'
. ''
. '
PHP version too old '
. '
SocietyPress requires PHP 8.0 or newer. This server is running PHP '
. htmlspecialchars( PHP_VERSION, ENT_QUOTES, 'UTF-8' ) . '.
'
. '
Most cPanel hosts let you change the PHP version under the "MultiPHP Manager" or "PHP Selector" tool. After upgrading to PHP 8.0+, reload this page.
'
. '
Before we begin, let's make sure your hosting can run SocietyPress.
✓ Your server meets all requirements. Ready to install!
Continue to Setup
✕ Some requirements are not met. Please resolve the issues above before continuing.
Re-Check Requirements
SP_DEMO_DB_NAME,
'user' => SP_DEMO_DB_USER,
'pass' => SP_DEMO_DB_PASS,
'host' => SP_DEMO_DB_HOST,
'prefix' => 'wp_',
];
}
// Retrieve saved form data and errors from session (if returning from a failed attempt)
$saved = $_SESSION['sp_form_data'] ?? [];
$form_errors = $_SESSION['sp_form_errors'] ?? [];
unset( $_SESSION['sp_form_errors'] );
// Keep sp_form_data in session so it survives multiple error cycles
sp_installer_render_page( 'Configure Your Site', function () use ( $nonce, $saved, $form_errors ) {
?>
This is what the SocietyPress installer looks like. The database fields below show
example values — on your own hosting, you'd fill in the real credentials from your
hosting provider. For this demo, just scroll down, enter a society name and password,
and click Install.
You'll need your database credentials from your hosting provider. If you're not sure
where to find them, check your hosting control panel (cPanel, Plesk, etc.) under
"MySQL Databases" or "Database Management."
$db_name,
'db_user' => $db_user,
'db_host' => $db_host,
'db_prefix' => $db_prefix,
'site_title' => $site_title,
'admin_email' => $admin_email,
'admin_first' => $admin_first,
'admin_last' => $admin_last,
'admin_user' => $admin_user,
'org_email' => $org_email,
'org_address' => $org_address,
'org_phone' => $org_phone,
'membership_period' => $membership_period,
'membership_start' => $membership_start,
// Passwords (db_pass, admin_pass) deliberately NOT saved to session
];
// Validate
$errors = [];
if ( empty( $db_name ) ) $errors[] = 'Database name is required.';
if ( empty( $db_user ) ) $errors[] = 'Database username is required.';
if ( empty( $site_title ) ) $errors[] = 'Society name is required.';
if ( empty( $admin_email ) || ! filter_var( $admin_email, FILTER_VALIDATE_EMAIL ) ) {
$errors[] = 'A valid admin email address is required.';
}
if ( empty( $admin_first ) ) $errors[] = 'First name is required.';
if ( empty( $admin_last ) ) $errors[] = 'Last name is required.';
// WHY explicit pattern: the HTML pattern attribute is client-side only and
// can be bypassed by anyone POSTing directly. The username flows into a
// var_export() call that becomes part of a generated PHP file; while
// var_export produces correct PHP literals (so it is not directly
// injectable), defense-in-depth says we restrict to a known-safe set.
if ( empty( $admin_user ) || ! preg_match( '/^[a-zA-Z0-9_\-.]{3,60}$/', $admin_user ) ) {
$errors[] = 'Admin username must be 3–60 characters using only letters, numbers, underscore, hyphen, or period.';
}
if ( strlen( $admin_pass ) < 8 ) {
$errors[] = 'Admin password must be at least 8 characters.';
}
if ( $admin_pass !== $admin_pass2 ) {
$errors[] = 'Passwords do not match.';
}
if ( ! empty( $db_prefix ) && ! preg_match( '/^[a-zA-Z_][a-zA-Z0-9_]*$/', $db_prefix ) ) {
$errors[] = 'Table prefix must start with a letter or underscore and contain only letters, numbers, and underscores.';
}
// WHY allowlist: $membership_period gets written into societypress_settings
// and is rendered unescaped in some admin contexts. The HTML only
// exposes three values, but a direct POST can send anything. Pin to the
// allowlist server-side; fall back to 'annual' for any unexpected value.
if ( ! in_array( $membership_period, [ 'annual', 'rolling', 'lifetime' ], true ) ) {
$membership_period = 'annual';
}
// WHY db_host pattern: this value flows into wp-config.php via a regex
// replacement below. A value containing newlines, quotes, or PHP tokens
// could escape the constant string and inject code. Restrict to the
// characters legal in a hostname / hostname:port / unix-socket path.
if ( $db_host === '' ) {
$db_host = 'localhost';
} elseif ( ! preg_match( '/^[a-zA-Z0-9._\-:\/]+$/', $db_host ) ) {
$errors[] = 'Database host contains invalid characters. Use a hostname like "localhost" or "db.example.com" (port and unix-socket paths are allowed).';
}
if ( $errors ) {
$_SESSION['sp_form_errors'] = $errors;
header( 'Location: ?step=configure' );
exit;
}
// Ensure prefix ends with underscore
if ( substr( $db_prefix, -1 ) !== '_' ) {
$db_prefix .= '_';
}
$install_dir = __DIR__;
$log = [];
// ---- 1. Test database connection ----
// WHY try/catch: PHP 8.1+ throws mysqli_sql_exception on connection failure
// instead of returning an error code. The @ suppression operator doesn't
// catch exceptions, so without this try/catch the installer shows a raw
// fatal error instead of a friendly message.
