{"id":50637394,"url":"https://github.com/fifoqueue/hide-wp-surface","last_synced_at":"2026-06-07T04:02:18.731Z","repository":{"id":362908822,"uuid":"1261223398","full_name":"fifoqueue/hide-wp-surface","owner":"fifoqueue","description":"Hide WordPress files and directories, and removes unnecessary metadata for enhanced security.","archived":false,"fork":false,"pushed_at":"2026-06-06T15:11:51.000Z","size":195,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-06-06T15:13:54.603Z","etag":null,"topics":["wordpress"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fifoqueue.png","metadata":{"files":{"readme":"readme.txt","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-06T12:00:38.000Z","updated_at":"2026-06-06T15:04:38.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/fifoqueue/hide-wp-surface","commit_stats":null,"previous_names":["fifoqueue/hide-wp"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/fifoqueue/hide-wp-surface","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fifoqueue%2Fhide-wp-surface","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fifoqueue%2Fhide-wp-surface/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fifoqueue%2Fhide-wp-surface/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fifoqueue%2Fhide-wp-surface/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fifoqueue","download_url":"https://codeload.github.com/fifoqueue/hide-wp-surface/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fifoqueue%2Fhide-wp-surface/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34008068,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-07T02:00:07.652Z","response_time":124,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["wordpress"],"created_at":"2026-06-07T04:02:18.061Z","updated_at":"2026-06-07T04:02:18.700Z","avatar_url":"https://github.com/fifoqueue.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"=== Hide WP Surface ===\nContributors: fifoqueue\nRequires at least: 7.0\nTested up to: 7.0\nRequires PHP: 8.3\nStable tag: 0.1.29\nLicense: GPLv2 or later\nLicense URI: https://www.gnu.org/licenses/gpl-2.0.html\n\nHides the WordPress login route and exposes verified aliases for common WordPress paths without editing server configuration automatically.\n\n== Description ==\n\nHide WP Surface reduces common WordPress fingerprints and automated requests:\n\n* Replaces wp-login.php with a configurable login path.\n* Exposes independently selectable verified aliases for wp-admin, wp-content, and wp-includes.\n* Sends original server paths to the active theme's 404 template only after loopback verification succeeds.\n* Sends nonessential readme, license, and sample configuration disclosure files to the theme 404 while aliases are active.\n* Rewrites core, plugin, theme, media, responsive image, redirect, and HTML attribute URLs.\n* Removes optional generator, discovery, pingback, and core version hints.\n* Uses generic login errors to reduce account enumeration feedback.\n* Provides an emergency recovery constant and recovery file.\n\nPath hiding is not an authentication or authorization boundary. Keep WordPress, plugins, and themes updated and use strong passwords, MFA, rate limiting, backups, and a WAF where appropriate.\n\n== Requirements ==\n\n* WordPress 7.0 or later.\n* PHP 8.3 or later.\n* HTTPS.\n* Apache 2.4 with mod_rewrite and .htaccess overrides, or a security-patched Nginx build. For upstream Nginx, use 1.30.2/1.31.1 or later.\n* A single-site installation. Multisite is intentionally unsupported.\n* wp-content must use the same origin and URL directory as the WordPress installation.\n* The WordPress URL directory must contain only ASCII letters, numbers, dots, underscores, tildes, and hyphens.\n\n== Installation ==\n\n1. Install and activate the plugin.\n2. Open Settings \u003e Hide WP Surface.\n3. Save the desired paths and integration options.\n4. Back up the web server configuration.\n5. Replace any older Hide WP Surface block, then install the generated Apache or Nginx block exactly where the settings page instructs.\n6. Reload Nginx when applicable.\n7. Verify the login path. The original wp-login.php remains available until this check passes.\n8. Select Verify and Enable for wp-admin, wp-content, and wp-includes aliases.