├── .env
├── .github
    └── workflows
    │   └── docker-build-push.yaml
├── .gitignore
├── Dockerfile
├── LICENSE
├── README.md
├── config
    ├── fpm-pool.conf
    ├── my.cnf
    ├── nginx.conf
    ├── nginx_includes
    │   ├── .gitkeep
    │   └── include.conf
    ├── php.ini
    └── supervisord.conf
├── docker-compose.yml
├── entrypoint.sh
├── rootfs.sh
├── rootfs
    └── .gitkeep
├── wp-config.php
└── wp-secrets.php


/.env:
--------------------------------------------------------------------------------
 1 | # All of these are being read by wp-config.php
 2 | DISABLE_WP_CRON=true
 3 | DB_NAME=wordpress
 4 | DB_USER=wordpress
 5 | DB_PASSWORD=wordpress
 6 | DB_HOST=mysql
 7 | DB_CHARSET=latin1
 8 | DB_COLLATE=''
 9 | TABLE_PREFIX=wp_
10 | FS_METHOD=direct
11 | WP_DEBUG=false
12 | WP_DEBUG_DISPLAY=false
13 | EMPTY_TRASH_DAYS=7
14 | WP_POST_REVISIONS=10
15 | 
16 | MARIADB_ROOT_PASSWORD=wordpress
17 | MARIADB_DATABASE=wordpress
18 | MARIADB_USER=wordpress
19 | MARIADB_PASSWORD=wordpress
20 | 


--------------------------------------------------------------------------------
/.github/workflows/docker-build-push.yaml:
--------------------------------------------------------------------------------
 1 | name: Docker build and push
 2 | 
 3 | on:
 4 |   workflow_dispatch:
 5 |   schedule:
 6 |     - cron: "0 0 * * *"
 7 |   push:
 8 |     tags:
 9 | 
10 | env:
11 |   REGISTRY: ghcr.io
12 |   IMAGE_NAME: wordpress
13 |   USER: nidr0x
14 | 
15 | jobs:
16 |   build-and-push:
17 |     name: Build and push
18 |     runs-on: ubuntu-latest
19 | 
20 |     steps:
21 |       - name: Checkout repo
22 |         uses: actions/checkout@v4
23 | 
24 |       - name: Set up QEMU
25 |         uses: docker/setup-qemu-action@v3
26 | 
27 |       - name: Set up Docker Buildx
28 |         uses: docker/setup-buildx-action@v3
29 | 
30 |       - name: Log in to the Container registry
31 |         uses: docker/login-action@v3
32 |         with:
33 |           registry: ${{ env.REGISTRY }}
34 |           username: ${{ github.actor }}
35 |           password: ${{ secrets.GITHUB_TOKEN }}
36 | 
37 |       - name: Extract metadata (tags, labels) for Docker
38 |         uses: docker/metadata-action@v5
39 |         with:
40 |           images: ${{ env.REGISTRY }}/${{ env.USER }}/${{ env.IMAGE_NAME }}
41 | 
42 |       - uses: oprypin/find-latest-tag@v1
43 |         with:
44 |           repository: nidr0x/docker-production-wordpress
45 |           releases-only: true
46 |         id: wordpress
47 | 
48 |       - name: Build Docker image
49 |         uses: docker/build-push-action@v6
50 |         with:
51 |           context: .
52 |           push: true
53 |           platforms: linux/amd64, linux/386, linux/arm64
54 |           tags: |
55 |             ${{ env.REGISTRY }}/${{ env.USER }}/${{ env.IMAGE_NAME }}:${{ steps.wordpress.outputs.tag }}
56 |             ${{ env.REGISTRY }}/${{ env.USER }}/${{ env.IMAGE_NAME }}:latest
57 |           labels: ${{ steps.meta.outputs.labels }}
58 |           cache-from: type=gha
59 |           cache-to: type=gha,mode=max
60 | 
61 |   image-security:
62 |     name: Image security scan (Trivy)
63 |     runs-on: ubuntu-latest
64 |     needs: build-and-push
65 |     strategy:
66 |       matrix:
67 |         platforms: [linux/amd64, linux/386, linux/arm64]
68 | 
69 |     steps:
70 |       - name: Run Trivy vulnerability scanner
71 |         uses: aquasecurity/trivy-action@0.20.0
72 |         with:
73 |           image-ref: "${{ env.REGISTRY }}/${{ env.USER }}/${{ env.IMAGE_NAME }}:${{ steps.wordpress.outputs.tag }}"
74 |         env:
75 |           TRIVY_PLATFORM: ${{ matrix.platforms }}
76 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | ### macOS ###
 2 | # General
 3 | .DS_Store
 4 | .AppleDouble
 5 | .LSOverride
 6 | 
 7 | # Icon must end with two \r
 8 | Icon
 9 | 
10 | # Thumbnails
11 | ._*
12 | 
13 | # Files that might appear in the root of a volume
14 | .DocumentRevisions-V100
15 | .fseventsd
16 | .Spotlight-V100
17 | .TemporaryItems
18 | .Trashes
19 | .VolumeIcon.icns
20 | .com.apple.timemachine.donotpresent
21 | 
22 | # Directories potentially created on remote AFP share
23 | .AppleDB
24 | .AppleDesktop
25 | Network Trash Folder
26 | Temporary Items
27 | .apdisk
28 | 
29 | ### macOS Patch ###
30 | # iCloud generated files
31 | *.icloud
32 | 
33 | ### Vim ###
34 | # Swap
35 | [._]*.s[a-v][a-z]
36 | !*.svg  # comment out if you don't need vector files
37 | [._]*.sw[a-p]
38 | [._]s[a-rt-v][a-z]
39 | [._]ss[a-gi-z]
40 | [._]sw[a-p]
41 | 
42 | # Session
43 | Session.vim
44 | Sessionx.vim
45 | 
46 | # Temporary
47 | .netrwhist
48 | *~
49 | # Auto-generated tag files
50 | tags
51 | # Persistent undo
52 | [._]*.un~
53 | 
54 | # Other stuff
55 | config/nginx_includes/*.conf
56 | letsencrypt/
57 | wp-content/
58 | images/
59 | 


