first commit

.gitignore

@@ -0,0 +1 @@
+.manual/

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Alexy-OS
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights    
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,118 @@
+# WordPress Headless Theme with Enhanced Security
+
+A minimal WordPress theme designed to work as a headless CMS with GraphQL support and enhanced security features. This theme serves as a backend for JAMstack applications.
+
+## Features
+
+### Headless Mode
+- Disabled frontend rendering
+- Optimized for GraphQL content delivery
+- Minimal theme structure
+- Cleaned up WordPress head and removed unnecessary features
+
+### Security Implementation
+
+#### Admin Protection
+- Custom login page through `/console/` endpoint
+- Disabled standard wp-login.php
+- Protected wp-admin access
+- Implemented security headers
+- Disabled file editing in admin panel
+
+#### Console Authentication
+- Hash-based temporary login links
+- Rate limiting protection:
+  - 5 attempts per hour per IP
+  - 3 attempts per temporary link
+  - 30 minutes link expiration
+- Brute force protection
+- Access logging
+- Session management
+
+#### API Security
+- Protected REST API endpoints
+- GraphQL access control
+- Disabled XML-RPC
+- Disabled directory browsing
+- Protected sensitive files
+
+### GraphQL Integration
+- Configured for WPGraphQL
+- Custom post type handling
+- Structured content delivery
+- API endpoint protection
+
+## Installation
+
+1. Clone this repository to your WordPress themes directory:
+```bash
+cd wp-content/themes
+git clone [repository-url] headless-theme
+```
+
+2. Add the following constants to your wp-config.php:
+```php
+define('WP_ADMIN_PROTECTION', true);
+define('CUSTOM_LOGIN_PATH', 'console');
+define('DISALLOW_FILE_EDIT', true);
+define('DISALLOW_FILE_MODS', true);
+```
+
+3. Add the security rules to your .htaccess:
+```apache
+# Protect wp-login.php and wp-admin
+<IfModule mod_rewrite.c>
+    RewriteEngine On
+    RewriteBase /
+    RewriteRule ^wp-login\.php$ - [R=403,L]
+    RewriteCond %{REQUEST_URI} ^/wp-admin
+    RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_ [NC]
+    RewriteRule ^(.*)$ - [R=403,L]
+</IfModule>
+```
+
+## Usage
+
+### Accessing Admin Panel
+1. Navigate to `/console/`
+2. Get a temporary login link
+3. Use the link within 30 minutes
+4. Login with your WordPress credentials
+
+### GraphQL Queries
+The GraphQL endpoint is available at `/graphql`. Example query:
+```graphql
+query GetPosts {
+  posts {
+    nodes {
+      id
+      title
+      content
+    }
+  }
+}
+```
+
+### Security Features
+- Rate limiting is implemented at both IP and attempt levels
+- All login attempts are logged in `/console/access.log`
+- Security headers are automatically added to all responses
+- Admin area is protected from unauthorized access
+
+## File Structure
+```
+headless-theme/
+├── console/
+│   └── index.php          # Custom login implementation
+├── admin-access.php       # Admin protection logic
+├── functions.php          # Theme functionality
+├── safety-functions.php   # Security implementations
+├── index.php             # Minimal frontend
+└── style.css             # Theme declaration
+```
+
+## Contributing
+Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.
+
+## License
+[MIT](LICENSE)

www-wp-headless/.htaccess

@@ -0,0 +1,72 @@
+
+# BEGIN WordPress
+# Directives (lines) between `BEGIN WordPress` and `END WordPress`
+# are generated automatically and should only be modified through WordPress filters.
+# Manually made changes between these markers will be overwritten.
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+RewriteBase /
+RewriteRule ^index\.php$ - [L]
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteCond %{REQUEST_FILENAME} !-d
+RewriteRule . /index.php [L]
+</IfModule>
+# END WordPress
+
+# Protect wp-login.php and wp-admin
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteBase /
+
+# Allow access to admin-ajax.php
+RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php
+
+# Allow access to API if needed
+RewriteCond %{REQUEST_URI} !^/wp-json/
+
+# Block direct access to wp-login.php
+RewriteCond %{REQUEST_URI} ^/wp-login\.php
+RewriteRule ^(.*)$ - [R=403,L]
+
+# Block direct access to wp-admin for unauthorized users
+RewriteCond %{REQUEST_URI} ^/wp-admin
+RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_ [NC]
+RewriteRule ^(.*)$ - [R=403,L]
+</IfModule>
+
+# Additional protection for directories
+<FilesMatch "wp-login\.php">
+    Order Deny,Allow
+    Deny from all
+</FilesMatch>
+
+# Protect against directory viewing
+Options -Indexes
+
+# Protect wp-config.php
+<Files wp-config.php>
+    Order Deny,Allow
+    Deny from all
+</Files>
+
+# Security Headers
+<IfModule mod_headers.c>
+    Header set X-XSS-Protection "1; mode=block"
+    Header set X-Frame-Options "SAMEORIGIN"
+    Header set X-Content-Type-Options "nosniff"
+    Header set Referrer-Policy "strict-origin-when-cross-origin"
+    Header set Permissions-Policy "geolocation=(), microphone=(), camera=()"
+
+    # Only for HTTPS
+    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+</IfModule>
+
+# Protection against attacks via User Agent
+<IfModule mod_rewrite.c>
+    RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
+    RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget) [NC,OR]
+    RewriteCond %{HTTP_USER_AGENT} (winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
+    RewriteCond %{HTTP_USER_AGENT} (libwww-perl|curl|wget|python|nikto|scan) [NC]
+    RewriteRule ^ - [F,L]
+</IfModule>