\n\nThe plugin does not edit .htaccess, Nginx configuration, or virtual host files. Server configuration is an infrastructure boundary and must remain under the operator's control.\n\nThe generated Nginx block uses the rewrite module. Do not deploy it on an upstream Nginx release affected by CVE-2026-9256. The login alias is rewritten directly to wp-login.php so login, SSO, and OIDC plugins run through the native WordPress login bootstrap.\n\n\n== Automatic Updates ==\n\nHide WP Surface can check GitHub Releases for updates. Configure the repository and optional GitHub token on Settings \u003e Hide WP Surface. A token is recommended for private repositories or hosts that hit GitHub's unauthenticated API rate limit.\n\nTo publish an update with the included GitHub Actions workflow:\n\n1. Bump the `Version` header in `hide-wp.php`, `HIDE_WP_VERSION`, and the `Stable tag` in `readme.txt`.\n2. Add a changelog entry for the new version.\n3. Commit the change and push it to `main` or `master`.\n4. The workflow reads the plugin version, creates the matching tag such as `v0.1.20`, builds `hide-wp-surface.zip`, and uploads it to the GitHub Release.\n5. If the matching version tag already exists, the workflow fails so an existing release is not overwritten accidentally.\n\nThe updater prefers release assets named `hide-wp-surface.zip`, `hide-wp-master.zip`, or `hide-wp.zip`, and otherwise uses the first `.zip` release asset. Commits update WordPress only after the workflow creates a versioned GitHub Release with a ZIP asset.\n\n`HIDE_WP_GITHUB_REPOSITORY`, `HIDE_WP_GITHUB_TOKEN`, and `HIDE_WP_DISABLE_GITHUB_UPDATER` constants are still honored for operators who need environment-level overrides, but the plugin settings are the normal configuration path.\n\n== Emergency Recovery ==\n\nFor PHP-side recovery only, add the following to wp-config.php:\n\n`define( 'HIDE_WP_RECOVERY_MODE', true );`\n\nFor full recovery from generated Apache or Nginx rules, create an empty file named `.hide-wp-recovery` in the WordPress root directory.\n\nThe generated server rules cannot read a PHP constant. They check the recovery file and immediately stop aliases and original-path blocking. Remove the constant or file only after correcting the configuration.\n\n== Compatibility Notes ==\n\nPlugins or themes that hard-code original WordPress URLs in opaque JavaScript, custom JSON, or third-party caches may need their own URL filters or cache purge. Verify changes on staging before production.\n\nThe plugin intentionally does not disable REST, XML-RPC, AJAX, cron, feeds, media, updates, or plugin/theme APIs because doing so can break normal WordPress behavior.\n\n== Privacy ==\n\nThe plugin sends no telemetry. Route verification requests are loopback requests to the configured WordPress origin. When GitHub update checks are enabled, the plugin contacts the configured GitHub repository and GitHub API to retrieve release metadata and update packages.\n\n== Changelog ==\n\n= 0.1.29 =\n* Made generated Nginx aliases follow the activation and probe markers so disabling path aliases stops the aliases as well as original-path blocking.\n* Generated login aliases only when custom login is enabled and made Apache and Nginx login aliases honor the emergency recovery file.\n* Migrated installations without a saved alias token to one persistent token instead of generating a different default during each settings read.\n* Corrected the privacy documentation to disclose GitHub release checks when automatic updates are enabled.\n* Added a Composer lock file so release builds package a reproducible Plugin Update Checker version.\n\n= 0.1.28 =\n* Forced a fresh GitHub release check before `wp plugin update` so WP-CLI does not rely on Plugin Update Checker's normal 12-hour schedule.\n* Added the same forced-check API to the bundled updater fallback for installations without Composer dependencies.\n\n= 0.1.27 =\n* Kept final HTML path rewriting enabled for administrator responses even when a page-cache plugin defines `WP_CACHE`.\n* Restored aliased `load-scripts.php` and `load-styles.php` URLs on administrator pages while continuing to skip final rewriting for cacheable front-end responses.\n\n= 0.1.26 =\n* Skipped final `WP_HTML_Tag_Processor` rewriting on cacheable `GET` and `HEAD` requests when WordPress page caching is enabled.\n* Preserved final HTML rewriting for uncached requests, including `POST` requests and responses marked with `DONOTCACHEPAGE`.