--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
  1 | FROM curlimages/curl:8.13.0 AS download
  2 | ENTRYPOINT []
  3 | USER root
  4 | 
  5 | ENV WPCLI_DOWNLOAD_SHA256=a39021ac809530ea607580dbf93afbc46ba02f86b6cffd03de4b126ca53079f6
  6 | ENV WPCLI_VERSION=2.11.0
  7 | 
  8 | RUN curl -sfo /tmp/wp -L https://github.com/wp-cli/wp-cli/releases/download/v${WPCLI_VERSION}/wp-cli-${WPCLI_VERSION}.phar \
  9 |   && echo "$WPCLI_DOWNLOAD_SHA256 /tmp/wp" | sha256sum -c - \
 10 |   && chmod +x /tmp/wp
 11 | 
 12 | RUN set -x \
 13 |   && curl -f https://api.wordpress.org/secret-key/1.1/salt/ >> /tmp/wp-secrets.php
 14 | 
 15 | FROM public.ecr.aws/docker/library/alpine:3.21
 16 | 
 17 | LABEL Maintainer="Carlos R <nidr0x@gmail.com>" \
 18 |   Description="Slim WordPress image using Alpine Linux"
 19 | 
 20 | ENV WP_VERSION=6.8.1
 21 | ENV WP_LOCALE=en_US
 22 | 
 23 | ARG UID=82
 24 | ARG GID=82
 25 | 
 26 | RUN adduser -u $UID -D -S -G www-data www-data \
 27 |   && apk add --no-cache \
 28 |   php84 \
 29 |   php84-fpm \
 30 |   php84-mysqli \
 31 |   php84-json \
 32 |   php84-openssl \
 33 |   php84-curl \
 34 |   php84-simplexml \
 35 |   php84-ctype \
 36 |   php84-mbstring \
 37 |   php84-gd \
 38 |   php84-exif \
 39 |   nginx \
 40 |   supervisor \
 41 |   php84-zlib \
 42 |   php84-xml \
 43 |   php84-phar \
 44 |   php84-intl \
 45 |   php84-dom \
 46 |   php84-xmlreader \
 47 |   php84-zip \
 48 |   php84-opcache \
 49 |   php84-fileinfo \
 50 |   php84-iconv \
 51 |   less
 52 | 
 53 | RUN { \
 54 |   echo 'opcache.memory_consumption=128'; \
 55 |   echo 'opcache.interned_strings_buffer=8'; \
 56 |   echo 'opcache.max_accelerated_files=4000'; \
 57 |   echo 'opcache.revalidate_freq=2'; \
 58 |   echo 'opcache.fast_shutdown=1'; \
 59 |   } > /etc/php84/conf.d/opcache-recommended.ini
 60 | 
 61 | VOLUME /var/www/wp-content
 62 | 
 63 | WORKDIR /usr/src
 64 | 
 65 | RUN set -x \
 66 |   && mkdir /usr/src/wordpress \
 67 |   && chown -R $UID:$GID /usr/src/wordpress \
 68 |   && sed -i s/';cgi.fix_pathinfo=1/cgi.fix_pathinfo=0'/g /etc/php84/php.ini \
 69 |   && sed -i s/'expose_php = On/expose_php = Off'/g /etc/php84/php.ini \
 70 |   && ln -s /usr/sbin/php-fpm84 /usr/sbin/php-fpm \
 71 |   && ln -s /usr/bin/php84 /usr/bin/php
 72 | 
 73 | COPY config/nginx.conf /etc/nginx/nginx.conf
 74 | COPY config/fpm-pool.conf /etc/php84/php-fpm.d/zzz_custom_fpm_pool.conf
 75 | COPY config/php.ini /etc/php84/conf.d/zzz_custom_php.ini
 76 | COPY config/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
 77 | COPY config/nginx_includes/* /etc/nginx/includes/
 78 | COPY --chown=${UID} wp-config.php /usr/src/wordpress
 79 | COPY rootfs.sh /usr/local/bin/
 80 | RUN chmod +x /usr/local/bin/rootfs.sh
 81 | COPY --from=download --chown=${UID} /tmp/wp /usr/local/bin/wp
 82 | COPY --from=download --chown=${UID} /tmp/wp-secrets.php /usr/src/wordpress/wp-secrets.php
 83 | 
 84 | RUN set -x \