$log[] = 'Testing database connection...';
$db_error = '';
try {
$conn = new mysqli( $db_host, $db_user, $db_pass, $db_name );
if ( $conn->connect_error ) {
$db_error = $conn->connect_error;
} else {
$conn->close();
}
} catch ( mysqli_sql_exception $e ) {
$db_error = $e->getMessage();
}
if ( $db_error ) {
// Redirect back to the form with a generic error — the raw mysqli
// message contains the username, hostname, and database name and
// confirms valid users to anyone probing an exposed installer.
// The detail still goes to error_log for the admin.
@error_log( 'SocietyPress installer: database connection failed: ' . $db_error );
$_SESSION['sp_form_errors'] = [
'Could not connect to the database. Check your credentials and try again.',
'If you are sure the credentials are right, ask your hosting provider whether the database is reachable.',
];
header( 'Location: ?step=configure' );
exit;
}
$log[] = 'Database connection successful.';
// ---- 2. Download WordPress ----
$log[] = 'Downloading WordPress...';
$wp_zip_path = $install_dir . '/wordpress-latest.zip';
$wp_downloaded = sp_installer_download( SP_INSTALLER_WP_URL, $wp_zip_path );
if ( ! $wp_downloaded ) {
sp_installer_die( 'Download Failed', 'Could not download WordPress from wordpress.org. Please check that your server allows outbound HTTP connections.' );
}
$log[] = 'WordPress downloaded.';
// ---- 3. Extract WordPress ----
$log[] = 'Extracting WordPress...';
$zip = new ZipArchive();
if ( $zip->open( $wp_zip_path ) !== true ) {
@unlink( $wp_zip_path );
sp_installer_die( 'Extract Failed', 'Could not open the WordPress ZIP file.' );
}
// WordPress ZIP extracts to a "wordpress/" subdirectory — we need to move
// the contents up to the install directory.
//
// SECURITY: We do NOT use $zip->extractTo() because that performs no path
// validation. A ZIP entry named "../../etc/cron.d/evil" would escape the
// install directory and write anywhere the web user can reach. The
// wordpress.org ZIP is trusted, but trust is not a control — a MITM, a
// compromised mirror, or a corrupt download could deliver a crafted ZIP.
// We iterate entries manually and reject any whose normalized path falls
// outside the install directory.
$install_dir_real = realpath( $install_dir );
if ( $install_dir_real === false ) {
$zip->close();
sp_installer_die( 'Extract Failed', 'Install directory could not be resolved.' );
}
for ( $i = 0; $i < $zip->numFiles; $i++ ) {
$entry_name = $zip->getNameIndex( $i );
if ( $entry_name === false || $entry_name === '' ) {
continue;
}
// Reject any entry containing path-traversal sequences or null bytes,
// and reject absolute paths (Windows drive letters too).
if ( strpos( $entry_name, "\0" ) !== false
|| strpos( $entry_name, '..' ) !== false
|| $entry_name[0] === '/'
|| preg_match( '/^[A-Za-z]:/', $entry_name ) ) {
$zip->close();
sp_installer_die( 'Extract Failed', 'WordPress archive contains an unsafe entry path. Aborting for safety.' );
}
$target = $install_dir_real . DIRECTORY_SEPARATOR . $entry_name;
$is_dir = ( substr( $entry_name, -1 ) === '/' );
if ( $is_dir ) {
if ( ! is_dir( $target ) ) {
@mkdir( $target, 0755, true );
}
continue;
}
$parent = dirname( $target );
if ( ! is_dir( $parent ) ) {
@mkdir( $parent, 0755, true );
}
// Final containment check: the resolved parent directory must be the
// install dir or beneath it. realpath() returns false if the path
// doesn't exist, but mkdir above guarantees it does at this point.
// WHY trailing DIRECTORY_SEPARATOR: a bare strpos prefix-match would
// accept '/var/www/htmlevil' as inside '/var/www/html'. The trailing
// separator forces a directory-boundary match.
$parent_real = realpath( $parent );
$needle = rtrim( $install_dir_real, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
$haystack = rtrim( $parent_real, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
if ( $parent_real === false || strpos( $haystack, $needle ) !== 0 ) {
$zip->close();
sp_installer_die( 'Extract Failed', 'WordPress archive entry resolved outside the install directory. Aborting for safety.' );
}
$stream = $zip->getStream( $entry_name );
if ( $stream === false ) {
continue;
}
$out = fopen( $target, 'wb' );
if ( $out !== false ) {
stream_copy_to_stream( $stream, $out );
fclose( $out );
}
if ( is_resource( $stream ) ) {
fclose( $stream );
}
}
$zip->close();
@unlink( $wp_zip_path );
// Move files from wordpress/ subdirectory to install root.
// SECURITY: Source paths come from our own filesystem walk after the
// safe extraction above, so path traversal is not a concern here, but
// we still verify each target is inside $install_dir as belt-and-braces.