\n* Kept URL generation filters and fingerprint cleanup active so page-cache compatibility does not disable the rest of the plugin.\n\n= 0.1.25 =\n* Prevented custom login responses from being stored by page-cache plugins through the widely supported `DONOTCACHEPAGE` signal and no-cache response headers.\n* Requested an optimization bypass through the conventional `DONOTMINIFY` signal without depending on cache-plugin-specific hooks.\n* Kept cache exclusions scoped to the configured login alias so normal front-end pages remain cacheable.\n\n= 0.1.24 =\n* Normalized server-rewritten login aliases to the native wp-login.php request context before login rendering and OIDC plugins run.\n* Fixed Authorizer compatibility so `/login` is not mistaken for an embedded login form return URL, avoiding the redundant post-OIDC redirect back to the login page.\n* Kept OAuth2/OIDC callback query parameters intact while removing only the private alias handoff parameter.\n\n= 0.1.23 =\n* Added Korean localization and standardized the plugin text domain as `hide-wp-surface`.\n* Added translation catalog validation and release-time MO/PHP language file generation to CI.\n* Split the settings page into accessible tabs for paths and login, server integration, fingerprint cleanup, and updates.\n* Preserved the active settings tab through URL hashes and keyboard navigation while keeping all settings in one save operation.\n* Replaced the hard-coded `/control/admin-ajax.php` guidance with the currently configured wp-admin alias path.\n* Stopped tracking local IntelliJ IDEA module metadata and generated translation binaries.\n\n= 0.1.22 =\n* Changed generated login alias rules to rewrite /login directly to wp-login.php with the internal alias flag, so OIDC/login plugins see the native WordPress login bootstrap instead of a late PHP include.\n* Fixed compatibility with plugins such as Authorizer that disable the native WordPress login form by avoiding the fallback login loader when the request already came through a verified alias rewrite.\n* Preserved the standard rewrite/FastCGI compatibility split for Nginx wp-admin aliases while sharing the same alias key and token with the login rewrite.\n* Improved internal alias flag handling so verified alias rewrites can pass through original WordPress entry points without being mistaken for direct wp-login.php or wp-admin access.\n\n= 0.1.21 =\n* Changed the default Nginx wp-admin alias integration to a simpler rewrite mode that appends an internal alias flag and uses the site's normal PHP handler.\n* Kept the previous direct FastCGI wp-admin alias as an optional compatibility mode for Nginx stacks where standard rewrites are swallowed by the WordPress front controller.\n* Added configurable Nginx admin alias mode, alias query key, and alias token settings.\n* Replaced the custom GitHub updater hooks with a Plugin Update Checker-compatible integration.\n* Added plugin settings for GitHub repository and token so update configuration no longer requires wp-config.php constants.\n* Updated release packaging to install the Plugin Update Checker dependency during CI builds when Composer is available.\n\n= 0.1.20 =\n* Fixed generated Nginx wp-admin alias handling for static admin assets such as `/control/js/common.js`.\n* Replaced the regex `alias`-based static asset mapping with a `rewrite ... break` plus explicit `root` mapping, which is more reliable across Nginx builds and avoids checking the aliased `/control/...` path on disk.\n\n= 0.1.19 =\n* Fixed Nginx wp-admin aliases for static admin assets such as js, css, images, fonts, and source maps.\n* Replaced the generic wp-admin alias static location with a capture-based alias location so /control/js/... maps directly to /wp-admin/js/... instead of checking the wrong /control/... filesystem path.\n\n= 0.1.18 =\n* Changed generated Nginx wp-admin aliases to execute admin PHP files directly through FastCGI, avoiding theme 404s, broken load-styles.php/load-scripts.php, and database-upgrade-screen side effects caused by front-controller routing.\n* Added a Nginx FastCGI pass setting used by the generated admin alias block.\n* Added GitHub updater settings for repository, enable/disable state, and an optional API token so update checks no longer require wp-config.php constants.