 85 |   && chown -R $UID:$GID /etc/nginx \
 86 |   && chown -R $UID:$GID /var/lib/nginx \
 87 |   && chmod -R g+w /etc/nginx \
 88 |   && chmod g+wx /var/log/ \
 89 |   && ln -sf /dev/stderr /var/lib/nginx/logs/error.log \
 90 |   && deluser nginx \
 91 |   && rm -rf /tmp/* \
 92 |   && chmod 660 /usr/src/wordpress/wp-config.php \
 93 |   && sed -i '1s/^/<?php \n/' /usr/src/wordpress/wp-secrets.php \
 94 |   && rm -rf /var/www/localhost
 95 | 
 96 | USER ${UID}
 97 | 
 98 | RUN set -x \
 99 |   && wp core download --path=/usr/src/wordpress --version="${WP_VERSION}" --skip-content --locale="${WP_LOCALE}"
100 | 
101 | WORKDIR /var/www/wp-content
102 | 
103 | EXPOSE 8080
104 | 
105 | STOPSIGNAL SIGQUIT
106 | 
107 | CMD ["supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
108 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2018 Carlos Rodríguez 
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # rootless WordPress Docker Container
 2 | 
 3 | This Dockerfile installs WordPress 6.x, along with the latest [wp-cli](https://wp-cli.org/) (used to download the WordPress as well), supervisor, nginx 1.24, and PHP-FPM 8.1 (on-demand PM) on Alpine Linux. It's designed as a rootless image, for heavy-load production sites and is currently being used in multiple environments without any issues.
 4 | 
 5 | The `wp-config.php` file included in this container is configured to use environmental variables, making management much easier. The nginx configuration has also been heavily tweaked and optimized. Additionally, the container runs a system cron instead of WP cron, as the latter is not very reliable.
 6 | 
 7 | Also, it has a script managed by `supervisor` process which copies all data automatically from `/data` and put into `/usr/src/wordpress` if you want to add files to the root folder, like `robots.txt`.
 8 | 
 9 | The current image size is around 80 MB, and the goal of this project is to make it even smaller.
10 | 
11 | ## Prerequisites
12 | 
13 | Before using this Docker image, make sure you have the following software installed:
14 | 
15 | - Docker
16 | - docker-compose
17 | 
18 | ## Usage
19 | 
20 | To obtain this Docker image, simply pull it from the GHCR.
21 | 
22 | ```
23 |     $ docker pull ghcr.io/nidr0x/wordpress:latest
24 | ```
25 | 
26 | ## Usage with Docker-Compose
27 | 
28 | If you wish to spin up a running environment, you can use docker-compose.
29 | 
30 | ```
31 |     $ docker-compose up -d
32 | ```
33 | 
34 | ## Contribution
35 | 
36 | If you would like to contribute to this project, feel free to open an issue or submit a pull request on GitHub.
37 | 
38 | ## References
39 | 
40 | * https://github.com/docker-library/wordpress
41 | * https://codeable.io/wordpress-developers-intro-to-docker-part-one/
42 | * https://codeable.io/wordpress-developers-intro-to-docker-part-two/
43 | * https://github.com/TrafeX/docker-php-nginx/
44 | * https://hub.docker.com/_/wordpress/
45 | 


