brianhansonxyz/homeproz
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f754f1f6e16d1ad5cb480fe21f3172804d13d55d
homeproz/DEPENDENCIES.md
T

2.9 KiB
Raw Blame History

HomeProz Server Dependencies

This document tracks server-side dependencies required for the HomeProz WordPress site.

PHP Extensions

Extension Purpose Status
gd Image manipulation, WebP conversion Pre-installed
imagick Image manipulation, WebP conversion (alternative to GD) Pre-installed

Both extensions include WebP support, verified with:

php -r "echo 'GD WebP: ' . (function_exists('imagewebp') ? 'Yes' : 'No') . PHP_EOL;"
php -r "echo 'Imagick WebP: ' . (in_array('WEBP', Imagick::queryFormats()) ? 'Yes' : 'No') . PHP_EOL;"

Nginx Configuration

WebP Serving Rules

Added to /etc/nginx/sites-available/default on 2025-11-28:

# WebP Converter for Media - serve WebP when available
location ~ /wp-content/(?<path>.+)\.(?<ext>jpe?g|png|gif|webp)$ {
    add_header Vary Accept;
    expires 1y;
    add_header Cache-Control "public, immutable";
    access_log off;

    if ($http_accept !~* "image/webp") {
        break;
    }
    try_files /wp-content/uploads-webpc/$path.$ext.webp $uri =404;
}

Purpose: When a browser requests an image from wp-content and sends Accept: image/webp, Nginx checks for a WebP version in /wp-content/uploads-webpc/ and serves it instead. Falls back to original if WebP not available.

After changes: Run nginx -t && service nginx reload

WordPress Plugins (Image Processing)

Plugin Version Purpose
Converter for Media 6.3.2 Converts uploaded images to WebP locally using PHP GD/Imagick

The plugin stores converted WebP files in /wp-content/uploads-webpc/ mirroring the structure of /wp-content/uploads/.

WordPress Plugins (Security)

Plugin Version Purpose
All In One WP Security 5.4.4 Login protection, basic firewall, user enumeration blocking

AIOS Configuration Summary

Login Protection:

  • Max login attempts: 10
  • Retry time period: 5 minutes
  • Lockout length: 30 minutes (max 60)
  • Instant lockout usernames: admin, administrator, test
  • Generic login error messages: enabled
  • Email notifications: enabled
  • Login honeypot: enabled

Hardening:

  • File editing disabled
  • WP generator meta removed
  • Default WP file access prevented
  • User enumeration blocked
  • Unauthorized REST API blocked
  • Clickjacking protection enabled
  • Directory indexing disabled

Note: Many features (5G/6G firewall, IP blacklisting, advanced brute force) are intentionally disabled as Sucuri WAF will handle these at the edge.

Notes

  • No external APIs or services are used for image processing
  • All image conversion happens locally on the server
  • WordPress core handles thumbnail generation for all registered image sizes
  • Security hardening complements (not duplicates) Sucuri WAF features
Reference in New Issue View Git Blame Copy Permalink