$wp_subdir = $install_dir . '/wordpress';
if ( is_dir( $wp_subdir ) ) {
$items = new RecursiveIteratorIterator(
new RecursiveDirectoryIterator( $wp_subdir, RecursiveDirectoryIterator::SKIP_DOTS ),
RecursiveIteratorIterator::SELF_FIRST
);
foreach ( $items as $item ) {
$relative = substr( $item->getPathname(), strlen( $wp_subdir ) + 1 );
if ( strpos( $relative, '..' ) !== false ) {
continue; // belt-and-braces; should never trigger after safe extract
}
$target = $install_dir . '/' . $relative;
if ( $item->isDir() ) {
@mkdir( $target, 0755, true );
} else {
// WHY copy+unlink fallback: on many cPanel/shared hosts the temp
// extraction and the install root can sit on different mount
// points, where rename() across devices fails silently. If the
// move fails, copy then delete the source — a universally
// reliable cross-mount pattern. If even the copy fails, abort
// loudly rather than logging a misleading "extracted" success.
if ( ! @rename( $item->getPathname(), $target ) ) {
if ( ! @copy( $item->getPathname(), $target ) ) {
sp_installer_die( 'Extract Failed', 'Could not move WordPress files into place. Check directory permissions and available disk space.' );
}
@unlink( $item->getPathname() );
}
}
}
// Clean up the now-empty wordpress directory
sp_installer_rmdir( $wp_subdir );
}
$log[] = 'WordPress extracted.';
// ---- 4. Generate security keys ----
$log[] = 'Generating security keys...';
$salts = sp_installer_download_string( SP_INSTALLER_SALT_URL );
if ( ! $salts || strpos( $salts, 'AUTH_KEY' ) === false ) {
// Fallback: generate our own keys if the API is unreachable
$salts = '';
$key_names = [
'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];
foreach ( $key_names as $name ) {
$salts .= "define( '{$name}', '" . bin2hex( random_bytes( 32 ) ) . "' );\n";
}
}
$log[] = 'Security keys generated.';
// ---- 5. Write wp-config.php ----
$log[] = 'Writing configuration file...';
$config_sample = $install_dir . '/wp-config-sample.php';
if ( ! file_exists( $config_sample ) ) {
sp_installer_die( 'Configuration Error', 'wp-config-sample.php not found. The WordPress download may be corrupted.' );
}
$config = file_get_contents( $config_sample );
// Replace database constants.
// WHY preg_replace per constant (not str_replace): wp-config-sample.php
// contains the literal "localhost" in inline comments AND in the DB_HOST
// line. A naive str_replace( "localhost", $db_host, $config ) would also
// overwrite every comment containing the word — and worse, the user's
// db_host value would land verbatim in those positions, including any
// quotes or PHP tokens it contained. Targeting only the constant's
// single-quoted string and addslashes()-escaping the user value
// contains both problems.
// WHY preg_replace_callback (not preg_replace): a literal `$1` or `${1}`
// in the user's value (cPanel-style auto-generated credentials sometimes
// include literal dollar signs followed by digits) would be parsed as
// a backreference inside a preg_replace replacement string and splice
// the captured group back in place. addslashes() doesn't touch `$`.
// The callback form treats the replacement as a plain string.
$sp_set_config_value = function ( string $constant, string $value, string $config ): string {
$escaped = addslashes( $value ); // safe for single-quoted PHP literal
$pattern = "/(define\(\s*'" . preg_quote( $constant, '/' ) . "'\s*,\s*')[^']*('\s*\)\s*;)/";
return preg_replace_callback( $pattern, function ( $m ) use ( $escaped ) {
return $m[1] . $escaped . $m[2];
}, $config, 1 );
};
$config = $sp_set_config_value( 'DB_NAME', $db_name, $config );
$config = $sp_set_config_value( 'DB_USER', $db_user, $config );
$config = $sp_set_config_value( 'DB_PASSWORD', $db_pass, $config );
$config = $sp_set_config_value( 'DB_HOST', $db_host, $config );
$sp_prefix_safe = $db_prefix; // already validated as [a-zA-Z0-9_] earlier
$config = preg_replace_callback(
'/\$table_prefix\s*=\s*\'wp_\'/',
function () use ( $sp_prefix_safe ) { return "\$table_prefix = '{$sp_prefix_safe}'"; },
$config
);
// Replace salt block — use a callback so any `$1`-style sequence in the
// upstream WP salt response (or a MITM-injected one) is treated as a
// literal, not as a backreference.
$sp_salts_block = trim( $salts ) . "\n\n";
$config = preg_replace_callback(
'/define\(\s*\'AUTH_KEY\'.*?define\(\s*\'NONCE_SALT\'[^;]*;\s*/s',
function () use ( $sp_salts_block ) { return $sp_salts_block; },
$config
);
// Add debug settings (off for production)
$config = str_replace(
"define( 'WP_DEBUG', false );",
"define( 'WP_DEBUG', false );\ndefine( 'WP_DEBUG_LOG', false );\ndefine( 'WP_DEBUG_DISPLAY', false );",
$config
);
if ( ! file_put_contents( $install_dir . '/wp-config.php', $config ) ) {
sp_installer_die( 'Write Error', 'Could not write wp-config.php. Check that the directory is writable.' );
}
$log[] = 'Configuration file written.';
// ---- 6. Prepare for WordPress installation ----
// WHY: We can't bootstrap wp-settings.php on this host (proc_open disabled,
// and WordPress's DB error handler calls die() which can't be caught). Instead,
// we let WordPress install itself via its own /wp-admin/install.php, and we
// plant a must-use plugin that auto-activates SocietyPress + theme on first load.