--------------------------------------------------------------------------------
/config/fpm-pool.conf:
--------------------------------------------------------------------------------
 1 | [www]
 2 | pm = ondemand
 3 | pm.max_children = 120
 4 | rlimit_files = 51200
 5 | listen.allowed_clients = 127.0.0.1
 6 | rlimit_core = 0
 7 | pm.process_idle_timeout = 10s;
 8 | pm.max_requests = 1000
 9 | clear_env = no
10 | request_terminate_timeout = 300
11 | request_slowlog_timeout = 0
12 | catch_workers_output = yes
13 | listen = 9000
14 | php_admin_value[memory_limit] = 1024M
15 | catch_workers_output = yes
16 | decorate_workers_output = no
17 | access.log = /dev/stdout
18 | pm.status_path = /status
19 | ping.path = /ping
20 | ping.response = pong
21 | 
22 | [global]
23 | daemonize = no
24 | error_log = /dev/stderr
25 | 


--------------------------------------------------------------------------------
/config/my.cnf:
--------------------------------------------------------------------------------
 1 | [mysqld]
 2 | max_allowed_packet = 16M
 3 | skip-name-resolve
 4 | performance_schema=ON
 5 | max_connections = 151
 6 | wait_timeout = 300
 7 | interactive_timeout = 28800
 8 | general_log_file = /var/log/mysql/mysql.log
 9 | log_error=/var/log/mysql/mysql_error.log
10 | 
11 | # Sort buffer is used to perform sorts for some ORDER BY and GROUP BY
12 | # queries. If sorted data does not fit into the sort buffer, a disk
13 | # based merge sort is used instead - See the "Sort_merge_passes"
14 | # status variable. Allocated per thread if sort is needed.
15 | # Comment out for now, the default in MariaDB 10.2 is 2M
16 | sort_buffer_size = 2M
17 | join_buffer_size = 8M
18 | thread_cache_size = 16
19 | key_buffer_size = 4M
20 | 
21 | # Size of the buffer used for doing full table scans.
22 | # Allocated per thread, if a full scan is needed.
23 | read_buffer_size = 1M
24 | key_buffer_size = 24M
25 | tmp_table_size = 64M
26 | 
27 | 
28 | # When reading rows in sorted order after a sort, the rows are read
29 | # through this buffer to avoid disk seeks. You can improve ORDER BY
30 | # performance a lot, if set this to a high value.
31 | # Allocated per thread, when needed.
32 | read_rnd_buffer_size = 8M
33 | 
34 | join_buffer_size = 8M # should be equal to read_rnd_buffer_size?
35 | 
36 | # Maximum allowed size for a single HEAP (in memory) table. This option
37 | # is a protection against the accidential creation of a very large HEAP
38 | # table which could otherwise use up all memory resources.
39 | max_heap_table_size = 64M
40 | tmp_table_size = 64M # Should be equal to max_heap_table_size
41 | 
42 | ## Generally, it is unwise to set the query cache to be larger than 64-128M
43 | ## as the costs associated with maintaining the cache outweigh the performance
44 | ## gains.
45 | ## The query cache is a well known bottleneck that can be seen even when
46 | ## concurrency is moderate. The best option is to disable it from day 1
47 | ## by setting query_cache_size = 0 (now the default on MySQL 5.6)
48 | ## and to use other ways to speed up read queries: good indexing, adding
49 | ## replicas to spread the read load or using an external cache.
50 | query_cache_type = OFF
51 | query_cache_size = 0
52 | query_cache_strip_comments = on
53 | query_cache_min_res_unit = 2K
54 | # query_cache_limit = 256K # Default is 1M now
55 | 
56 | thread_cache_size = 16
57 | table_open_cache = 4096
58 | table_definition_cache = 1024
59 | 
60 | #
61 | # InnoDB
62 | #
63 | # The buffer pool is where data and indexes are cached: having it as large as possible
64 | # will ensure you use memory and not disks for most read operations.
65 | # Typical values are 50..75% of available RAM.
66 | innodb_buffer_pool_size = 1600M # 75% of 1GB RAM
67 | innodb_log_file_size = 192M # 25% of innodb_buffer_pool_size
68 | innodb_flush_method	= O_DIRECT
69 | innodb=ON
70 | concurrent_insert   = ALWAYS 
71 | 
72 | # This setting should be set to 0 (disabled) on SSDs which do not have
73 | # any performance gains with sequential IO.
74 | innodb_flush_neighbors = 0
75 | 
76 | # The default setting of 1 means that InnoDB is fully ACID compliant.
77 | # It is the best value when your primary concern is data safety, for instance on a master.
78 | # However it can have a significant overhead on systems with slow disks because of the
79 | # extra fsyncs that are needed to flush each change to the redo logs.
80 | # Setting it to 2 is a bit less reliable because committed transactions will be
81 | # flushed to the redo logs only once a second, but that can be acceptable on some situations
82 | # for a master and that is definitely a good value for a replica. 0 is even faster
83 | # but you are more likely to lose some data in case of a crash: it is only a good value for a replica.
84 | innodb_flush_log_at_trx_commit = 0
85 | innodb_log-file_size = 400M
86 | 
87 | # Conquer an InnoDB crash with `InnoDB: A long semaphore wait` error
88 | # See http://stackoverflow.com/questions/24860111/warning-a-long-semaphore-wait
89 | # See http://www.markleith.co.uk/2009/05/13/innodb_stats_on_metadata-innodb_adaptive_hash_index/
90 | innodb_adaptive_hash_index = off
91 | 
92 | # Kill iddle connections after 10min
93 | wait_timeout = 600
94 | 
95 | expire_logs_days = 14
96 | 
97 | [mysqldump]
98 | max-allowed-packet = 16M
99 | 


