fix: harden WordPress content rendering

This commit is contained in:
bisco
2026-06-26 15:54:57 +02:00
parent 482928a296
commit 0762b98fc6
8 changed files with 43 additions and 18 deletions
+3 -2
View File
@@ -8,8 +8,9 @@ nor MariaDB publishes a host port; automated security checks guard this assumpti
The custom `azionelab` classic theme renders the public single page. Theme modifications
store the hero, manifesto, laboratory, teacher, lesson, and contact fields. The
`azionelab-content` must-use plugin registers Shows and Gallery custom post types so
structured editorial content survives a theme change. Images use WordPress featured
images with local SVG fallbacks.
structured editorial content survives a theme change. These custom post types are
editorial data sources for the homepage, not standalone public routes or REST
collections. Images use WordPress featured images with local SVG fallbacks.
WP-CLI is an opt-in tools-profile service. Its idempotent bootstrap installs WordPress,
activates the theme, configures the site, and creates realistic demo content. Certbot is
+3
View File
@@ -6,6 +6,9 @@
ignored and real secrets must come from the deployment secret manager.
- WordPress uses its normal capability, nonce, authentication, cookie, and password
controls. Theme settings sanitize input and templates escape output.
- Structured Shows and Gallery content is editable in WordPress admin but is consumed
by the homepage only; it is not exposed as standalone public routes or REST
collections.
- File editing is always disabled. Production also disables web-based core, theme, and
plugin changes; patched images are rebuilt and redeployed instead.
- XML-RPC and comments are disabled. NGINX blocks PHP execution below uploads, dotfiles,