$log[] = 'Preparing WordPress installation...';
// Create the mu-plugin that fires once after WP installs
$mu_dir = $install_dir . '/wp-content/mu-plugins';
@mkdir( $mu_dir, 0755, true );
$mu_plugin = <<<'MUPLUGIN'
isDir() ) {
@rmdir( $item->getPathname() );
} else {
@unlink( $item->getPathname() );
}
}
@rmdir( $dir );
}
add_action( 'admin_init', function () {
// Only run once — if SocietyPress is already active, bail
$active = get_option( 'active_plugins', [] );
if ( in_array( 'societypress/societypress.php', $active, true ) ) {
// Clean up: delete this mu-plugin
@unlink( __FILE__ );
return;
}
// ---- Cleanup FIRST: remove WordPress default cruft ----
// WHY: This MUST happen before SocietyPress activation. The plugin's
// activation hook runs sp_maybe_create_default_pages(), which only
// creates a Home page if zero published pages exist. WordPress ships
// with a "Sample Page" that counts as a published page — if we don't
// delete it first, the activation hook sees it and skips homepage
// creation, leaving show_on_front stuck on "posts."
// Delete "Hello world!" post, "Sample Page", and default comment
$hello_post = get_page_by_path( 'hello-world', OBJECT, 'post' );
if ( $hello_post ) { wp_delete_post( $hello_post->ID, true ); }
$sample_page = get_page_by_path( 'sample-page' );
if ( $sample_page ) { wp_delete_post( $sample_page->ID, true ); }
$default_comments = get_comments( [ 'number' => 100 ] );
foreach ( $default_comments as $c ) {
wp_delete_comment( $c->comment_ID, true );
}
// Delete Hello Dolly — both the single-file and directory variants
$hello_file = WP_PLUGIN_DIR . '/hello.php';
if ( file_exists( $hello_file ) ) { @unlink( $hello_file ); }
$hello_dir = WP_PLUGIN_DIR . '/hello-dolly';
if ( is_dir( $hello_dir ) ) { sp_installer_mu_rmdir( $hello_dir ); }
// Delete default Twenty* themes — SocietyPress is the only theme needed.
// WHY glob instead of a hardcoded list: each WordPress release ships a new
// Twenty* theme. A fixed list goes stale and leaves the newest default on
// disk after every WP upgrade. Matching any twenty* directory future-proofs
// the cleanup with no maintenance.
$twenty_dirs = glob( get_theme_root() . '/twenty*', GLOB_ONLYDIR );
if ( is_array( $twenty_dirs ) ) {
foreach ( $twenty_dirs as $theme_dir ) {
sp_installer_mu_rmdir( $theme_dir );
}
}
// ---- NOW activate SocietyPress ----
// WHY activate_plugin() instead of update_option('active_plugins'):
// Manually adding to the active_plugins array skips register_activation_hook.
// That means sp_maybe_create_default_pages(), sp_create_tables(), and all
// the other activation setup never runs. activate_plugin() loads the plugin
// file, fires the activation hook, and does everything properly.
require_once ABSPATH . 'wp-admin/includes/plugin.php';
activate_plugin( 'societypress/societypress.php' );
// Activate parent theme
switch_theme( 'societypress' );
// Set permalinks
global $wp_rewrite;
$wp_rewrite->set_permalink_structure( '/%postname%/' );
$wp_rewrite->flush_rules( true );
// ---- Apply installer-collected SocietyPress settings ----
// WHY: The installer form collects org details and membership config so
// Harold doesn't have to re-enter them in a separate setup wizard. The
// installer writes these to a JSON file with a randomized filename
// (sp-installer-config-<32hex>.json) that we glob for here, read,
// merge into the SP settings, and delete.
// WHY initialize to null: $installer_config is only assigned inside the
// config-file block below. If glob finds nothing (write failed, or another
// process already cleaned the file), the is_array() check further down would
// otherwise read an undefined variable — a PHP 8 warning that silently skips
// admin member-record creation. Initialize so the guard is real, not luck.
$installer_config = null;
// WHY glob two locations: the installer writes this file one directory
// above the web root when that parent is writable (so it can't be fetched
// over HTTP), and falls back to ABSPATH otherwise. Check both.
$config_file = '';
$candidates = array_merge(
glob( ABSPATH . 'sp-installer-config-*.json' ) ?: [],
glob( dirname( untrailingslashit( ABSPATH ) ) . '/sp-installer-config-*.json' ) ?: []
);
// WHY validate the basename: glob only matched a wildcard. Pin each
// candidate to the exact randomized pattern (32 hex chars) so a file
// planted via some other writable-path vector can't be read as config.