--------------------------------------------------------------------------------
/config/nginx.conf:
--------------------------------------------------------------------------------
  1 | worker_processes auto;
  2 | pid /tmp/nginx.pid;
  3 | worker_rlimit_nofile 51200;
  4 | pcre_jit on;
  5 | error_log /dev/stderr notice;
  6 | 
  7 | events {
  8 |     use epoll;
  9 |     worker_connections  1024;
 10 |     multi_accept on;
 11 | }
 12 | 
 13 | http {
 14 |     include mime.types;
 15 |     default_type application/octet-stream;
 16 |     server_names_hash_bucket_size 128;
 17 |     client_header_buffer_size 32k;
 18 |     large_client_header_buffers 4 32k;
 19 |     client_max_body_size 1024m;
 20 |     client_body_buffer_size 10m;
 21 |     sendfile on;
 22 |     tcp_nopush on;
 23 |     keepalive_timeout 120;
 24 |     server_tokens off;
 25 |     tcp_nodelay on;
 26 |     absolute_redirect off;
 27 |     # Cloudflare IPs
 28 |     set_real_ip_from 103.21.244.0/22;
 29 |     set_real_ip_from 103.22.200.0/22;
 30 |     set_real_ip_from 103.31.4.0/22;
 31 |     set_real_ip_from 104.16.0.0/12;
 32 |     set_real_ip_from 108.162.192.0/18;
 33 |     set_real_ip_from 131.0.72.0/22;
 34 |     set_real_ip_from 141.101.64.0/18;
 35 |     set_real_ip_from 162.158.0.0/15;
 36 |     set_real_ip_from 172.64.0.0/13;
 37 |     set_real_ip_from 173.245.48.0/20;
 38 |     set_real_ip_from 188.114.96.0/20;
 39 |     set_real_ip_from 190.93.240.0/20;
 40 |     set_real_ip_from 197.234.240.0/22;
 41 |     set_real_ip_from 198.41.128.0/17;
 42 |     set_real_ip_from 199.27.128.0/21;
 43 |     set_real_ip_from 2400:cb00::/32;
 44 |     set_real_ip_from 2606:4700::/32;
 45 |     set_real_ip_from 2803:f800::/32;
 46 |     set_real_ip_from 2405:b500::/32;
 47 |     set_real_ip_from 2405:8100::/32;
 48 |     real_ip_header CF-Connecting-IP;
 49 | 
 50 |     log_format  main_timed  '$remote_addr - $remote_user [$time_local] "$request" '
 51 |                             '$status $body_bytes_sent "$http_referer" '
 52 |                             '"$http_user_agent" "$http_x_forwarded_for" '
 53 |                             '$request_time $upstream_response_time $pipe $upstream_cache_status';
 54 | 
 55 |     access_log /dev/stdout main_timed;
 56 |     error_log /dev/stderr notice;
 57 | 
 58 |     gzip on;
 59 |     gzip_buffers 16 8k;
 60 |     gzip_comp_level 6;
 61 |     gzip_http_version 1.1;
 62 |     gzip_min_length 256;
 63 |     gzip_proxied any;
 64 |     gzip_vary on;
 65 |     gzip_types
 66 |       text/xml application/xml application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml
 67 |       text/javascript application/javascript application/x-javascript
 68 |       text/x-json application/json application/x-web-app-manifest+json
 69 |       text/css text/plain text/x-component
 70 |       font/opentype application/x-font-ttf application/vnd.ms-fontobject