\n* Added GitHub API token support to the updater for private repositories and rate-limit avoidance.\n* Cleared update transients when GitHub updater settings change.\n\n= 0.1.17 =\n* Changed generated Nginx admin alias routing to server-level native rewrites so /control/admin-ajax.php and load-styles.php reach wp-admin before generic WordPress front-controller handling.\n* Added stronger updater diagnostics support for custom GitHub releases.\n\n= 0.1.16 =\n* Restored wp-admin aliases to direct server rewrites so WordPress admin bootstrap, load-styles.php, and load-scripts.php execute in their native context.\n* Removed the front-controller admin alias handoff that could show the WordPress database upgrade screen and break admin CSS/JS.\n* Improved Nginx guidance for placing alias locations before generic PHP/static locations.\n\n= 0.1.15 =\n* Changed generated Nginx wp-admin alias routing to send admin alias requests through WordPress index.php, allowing PHP to validate activation/probe markers instead of relying on Nginx file checks.\n* Fixed wp-admin alias verification on Nginx setups where /control/admin-ajax.php was intercepted by generic PHP/static handling or where Nginx could not see the runtime marker file.\n* Preserved admin alias query strings while removing the internal handoff parameter before loading wp-admin targets.\n* Fixed Update URI diagnostics by returning same-version GitHub release metadata to WordPress so successful checks appear under no_update instead of looking like the updater did not run.\n\n= 0.1.14 =\n* Reworked generated Nginx alias rules to use explicit location blocks so aliased PHP files such as admin-ajax.php are not intercepted by generic PHP locations before the alias rewrite runs.\n* Added clearer Nginx placement guidance for verified server aliases.\n* Made runtime marker writes idempotent so stale marker files from a failed verification attempt can be reused safely.\n* Added explicit updater diagnostics guidance for GitHub Release checks.\n\n= 0.1.13 =\n* Fixed Nginx alias verification failures when the web server user could not traverse the runtime marker directory.\n* Changed runtime marker directory permissions to be web-server-readable so Nginx `-f` checks can see verification and activation markers.\n* Fixed GitHub Actions release metadata stamping by avoiding shell quoting issues in the inline PHP script.\n\n= 0.1.12 =\n* Fixed admin alias fallback so it does not re-enter WordPress admin bootstrap when the web server has already routed the request to wp-admin.\n* Improved GitHub updater compatibility by stamping release packages with the current GitHub repository and by exposing update data through both WordPress update transient paths.\n\n= 0.1.11 =\n* Fixed a fatal error when an admin alias request was already rewritten to a wp-admin PHP script by the web server.\n* Prevented the admin alias PHP fallback from recursively requiring the same wp-admin target during WordPress admin bootstrap.\n\n= 0.1.10 =\n* Fixed original path verification on servers that pass the internally rewritten /index.php URI to PHP by adding an explicit original-path handoff parameter to generated Apache and Nginx rules.\n* Improved original path 404 handling so the request guard can recognize server-routed original WordPress paths even when REQUEST_URI was changed by the web server.\n\n= 0.1.9 =\n* Restored the Settings action link on the Plugins screen.\n* Added a WordPress-level fallback for wp-admin alias requests that reach the front controller, including admin-ajax.php verification requests.\n* Improved wp-admin alias verification error details with the checked URL, HTTP status, and a short response excerpt.\n* Reduced GitHub release caching so newly published releases can appear during the next WordPress update check.\n* Added a repository-specific updater cache key to avoid stale release data when the GitHub repository changes.\n\n\n= 0.1.8 =\n* Moved server marker files to a stable wp-content runtime directory to avoid breakage when the plugin folder name changes.\n* Kept compatibility with existing marker files while sites transition to the newly generated server block.\n* Fixed Nginx original-path blocking so internally rewritten admin aliases are not mistaken for direct wp-admin requests.