$candidates = array_values( array_filter( $candidates, function ( $path ) {
return (bool) preg_match( '/^sp-installer-config-[a-f0-9]{32}\.json$/', basename( $path ) );
} ) );
if ( $candidates ) {
// Most recent wins if more than one exists (shouldn't, but defend).
usort( $candidates, function ( $a, $b ) { return filemtime( $b ) <=> filemtime( $a ); } );
$config_file = $candidates[0];
}
if ( $config_file && file_exists( $config_file ) ) {
$installer_config = json_decode( file_get_contents( $config_file ), true );
if ( is_array( $installer_config ) ) {
$sp_settings = get_option( 'societypress_settings', [] );
// Map installer fields to SP settings keys
$sp_settings['organization_name'] = $installer_config['organization_name'] ?? $sp_settings['organization_name'] ?? '';
$sp_settings['organization_email'] = $installer_config['organization_email'] ?? $sp_settings['organization_email'] ?? '';
$sp_settings['organization_address'] = $installer_config['organization_address'] ?? '';
$sp_settings['organization_phone'] = $installer_config['organization_phone'] ?? '';
$sp_settings['membership_period_type'] = $installer_config['membership_period_type'] ?? 'annual';
$sp_settings['membership_start_month'] = (int) ( $installer_config['membership_start_month'] ?? 7 );
// Email from defaults to org name + email
$sp_settings['email_from_name'] = $sp_settings['email_from_name'] ?: $sp_settings['organization_name'];
$sp_settings['email_from_email'] = $sp_settings['email_from_email'] ?: $sp_settings['organization_email'];
// Video hero defaults — the theme ships with a cinematic background
// video that plays behind the society name on the home page. This is
// the "blow their minds" first impression after install.
$theme_url = get_template_directory_uri();
if ( empty( $sp_settings['homepage_hero_type'] ) ) {
$sp_settings['homepage_hero_type'] = 'video';
$sp_settings['homepage_hero_media'] = $theme_url . '/assets/hero-background.mp4';
$sp_settings['homepage_hero_poster'] = $theme_url . '/assets/hero-background-poster.jpg';
$sp_settings['homepage_hero_headline'] = '';
$sp_settings['homepage_hero_subtitle'] = 'Preserving Our Past. Connecting Our Present.';
$sp_settings['homepage_hero_cta_text'] = 'Upcoming Events';
$sp_settings['homepage_hero_cta_url'] = '/events/';
$sp_settings['homepage_hero_overlay'] = 35;
$sp_settings['homepage_hero_height'] = 'fullscreen';
}
update_option( 'societypress_settings', $sp_settings );
// WHY: Don't mark wizard complete here — the wizard now handles
// branding uploads, package selection, and nav menu setup.
// The installer only covers org info and membership basics.
}
@unlink( $config_file );
}
// ---- Create a member record + set WP profile for the admin user ----
// WHY: The person installing SocietyPress is almost always a member.
// The installer collected their first/last name. We save it to the WP
// user profile (so WordPress knows their name) and create an SP member
// record (so the header shows their name instead of "Log In").
$admin_user = wp_get_current_user();
if ( $admin_user && $admin_user->ID && is_array( $installer_config ) ) {
$first = $installer_config['admin_first_name'] ?? '';
$last = $installer_config['admin_last_name'] ?? '';
// Save to WordPress user profile
if ( $first ) update_user_meta( $admin_user->ID, 'first_name', $first );
if ( $last ) update_user_meta( $admin_user->ID, 'last_name', $last );
if ( $first || $last ) {
wp_update_user( [
'ID' => $admin_user->ID,
'display_name' => trim( $first . ' ' . $last ),
] );
}
// Create SP member record
global $wpdb;
$members_table = $wpdb->prefix . 'sp_members';
$exists = $wpdb->get_var( $wpdb->prepare(
"SELECT user_id FROM {$members_table} WHERE user_id = %d",
$admin_user->ID
) );
if ( ! $exists ) {
if ( empty( $first ) ) $first = $admin_user->user_login;
$wpdb->insert( $members_table, [
'user_id' => $admin_user->ID,
'first_name' => $first,
'last_name' => $last,
'status' => 'active',
'join_date' => current_time( 'Y-m-d' ),
] );
}
}
// Self-destruct
@unlink( __FILE__ );
// Redirect to the setup wizard — Harold still needs to upload branding,
// choose packages, and set up navigation.
wp_safe_redirect( admin_url( 'admin.php?page=sp-setup-wizard' ) );
exit;
}, 1 );
MUPLUGIN;
if ( false === file_put_contents( $mu_dir . '/sp-auto-activate.php', $mu_plugin ) ) {
sp_installer_die( 'Write Error', 'Could not write the auto-activator. Check that the directory is writable and you have enough disk space.' );
}
$log[] = 'Auto-activator planted.';
// ---- 6b. Write installer config for the mu-plugin to pick up ----
// WHY: The mu-plugin runs in a separate request where $_POST is gone.
// We write the SP settings to a JSON file that the mu-plugin reads,
// applies to the societypress_settings option, and deletes. This is
// how the installer-collected org details reach the plugin without
// a second wizard step.
//
// WHY randomized filename: the previous fixed name `sp-installer-
// config.json` was web-readable for the few seconds between write and
// mu-plugin pickup. The file holds admin name/email/phone/address
// (no passwords). Randomizing the filename closes blind URL probing
// — the mu-plugin globs for the unique pattern.
//
// WHY one directory above the web root when possible: even with a random
// name, the file sits with no .htaccess protection (we rename .htaccess
// away below so the bridge is reachable). Writing it one level above
// __DIR__ takes it out of the document root entirely so it can never be
// fetched over HTTP. If that parent isn't writable (e.g. a root install),
// fall back to the install dir. The mu-plugin globs both locations.
