other MIME types are used for the - # following fonts. - AddType application/x-font-ttf ttc ttf - AddType font/opentype otf - - # Make SVGZ fonts work on iPad: - # https://twitter.com/FontSquirrel/status/14855840545 - AddType image/svg+xml svg svgz - AddEncoding gzip svgz - - # Other - AddType application/octet-stream safariextz - AddType application/x-chrome-extension crx - AddType application/x-opera-extension oex - AddType application/x-shockwave-flash swf - AddType application/x-web-app-manifest+json webapp - AddType application/x-xpinstall xpi - AddType application/xml atom rdf rss xml - AddType image/webp webp - AddType image/x-icon ico - AddType text/cache-manifest appcache manifest - AddType text/vtt vtt - AddType text/x-component htc - AddType text/x-vcard vcf - - - -# ------------------------------------------------------------------------------ -# | UTF-8 encoding | -# ------------------------------------------------------------------------------ - -# Use UTF-8 encoding for anything served as `text/html` or `text/plain`. -AddDefaultCharset utf-8 - -# Force UTF-8 for certain file formats. - - AddCharset utf-8 .atom .css .js .json .rss .vtt .webapp .xml - - - -# ############################################################################## -# # SECURITY # -# ############################################################################## - -# ------------------------------------------------------------------------------ -# | Content Security Policy (CSP) | -# ------------------------------------------------------------------------------ - -# You can mitigate the risk of cross-site scripting and other content-injection -# attacks by setting a Content Security Policy which whitelists trusted sources -# of content for your site. - -# The example header below allows ONLY scripts that are loaded from the current -# site's origin (no inline scripts, no CDN, etc). This almost certainly won't -# work as-is for your site! - -# To get all the details you'll need to craft a reasonable policy for your site, -# read: http://html5rocks.com/en/tutorials/security/content-security-policy (or -# see the specification: http://w3.org/TR/CSP). - -# -# Header set Content-Security-Policy "script-src 'self'; object-src 'self'" -# -# Header unset Content-Security-Policy -# -# - -# ------------------------------------------------------------------------------ -# | File access | -# ------------------------------------------------------------------------------ - -# Block access to directories without a default document. -# Usually you should leave this uncommented because you shouldn't allow anyone -# to surf through every directory on your server (which may includes rather -# private places like the CMS's directories). - - - Options -Indexes - - -# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -# Block access to hidden files and directories. -# This includes directories used by version control systems such as Git and SVN. - - - RewriteCond %{SCRIPT_FILENAME} -d [OR] - RewriteCond %{SCRIPT_FILENAME} -f - RewriteRule "(^|/)\." - [F] - - -# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -# Block access to backup and source files. -# These files may be left by some text editors and can pose a great security -# danger when anyone has access to them. - - - Order allow,deny - Deny from all - Satisfy All - - -# Block access to WordPress files that reveal version information. - - Order allow,deny - Deny from all - Satisfy All - - -# ------------------------------------------------------------------------------ -# | Secure Sockets Layer (SSL) | -# ------------------------------------------------------------------------------ - -# Rewrite secure requests properly to prevent SSL certificate warnings, e.g.: -# prevent `https://www.example.com` when your certificate only allows -# `https://secure.example.com`. - -# -# RewriteCond %{SERVER_PORT} !^443 -# RewriteRule ^ https://example-domain-please-change-me.com%{REQUEST_URI} [R=301,L] -# - -# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -# Force client-side SSL redirection. - -# If a user types "example.com" in his browser, the above rule will redirect him -# to the secure version of the site. That still leaves a window of opportunity -# (the initial HTTP connection) for an attacker to downgrade or redirect the -# request. The following header ensures that browser will ONLY connect to your -# server via HTTPS, regardless of what the users type in the address bar. -# http://www.html5rocks.com/en/tutorials/security/transport-layer-security/ - -# -# Header set Strict-Transport-Security max-age=16070400; -# - -# ------------------------------------------------------------------------------ -# | Server software information | -# ------------------------------------------------------------------------------ - -# Avoid displaying the exact Apache version number, the description of the -# generic OS-type and the information about Apache's compiled-in modules. - -# ADD THIS