 71 |       image/x-icon;
 72 |     gzip_disable "MSIE [1-6]\.(?!.*SV1)";
 73 | 
 74 |     server {
 75 |         listen [::]:8080 default_server;
 76 |         listen 8080 default_server;
 77 |         server_name _;
 78 | 
 79 |         sendfile off;
 80 | 
 81 |         proxy_buffer_size 128k;
 82 |         proxy_buffers 4 256k;
 83 |         proxy_busy_buffers_size 256k;
 84 |         proxy_temp_path /tmp/proxy_temp;
 85 |         client_body_temp_path /tmp/client_temp;
 86 |         fastcgi_temp_path /tmp/fastcgi_temp;
 87 |         uwsgi_temp_path /tmp/uwsgi_temp;
 88 |         scgi_temp_path /tmp/scgi_temp;
 89 | 
 90 |         client_max_body_size 50m;
 91 |         client_body_buffer_size 128k;
 92 | 
 93 |         root /usr/src/wordpress;
 94 |         index index.php;
 95 |         include /etc/nginx/includes/*.conf;
 96 | 
 97 |         location ~* ^/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z)$ { deny all; }
 98 |         location ~ /(\.DS_Store|wp-config.php|wp-config-sample.php|readme.html.gz|readme.txt.gz|readme.html|readme.txt|error_log|license.txt|changelog|changelog.txt) { access_log off; log_not_found off; deny all; }
 99 |         location = /favicon.ico { access_log off; log_not_found off; expires 30d; }
100 |         location ~ ~$           { access_log off; log_not_found off; deny all; }
101 |         location ~* \.(xml|xsl)$ { add_header Cache-Control "no-cache, no-store, must-revalidate, max-age=0"; expires -1; }
102 |         location /robots.txt { add_header Cache-Control "no-cache, no-store, must-revalidate, max-age=0"; expires -1; }
103 |         location /wp-cron.php { add_header Cache-Control "no-cache, no-store, must-revalidate, max-age=0"; expires -1; }
104 |         location ~ /(.*?/)?debug\.log$ { access_log off; deny all; }
105 | 
106 |         location /wp-content {
107 |             root /var/www;
108 |             expires 7d;
109 |             add_header Cache-Control "public";
110 |         }
111 | 
112 |         location / {
113 |             try_files $uri $uri/ /index.php?$args;
114 |         }
115 | 
116 |         location ~ [^/]\.php(/|$) {
117 |             try_files $uri =404;
118 |             fastcgi_split_path_info ^(.+\.php)(/.+)$;
119 |             fastcgi_connect_timeout 300;
120 |             fastcgi_send_timeout 300;
121 |             fastcgi_read_timeout 300;
122 |             fastcgi_buffer_size 64k;
123 |             fastcgi_buffers 4 64k;
124 |             fastcgi_busy_buffers_size 128k;
125 |             fastcgi_temp_file_write_size 128k;
126 |             fastcgi_intercept_errors on;
127 | 
128 |             fastcgi_index index.php;
129 |             fastcgi_pass 127.0.0.1:9000;
130 | 
131 |             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
132 |             include fastcgi_params;
133 |         }
134 |     }
135 | }
136 | 
137 | 