$installer_config = [
'organization_name' => $site_title,
'organization_email' => $org_email ?: '',
'organization_address' => $org_address,
'organization_phone' => $org_phone,
'membership_period_type' => $membership_period,
'membership_start_month' => $membership_start,
'admin_first_name' => $admin_first,
'admin_last_name' => $admin_last,
];
$config_filename = 'sp-installer-config-' . bin2hex( random_bytes( 16 ) ) . '.json';
$config_parent = dirname( $install_dir );
$config_dir = ( $config_parent && is_dir( $config_parent ) && is_writable( $config_parent ) )
? $config_parent
: $install_dir;
if ( false === file_put_contents( $config_dir . '/' . $config_filename, json_encode( $installer_config ) ) ) {
// Last resort: try the install dir if the out-of-webroot write failed.
@file_put_contents( $install_dir . '/' . $config_filename, json_encode( $installer_config ) );
}
$log[] = 'Installer config written.';
// ---- 7. Create a bridge script that runs WordPress's install with our data ----
// WHY: We already collected the society name, admin email, username, and password
// in our form. Redirecting to wp-admin/install.php makes the user enter it all
// again — terrible UX. Instead, we create a temporary PHP script that loads
// WordPress and runs wp_install() with the values we already have. The user
// never sees WordPress's install screen.
$log[] = 'Creating install bridge...';
// Generate a one-time secret token for this bridge invocation.
// WHY: The bridge script is publicly reachable for the brief window between
// it being written and the browser hitting it. A random token in the URL
// ensures only the user whose browser was redirected here can trigger it —
// a crawler or scanner that hits /sp-bridge-install.php without the token
// gets a 403 instead of running wp_install().
$bridge_token = bin2hex( random_bytes( 16 ) );
$bridge_script = $install_dir . '/sp-bridge-install.php';
$bridge_code = 'get_error_message() );' . "\n"
. '}' . "\n"
. "\n"
. '// Write a one-time auto-login transient for the mu-plugin to pick up.' . "\n"
. '// WHY: wp_set_auth_cookie() does not work reliably during WP_INSTALLING' . "\n"
. '// because cookie constants (COOKIEPATH, COOKIE_DOMAIN) are derived from' . "\n"
. '// the siteurl option, which is set AFTER wp_install() runs but the' . "\n"
. '// constants were already defined (with wrong values) during bootstrap.' . "\n"
. '// Instead, we hand a (user_id, secret) pair to the mu-plugin which runs' . "\n"
. '// in a normal WordPress context where everything is properly initialized.' . "\n"
. '// WHY a secret: without one, any hit to wp-login.php between now and the' . "\n"
. '// legitimate browser following the redirect below would trigger auto-login' . "\n"
. '// as admin. The secret is 256 bits of random — only carried in the URL we' . "\n"
. '// are about to redirect to — so only that one request can consume the token.' . "\n"
. '// WHY a transient (not a file): a token file in wp-content is web-reachable' . "\n"
. '// on most hosts. Transients live in the DB and cannot be read over HTTP.' . "\n"
. '$sp_token_secret = bin2hex( random_bytes( 32 ) );' . "\n"
. 'set_transient( "sp_auto_login", array(' . "\n"
. ' "user_id" => (int) $result["user_id"],' . "\n"
. ' "secret" => $sp_token_secret,' . "\n"
. '), 5 * MINUTE_IN_SECONDS );' . "\n"
. "\n"
. '// Self-destruct — remove bridge script and main installer' . "\n"
. '@unlink( __FILE__ );' . "\n"
. '$installer = dirname( __FILE__ ) . "/sp-installer.php";' . "\n"
. 'if ( file_exists( $installer ) ) { @unlink( $installer ); }' . "\n"
. '// Also remove the demo sample-data loader — a dev/demo utility that' . "\n"
. '// must not linger in the web root of a finished install.' . "\n"
. '$sample = dirname( __FILE__ ) . "/load-sample-data.php";' . "\n"
. 'if ( file_exists( $sample ) ) { @unlink( $sample ); }' . "\n"
. '// WHY: leftover .htaccess.sp-bak would otherwise sit web-readable' . "\n"
. '// on Apache hosts forever, exposing the prior rewrite config.' . "\n"
. '$htaccess_bak = dirname( __FILE__ ) . "/.htaccess.sp-bak";' . "\n"
. 'if ( file_exists( $htaccess_bak ) ) { @unlink( $htaccess_bak ); }' . "\n"
. "\n"
. '// Redirect directly to wp-login.php carrying the secret. The mu-plugin\'s' . "\n"
. '// login_init hook reads the transient, verifies sp_token matches the stored' . "\n"
. '// secret, sets the auth cookie, and redirects to wp-admin.' . "\n"
. '// WHY home_url() not SCRIPT_NAME: WordPress is loaded here (wp-load.php' . "\n"
. '// above), so home_url() is the authoritative, host-config-agnostic base.' . "\n"
. '// SCRIPT_NAME can be wrong on Nginx/cPanel and is spoofable on some stacks,' . "\n"
. '// which would send the 256-bit auto-login token to the wrong URL.' . "\n"
. 'header( "Location: " . home_url( "/wp-login.php" ) . "?sp_token=" . rawurlencode( $sp_token_secret ) );' . "\n"
. 'exit;' . "\n";
if ( false === file_put_contents( $bridge_script, $bridge_code ) ) {
sp_installer_die( 'Write Error', 'Could not write the installation bridge script. Check that the directory is writable and you have enough disk space.' );
}
$log[] = 'Bridge script created.';
// Remove our .htaccess so the bridge script is reachable via HTTP
$our_htaccess = $install_dir . '/.htaccess';
$htaccess_bak = $install_dir . '/.htaccess.sp-bak';
if ( file_exists( $our_htaccess ) ) {
rename( $our_htaccess, $htaccess_bak );
}
// ---- 8. Download and install SocietyPress ----
// WHY: We extract SocietyPress BEFORE redirecting to the WordPress installer
// bridge script. The mu-plugin needs the plugin and theme files to already
// be in place when it fires on first admin page load.
