add instructions to README

Author: dannyvankooten

README.md

@@ -3,13 +3,13 @@ ibericode mods
 
 A collection of lightweight WordPress plugins that we commonly use on our sites.
 
-- Allow SVG uploads
+- Reject all WP Login attempts if submitted within 2.5 seconds of page load.
+- Configure `wp_mail()` to use SMTP through a few PHP constants.
+- Allow SVG uploads for administrators.
 - Disable the `/wp-json/wp/v2/users` REST API endpoint.
+- Set HTTP `Cache-Control` header on all safe requests for logged-out users.
 - Adds `Robots: noindex` HTTP header to all non-singular pages (except the front page).
-- Reject all WP Login attempts if submitted within 2.5 seconds of page load.
 - Purge Bunny CDN Cache on `save_post`
-- Set HTTP `Cache-Control` header on all safe requests for logged-out users.
-- Configure `wp_mail()` to use SMTP.
 - Automatically mark comments as spam through a collection of empirically discovered checks.
 
 Some of these are simple no-ops if the relevant PHP constants are not set.
@@ -22,6 +22,31 @@ Go to **Plugins > Add Plugin > Upload Plugin** to install the plugin.
 
 Alternatively, download or clone this repository and place in `/wp-content/plugins/`.
 
+
+## Configuring
+
+### Email through SMTP
+
+To configure WordPress to send emails via SMTP instead of the default `mail()` function, define the following constants in your `wp-config.php` file:
+
+```php
+define( 'SMTP_HOST', 'smtp.example.com' );
+define( 'SMTP_USER', 'youremail@example.com' );
+define( 'SMTP_PASSWORD', 'your_password' ); // Optional
+define( 'SMTP_PORT', 587 ); // Optional
+define( 'SMTP_ENCRYPTION', 'tls' ); // Optional, defaults to 'tls' (PHPMailer::ENCRYPTION_STARTTLS)
+```
+
+The plugin will automatically use `SMTP_USER` as the default "From" email address.
+
+### Bunny CDN Purging
+
+To automatically purge the Bunny CDN cache for a post's URL (and the sitemap) when it is saved or updated, define your Bunny API key in your `wp-config.php` file:
+
+```php
+define( 'BUNNY_API_KEY', 'your-bunny-cdn-api-key' );
+```
+
 ## License
 
 GPL v2 or later

includes/allow-svg-uploads.php

@@ -1,5 +1,8 @@
 <?php
 
+// Prevent direct file access
+defined('ABSPATH') or exit;
+
 add_filter('upload_mimes', function (array $mime_types): array {
     if (current_user_can('manage_options')) {
         $mime_types['svg'] = 'image/svg+xml';

includes/disable-rest-api-users-endpoint.php

@@ -1,5 +1,8 @@
 <?php
 
+// Prevent direct file access
+defined('ABSPATH') or exit;
+
 // Do not allow access to WordPress REST API for non-logged-in users
 add_filter('rest_authentication_errors', function ($result) {
     if (is_wp_error($result)) {

includes/disable-xmlrpc.php

@@ -1,3 +1,6 @@
 <?php
 
+// Prevent direct file access
+defined('ABSPATH') or exit;
+
 add_filter('xmlrpc_enabled', '__return_false');

includes/noindex-archive-pages.php

@@ -1,5 +1,8 @@
 <?php
 
+// Prevent direct file access
+defined('ABSPATH') or exit;
+
 add_filter('wp_robots', function (array $robots): array {
     if (!is_singular() && !is_front_page()) {
         $robots['noindex'] = true;

includes/protect-wp-login.php

@@ -1,5 +1,8 @@
 <?php
 
+// Prevent direct file access
+defined('ABSPATH') or exit;
+
 add_action('login_footer', function () {
     ?><style>
         #wp-submit {

includes/purge-bunny-cdn-cache.php

@@ -2,6 +2,9 @@
 
 namespace ibericode;
 
+// Prevent direct file access
+defined('ABSPATH') or exit;
+
 function purge_cache_for_url(string $url)
 {
     $request_url = 'https://api.bunny.net/purge?url=' . urlencode($url);

includes/set-cache-headers.php

@@ -1,30 +1,33 @@
 <?php
 
+// Prevent direct file access
+defined('ABSPATH') or exit;
+
 add_filter('wp_headers', function ($headers) {
     if (WP_DEBUG || isset($headers['Cache-Control']) || is_admin()) {
         return $headers;
     }
 
     // only set cache-headers on safe HTTP methods
     $method = $_SERVER['REQUEST_METHOD'] ?? 'POST';
-    if ($method !== 'GET') {
+    if ($method !== 'GET' && $method !== 'HEAD') {
         return $headers;
     }
 
     // never set cache headers for logged-in users
     if (is_user_logged_in()) {
         $headers['Cache-Control'] = 'must-revalidate, max-age=0, private';
 
-    // cache 404 pages for 1 hour
+    // cache 404 pages for 1 hour (shared), 5 minutes (browser)
     } elseif (is_404()) {
-        $headers['Cache-Control'] = 'public, max-age=3600';
+        $headers['Cache-Control'] = 'public, s-max-age=3600, max-age=300';
 
-    // cache feeds and XML files (ie sitemap) for 1 day
+    // cache feeds and XML files (ie sitemap) for 1 day (both shared and browser)
     } elseif (is_feed() || str_ends_with($_SERVER['REQUEST_URI'] ?? '', '.xml')) {
         $headers['Cache-Control'] = 'public, max-age=86400';
-    // cache all other pages for 30 days
+    // cache all other pages for 30 days (shared) or 1 day (browser cache)
     } else {
-        $headers['Cache-Control'] = 'public, max-age=2592000';
+        $headers['Cache-Control'] = 'public, s-max-age=2592000, max-age=86400';
     }
 
     return $headers;

includes/smtp-mailer.php

@@ -2,6 +2,9 @@
 
 use PHPMailer\PHPMailer\PHPMailer;
 
+// Prevent direct file access
+defined('ABSPATH') or exit;
+
 add_action('phpmailer_init', function (PHPMailer $phpmailer) {
     // make sure all configuration constants are given
     if (! defined('SMTP_HOST') || ! defined('SMTP_USER')) {

includes/stop-comment-spam.php

@@ -1,5 +1,8 @@
 <?php
 
+// Prevent direct file access
+defined('ABSPATH') or exit;
+
 /**
  * @param mixed $approved One of 1, 0, 'spam', 'trash', WP_Error
  * @param array $commentdata {