--------------------------------------------------------------------------------
/config/nginx_includes/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nidr0x/docker-production-wordpress/42ae6d6912d3f653b1c70bfde300f70cdc1ce39b/config/nginx_includes/.gitkeep


--------------------------------------------------------------------------------
/config/nginx_includes/include.conf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nidr0x/docker-production-wordpress/42ae6d6912d3f653b1c70bfde300f70cdc1ce39b/config/nginx_includes/include.conf


--------------------------------------------------------------------------------
/config/php.ini:
--------------------------------------------------------------------------------
 1 | ; Redirect errors to the container stderr
 2 | error_log = "/dev/stderr"
 3 | 
 4 | max_input_time = 60
 5 | max_input_vars = 1000
 6 | variables_order = "EGPCS"
 7 | expose_php = Off
 8 | post_max_size = 50M
 9 | upload_max_filesize = 50M
10 | disable_functions = passthru,system,chroot,chgrp,chown,shell_exec,ini_alter,ini_restore,readlink,symlink,stream_socket_server,fsocket
11 | 
12 | [Date]
13 | date.timezone = "UTC"
14 | 


--------------------------------------------------------------------------------
/config/supervisord.conf:
--------------------------------------------------------------------------------
 1 | [supervisord]
 2 | nodaemon=true
 3 | logfile=/dev/null
 4 | logfile_maxbytes=0
 5 | pidfile=/tmp/supervisord.pid
 6 | user=www-data
 7 | 
 8 | [program:php-fpm]
 9 | command=php-fpm -F
10 | stderr_logfile=/dev/stderr
11 | stdout_logfile=/dev/stdout
12 | stdout_logfile_maxbytes=0
13 | stderr_logfile_maxbytes=0
14 | autorestart=true
15 | 
16 | [program:nginx]
17 | command=nginx -g 'daemon off;'
18 | stderr_logfile=/dev/stderr
19 | stdout_logfile=/dev/stdout
20 | stdout_logfile_maxbytes=0
21 | stderr_logfile_maxbytes=0
22 | autorestart=true
23 | 
24 | [program:cron]
25 | command=/usr/sbin/crond -f
26 | autostart=true
27 | autorestart=true
28 | redirect_stderr=true
29 | 
30 | [program:rootfs]
31 | command=/bin/ash /usr/local/bin/rootfs.sh
32 | autostart=true
33 | autorestart=true
34 | redirect_stderr=true
35 | startretries=3
36 | 
37 | [program:wp-cron]
38 | command=php /usr/src/wordpress/wp-cron.php
39 | interval=1m
40 | 