// WHY: We try our own bundle URL first (hosted on getsocietypress.org) because
// it's a direct download with no redirects. GitHub's archive URLs require redirect
// following and sometimes fail on locked-down shared hosts. The bundle contains
// the plugin + parent theme + all child themes in a simple flat structure.
$log[] = 'Downloading SocietyPress...';
$sp_zip_path = $install_dir . '/societypress-latest.zip';
$sp_downloaded = false;
// Try 1: Bundle ZIP in the same directory as this installer
// WHY: The most reliable approach. If the admin uploaded societypress-bundle.zip
// alongside sp-installer.php, we just use it. No HTTP, no path guessing.
$local_bundle = $install_dir . '/societypress-bundle.zip';
if ( file_exists( $local_bundle ) ) {
$sp_downloaded = copy( $local_bundle, $sp_zip_path );
if ( $sp_downloaded ) {
$log[] = 'SocietyPress bundle found alongside installer.';
}
}
// Try 2: Download from our server via HTTP
if ( ! $sp_downloaded ) {
$log[] = 'Local copy not found, trying HTTP download...';
$sp_downloaded = sp_installer_download( SP_INSTALLER_BUNDLE_URL, $sp_zip_path );
}
// Try 3: GitHub fallback
if ( ! $sp_downloaded ) {
$log[] = 'Bundle download failed, trying GitHub...';
$gh_url = sp_installer_get_github_release_url();
if ( ! $gh_url ) {
$gh_url = 'https://github.com/' . SP_INSTALLER_GITHUB_REPO . '/archive/refs/heads/main.zip';
}
$sp_downloaded = sp_installer_download( $gh_url, $sp_zip_path );
}
if ( ! $sp_downloaded ) {
sp_installer_die(
'SocietyPress Download Failed',
'WordPress was installed successfully, but we could not download SocietyPress. '
. 'You can install it manually: download the plugin from '
. 'GitHub '
. 'and upload it through your WordPress admin panel.'
);
}
if ( ! isset( $log[ count( $log ) - 1 ] ) || strpos( $log[ count( $log ) - 1 ], 'copied' ) === false ) {
$log[] = 'SocietyPress downloaded.';
}
// ---- 9. Extract SocietyPress plugin and themes ----
$log[] = 'Installing SocietyPress plugin and themes...';
$zip = new ZipArchive();
if ( $zip->open( $sp_zip_path ) !== true ) {
@unlink( $sp_zip_path );
sp_installer_die( 'Extract Failed', 'Could not open the SocietyPress ZIP file.' );
}
// The bundle ZIP has a flat structure:
// societypress/societypress.php → wp-content/plugins/societypress/
// themes/societypress/ → wp-content/themes/societypress/
// themes/heritage/ → wp-content/themes/heritage/
// themes/coastline/ → wp-content/themes/coastline/
// themes/prairie/ → wp-content/themes/prairie/
// themes/ledger/ → wp-content/themes/ledger/
//
// If we got a GitHub ZIP instead (fallback), it has:
// SocietyPress-main/plugin/ → wp-content/plugins/societypress/
// SocietyPress-main/theme/ → wp-content/themes/societypress/
// SocietyPress-main/theme-NAME/ → wp-content/themes/NAME/
// Detect which format we got
$is_bundle = false;
$top_dir = '';
for ( $i = 0; $i < $zip->numFiles; $i++ ) {
$name = $zip->getNameIndex( $i );
if ( strpos( $name, 'societypress/societypress.php' ) === 0 ) {
$is_bundle = true;
break;
}
if ( preg_match( '#^([^/]+)/plugin/#', $name, $m ) ) {
$top_dir = $m[1];
break;
}
}
// SECURITY: Both extraction paths build $target by concatenating user-
// controllable ZIP entry names onto known install paths. A crafted entry
// like "../../../etc/cron.d/evil" would escape the wp-content directory.
// This helper validates every write: the entry name must be free of path
// traversal sequences, and the resolved parent directory must live inside
// wp-content. We close the zip and abort on any violation rather than
// silently skip — a corrupt or malicious bundle is not safe to recover from.