\n\n\n= 0.1.7 =\n\n* Fixed GitHub update detection for plugins with an `Update URI` header by adding WordPress' hostname-specific `update_plugins_github.com` update provider.\n* Fixed update payload compatibility by returning the `version` field required by WordPress' Update URI update flow.\n* Improved GitHub release caching so releases without an attached ZIP package are not cached as successful update metadata for six hours.\n* Kept the legacy update transient filter as a compatibility fallback for older/custom update checks.\n\n= 0.1.6 =\n\n* Fixed custom login requests so the aliased login route preserves the original query string when handing the request to wp-login.php.\n* Fixed OIDC and other external login callbacks that arrive at paths such as /login?code=...\u0026state=... by emulating the native wp-login.php request URI before loading WordPress' login controller.\n* Updated generated Nginx rewrite rules to preserve request arguments explicitly with `$is_args$args` for login, admin, asset, include, and protected original-path rewrites.\n\n= 0.1.5 =\n\n* Fixed a fatal error on OIDC and cache-plugin logout flows where third-party code calls the `send_auth_cookies` filter with fewer arguments than WordPress passes during normal login.\n* Added explicit alias-cookie clearing on WordPress' `clear_auth_cookie` action instead of treating shortened `send_auth_cookies` calls as a full login-cookie event.\n* Renamed the generated release package and top-level plugin directory from `hide-wp-master` to `hide-wp-surface`.\n* Updated the GitHub Actions release workflow to build `hide-wp-surface.zip` with a `hide-wp-surface/` top-level directory.\n\n= 0.1.4 =\n\n* Added a GitHub Actions workflow that validates plugin metadata, lints PHP files, builds a production ZIP, uploads workflow artifacts, and publishes the ZIP to tagged GitHub Releases.\n* Fixed protected original-path 404 rendering so the active theme receives a normal front-end 404 request instead of a stripped-down synthetic query.\n* Fixed admin bar visibility on protected original-path 404 responses for logged-in users who normally show the front-end admin bar.\n* Fixed generated Nginx alias rewrites to restart location matching instead of staying in the current location.\n* Fixed the admin alias root path so requests such as /control and /control/ route to wp-admin/index.php instead of falling through to a 404.\n\n= 0.1.3 =\n\n* Added GitHub Releases based update checks for custom plugin updates outside WordPress.org.\n* Added one-click update package support when a compatible ZIP asset is attached to the latest GitHub release.\n* Added plugin information modal details from the latest GitHub release notes.\n* Added update cache clearing after plugin upgrades.\n\n= 0.1.2 =\n\n* Added independent enable/disable controls for wp-admin, wp-content, and wp-includes server aliases.\n* Added per-alias server configuration generation, so Apache and Nginx rules are generated only for selected aliases.\n* Added per-alias verification checks for selected server aliases.\n* Added status messaging to distinguish current verified paths from newly saved paths that still require verification.\n* Fixed an issue where saving path settings immediately disabled existing verified rewrite rules.\n* Fixed live routing so the previously verified alias set remains active until the newly saved alias configuration passes verification.\n* Fixed original path blocking so only enabled and verified aliases are blocked.\n* Fixed auth cookie path handling to use the active verified admin alias instead of an unverified saved admin path.\n* Improved verification failure handling by restoring the previous path alias marker when possible.\n* Improved backwards compatibility for existing installations by migrating legacy verified path state to the new per-alias state model.\n\n= 0.1.1 =\n\n* Render protected original paths through the active theme's 404 template.\n* Store verified server state separately from sanitized administrator settings.\n\n= 0.1.0 =\n\n* Initial security-focused implementation for WordPress 7.0 and PHP 8.3.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffifoqueue%2Fhide-wp-surface","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffifoqueue%2Fhide-wp-surface","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffifoqueue%2Fhide-wp-surface/lists"}