--------------------------------------------------------------------------------
/docker-compose.yml:
--------------------------------------------------------------------------------
 1 | version: '3.7'
 2 | 
 3 | volumes:
 4 |   vol-wp-content:
 5 |   vol-wp-images:
 6 |   vol-wp-db:
 7 | 
 8 | networks:
 9 |   traefik:
10 |     external: true
11 |   backend:
12 | 
13 | services:
14 | 
15 |   traefik:
16 |     image: traefik:2.10
17 |     logging:
18 |       options:
19 |         max-size: "10m"
20 |         max-file: "3"
21 |     container_name: traefik
22 |     restart: unless-stopped
23 |     networks:
24 |       - traefik
25 |     ports:
26 |       - "80:80"
27 |       - "443:443"
28 |       - "8080:8080"
29 |     command:
30 |       - "--providers.docker=true"
31 |       - "--providers.docker.exposedbydefault=false"
32 |       - "--entrypoints.web.address=:80"
33 |       - "--entrypoints.web-secure.address=:443"
34 |       - "--certificatesresolvers.myhttpchallenge.acme.httpchallenge=true"
35 |       - "--certificatesresolvers.myhttpchallenge.acme.httpchallenge.entrypoint=web"
36 |       - "--certificatesresolvers.myhttpchallenge.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
37 |       - "--certificatesresolvers.myhttpchallenge.acme.email=me@mail.com"
38 |       - "--certificatesresolvers.myhttpchallenge.acme.storage=/letsencrypt/acme.json"
39 |     volumes:
40 |       - "./letsencrypt:/letsencrypt"
41 |       - /var/run/docker.sock:/var/run/docker.sock:ro
42 |       - /etc/localtime:/etc/localtime:ro
43 |       - /etc/timezone:/etc/timezone:ro
44 | 
45 |   db:
46 |     image: mariadb:11.0
47 |     logging:
48 |       options:
49 |         max-size: "10m"
50 |         max-file: "3"
51 |     container_name: mysql
52 |     command: --default-authentication-plugin=mysql_native_password
53 |     restart: unless-stopped
54 |     env_file:
55 |       - .env
56 |     volumes:
57 |       - vol-wp-db:/var/lib/mysql
58 |       - ./config/my.cnf:/etc/mysql/conf.d/zzz_my.cnf
59 |       - /etc/localtime:/etc/localtime:ro
60 |       - /etc/timezone:/etc/timezone:ro
61 |     networks:
62 |       - backend
63 | 
64 |   wordpress:
65 |     depends_on:
66 |       - db
67 |     networks:
68 |       - traefik
69 |       - backend
70 |     container_name: wordpress
71 |     logging:
72 |       options:
73 |         max-size: "10m"
74 |         max-file: "3"
75 |     restart: always
76 |     env_file:
77 |       - .env
78 |     build: ./
79 |     ports:
80 |       - "127.0.0.1:8081:8080"
81 |     volumes:
82 |       - ./wp-content:/var/www/wp-content
83 |       - ./images:/usr/src/wordpress/images
84 |       - /etc/localtime:/etc/localtime:ro
85 |       - /etc/timezone:/etc/timezone:ro
86 |       - ./rootfs:/data
87 |     labels:
88 |       - "traefik.enable=true"
89 |       - "traefik.docker.network=traefik"
90 |       - "traefik.http.routers.wordpresscp.rule=Host(`mywp.com`)"
91 |       - "traefik.http.routers.wordpresscp.entrypoints=web"
92 |       - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
93 |       - "traefik.http.routers.wordpresscp.middlewares=redirect-to-https@docker"
94 |       - "traefik.http.routers.wordpresscp-secured.rule=Host(`mywp.com`)"
95 |       - "traefik.http.routers.wordpresscp-secured.entrypoints=web-secure"
96 |       - "traefik.http.routers.wordpresscp-secured.tls=true"
97 |       - "traefik.http.routers.wordpresscp-secured.tls.certresolver=myhttpchallenge"
98 | 
99 | 


--------------------------------------------------------------------------------
/entrypoint.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | set -e
4 | 
5 | curl -f https://api.wordpress.org/secret-key/1.1/salt/ >> /usr/src/wordpress/wp-secrets.php
6 | 
7 | exec "$@"
8 | 


--------------------------------------------------------------------------------
/rootfs.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -ex
 3 | 
 4 | src_dir="/data"
 5 | dst_dir="/usr/src/wordpress"
 6 | 
 7 | if [ ! "$(ls -A $src_dir)" ]; then
 8 |     exit 0
 9 | fi
10 | 
11 | mkdir -p $dst_dir
12 | 
13 | for file in $src_dir/*; do
14 |     filename=$(basename $file)
15 |     if [ ! -L "$dst_dir/$filename" ] || [ "$(readlink "$dst_dir/$filename")" != "$file" ]; then
16 |         ln -sf $file $dst_dir/$filename
17 |     fi
18 | done
19 | 


--------------------------------------------------------------------------------
/rootfs/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nidr0x/docker-production-wordpress/42ae6d6912d3f653b1c70bfde300f70cdc1ce39b/rootfs/.gitkeep


--------------------------------------------------------------------------------
/wp-config.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && 'https' == $_SERVER['HTTP_X_FORWARDED_PROTO']) {
 3 |     $_SERVER['HTTPS'] = 'on';
 4 | }
 5 | 
 6 | define('WP_CONTENT_DIR', '/var/www/wp-content');
 7 | define('WP_AUTO_UPDATE_CORE', false );
 8 | 
 9 | $table_prefix  = getenv('TABLE_PREFIX') ?: 'wp_';
10 | 
11 | foreach ($_ENV as $key => $value) {
12 |     $capitalized = strtoupper($key);
13 |     if (!defined($capitalized)) {
14 |         define($capitalized, $value);
15 |     }
16 | }
17 | 
18 | if (!defined('ABSPATH')) {
19 |     define('ABSPATH', dirname(__FILE__) . '/');
20 | }
21 | 
22 | require_once(ABSPATH . 'wp-secrets.php');
23 | require_once(ABSPATH . 'wp-settings.php');
24 | @ini_set('display_errors', 0);
25 | 


--------------------------------------------------------------------------------
/wp-secrets.php:
--------------------------------------------------------------------------------
1 | <?php
2 | 


--------------------------------------------------------------------------------