DIRECTIVE IN THE `httpd.conf` AS IT WILL NOT WORK IN THE `.htaccess`! - -# ServerTokens Prod - - -# ############################################################################## -# # WEB PERFORMANCE # -# ############################################################################## - -# ------------------------------------------------------------------------------ -# | Compression | -# ------------------------------------------------------------------------------ - - - - # Force compression for mangled headers. - # http://developer.yahoo.com/blogs/ydn/posts/2010/12/pushing-beyond-gzipping - - - SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding - RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding - - - - # Compress all output labeled with one of the following MIME-types - # (for Apache versions below 2.3.7, you don't need to enable `mod_filter` - # and can remove the `` and `` lines - # as `AddOutputFilterByType` is still in the core directives). - - AddOutputFilterByType DEFLATE application/atom+xml \ - application/javascript \ - application/json \ - application/rss+xml \ - application/vnd.ms-fontobject \ - application/x-font-ttf \ - application/x-web-app-manifest+json \ - application/xhtml+xml \ - application/xml \ - font/opentype \ - image/svg+xml \ - image/x-icon \ - text/css \ - text/html \ - text/plain \ - text/x-component \ - text/xml - - - - -# ------------------------------------------------------------------------------ -# | Content transformations | -# ------------------------------------------------------------------------------ - -# Prevent some of the mobile network providers from modifying the content of -# your site: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.5. - -# -# Header set Cache-Control "no-transform" -# - -# ------------------------------------------------------------------------------ -# | Filename-based cache busting | -# ------------------------------------------------------------------------------ - -# If you're not using a build process to manage your filename version revving, -# you might want to consider enabling the following directives to route all -# requests such as `/css/style.12345.css` to `/css/style.css`. - -# To understand why this is important and a better idea than `*.css?v231`, read: -# http://stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring - -# -# RewriteCond %{REQUEST_FILENAME} !-f -# RewriteCond %{REQUEST_FILENAME} !-d -# RewriteRule ^(.+)\.(\d+)\.(js|css|png|jpg|gif)$ $1.$3 [L] -# - -# ------------------------------------------------------------------------------ -# | File concatenation | -# ------------------------------------------------------------------------------ - -# Allow concatenation from within specific CSS and JS files, e.g.: -# Inside of `script.combined.js` you could have -# -# -# and they would be included into this single file. - -# -# -# Options +Includes -# AddOutputFilterByType INCLUDES application/javascript application/json -# SetOutputFilter INCLUDES -# -# -# Options +Includes -# AddOutputFilterByType INCLUDES text/css -# SetOutputFilter INCLUDES -# -# - -# ------------------------------------------------------------------------------ -# | Persistent connections | -# ------------------------------------------------------------------------------ - -# Allow multiple requests to be sent over the same TCP connection: -# http://httpd.apache.org/docs/current/en/mod/core.html#keepalive. - -# Enable if you serve a lot of static content but, be aware of the -# possible disadvantages! - -# -# Header set Connection Keep-Alive -# diff --git a/lib/htaccess.php b/lib/htaccess.php deleted file mode 100644 index 57923a8..0000000 --- a/lib/htaccess.php +++ /dev/null @@ -1,26 +0,0 @@ -using_mod_rewrite_permalinks()) || is_writable($htaccess_file)) { - if ($mod_rewrite_enabled) { - $h5bp_rules = extract_from_markers($htaccess_file, 'HTML5 Boilerplate'); - if ($h5bp_rules === array()) { - $filename = dirname(__FILE__) . '/h5bp-htaccess'; - return insert_with_markers($htaccess_file, 'HTML5 Boilerplate', extract_from_markers($filename, 'HTML5 Boilerplate')); - } - } - } - - return $content; -} - -if (current_theme_supports('h5bp-htaccess')) { - add_action('generate_rewrite_rules', 'roots_add_h5bp_htaccess'); -} diff --git a/lib/utils.php b/lib/utils.php index d2c7030..395c93c 100644 --- a/lib/utils.php +++ b/lib/utils.php @@ -85,20 +85,6 @@ function roots_title() { } } -/** - * Show an admin notice if .htaccess isn't writable - */ -function roots_htaccess_writable() { - if (!is_writable(get_home_path() . '.htaccess')) { - if (current_user_can('administrator')) { - add_action('admin_notices', create_function('', "echo '

" . sprintf(__('Please make sure your .htaccess file is writable ', 'roots'), admin_url('options-permalink.php')) . "

';")); - } - } -} -if (current_theme_supports('h5bp-htaccess')) { - add_action('admin_init', 'roots_htaccess_writable'); -} - /** * Return WordPress subdirectory if applicable */