$wp_content_real = realpath( $install_dir . '/wp-content' );
if ( $wp_content_real === false ) {
@mkdir( $install_dir . '/wp-content', 0755, true );
$wp_content_real = realpath( $install_dir . '/wp-content' );
}
$sp_safe_extract = function ( string $entry_name, string $target, ZipArchive $zip, int $index ) use ( $wp_content_real, $sp_zip_path ) {
if ( strpos( $entry_name, "\0" ) !== false
|| strpos( $entry_name, '..' ) !== false
|| ( $entry_name !== '' && $entry_name[0] === '/' )
|| preg_match( '/^[A-Za-z]:/', $entry_name ) ) {
$zip->close();
@unlink( $sp_zip_path );
sp_installer_die( 'Extract Failed', 'SocietyPress archive contains an unsafe entry path. Aborting for safety.' );
}
$is_dir = ( substr( $entry_name, -1 ) === '/' );
$parent = $is_dir ? $target : dirname( $target );
if ( ! is_dir( $parent ) ) {
@mkdir( $parent, 0755, true );
}
$parent_real = realpath( $parent );
// WHY trailing separator: bare prefix match would let
// '/wp-contentevil' pass as inside '/wp-content'. Force boundary.
$sp_needle = rtrim( (string) $wp_content_real, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
$sp_haystack = rtrim( (string) $parent_real, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
if ( $parent_real === false || $wp_content_real === false || strpos( $sp_haystack, $sp_needle ) !== 0 ) {
$zip->close();
@unlink( $sp_zip_path );
sp_installer_die( 'Extract Failed', 'SocietyPress archive entry resolved outside wp-content. Aborting for safety.' );
}
if ( ! $is_dir ) {
// WHY stream instead of getFromIndex(): getFromIndex() buffers the
// entire decompressed entry in a PHP string before writing. On a
// 64 MB shared host that peak allocation can OOM mid-extraction and
// leave a partial plugin directory. Streaming keeps memory flat,
// matching the WordPress extraction path above.
$entry_stream = $zip->getStreamIndex( $index );
if ( $entry_stream !== false ) {
$out = fopen( $target, 'wb' );
if ( $out !== false ) {
stream_copy_to_stream( $entry_stream, $out );
fclose( $out );
}
if ( is_resource( $entry_stream ) ) {
fclose( $entry_stream );
}
}
}
};
if ( $is_bundle ) {
// Bundle format: extract directly
for ( $i = 0; $i < $zip->numFiles; $i++ ) {
$name = $zip->getNameIndex( $i );
// Plugin: societypress/* → plugins/societypress/*
if ( strpos( $name, 'societypress/' ) === 0 && strpos( $name, 'themes/' ) !== 0 ) {
$target = $install_dir . '/wp-content' . '/plugins/' . $name;
$sp_safe_extract( $name, $target, $zip, $i );
}
// Themes: themes/* → themes/*
if ( strpos( $name, 'themes/' ) === 0 ) {
$target = $install_dir . '/wp-content' . '/' . $name;
$sp_safe_extract( $name, $target, $zip, $i );
}
}
} elseif ( $top_dir ) {
// GitHub format: extract with path rewriting
$plugin_dir = $install_dir . '/wp-content' . '/plugins/societypress/';
@mkdir( $plugin_dir, 0755, true );
$child_themes = [ 'heritage', 'coastline', 'prairie', 'ledger', 'parlor' ];
for ( $i = 0; $i < $zip->numFiles; $i++ ) {
$name = $zip->getNameIndex( $i );
// Plugin
if ( strpos( $name, "{$top_dir}/plugin/" ) === 0 ) {
$rel = substr( $name, strlen( "{$top_dir}/plugin/" ) );
if ( $rel === '' ) continue;
$sp_safe_extract( $rel, $plugin_dir . $rel, $zip, $i );
}
// Parent theme
if ( strpos( $name, "{$top_dir}/theme/" ) === 0 && strpos( $name, "{$top_dir}/theme-" ) !== 0 ) {
$rel = substr( $name, strlen( "{$top_dir}/theme/" ) );
if ( $rel === '' ) continue;
$sp_safe_extract( $rel, $install_dir . '/wp-content' . '/themes/societypress/' . $rel, $zip, $i );
}
// Child themes
foreach ( $child_themes as $ct ) {
if ( strpos( $name, "{$top_dir}/theme-{$ct}/" ) === 0 ) {
$rel = substr( $name, strlen( "{$top_dir}/theme-{$ct}/" ) );
if ( $rel === '' ) continue;
$sp_safe_extract( $rel, $install_dir . '/wp-content' . "/themes/{$ct}/" . $rel, $zip, $i );
}
}
}
} else {
$zip->close();
@unlink( $sp_zip_path );
sp_installer_die( 'Extract Failed', 'Could not find SocietyPress in the downloaded archive.' );
}
$zip->close();
@unlink( $sp_zip_path );
$log[] = 'SocietyPress plugin and themes installed.';
// ---- 10. Redirect to the bridge script to finish WordPress install ----
// WHY: Server-to-self HTTP requests fail on this host. We redirect the user's
// browser to the bridge script, which loads WordPress in a normal HTTP context,
// runs wp_install(), sets up permalinks, self-destructs, and redirects to login.
// The mu-plugin (planted in step 7) activates SocietyPress on first admin load.
$log[] = 'Redirecting to WordPress installation...';
$_SESSION['sp_install_log'] = $log;
// WHY: Hand the admin password to the bridge script via the server-side
// session instead of embedding it in the generated PHP file. The browser
// carries the session cookie to the bridge on the redirect below; the
// bridge reads and unsets it. This keeps the plaintext password off disk.
$_SESSION['sp_bridge_pass'] = $admin_pass;
// WHY a bare relative Location: the bridge script is a sibling of this
// installer in the same directory, so a relative target ("sp-bridge-
// install.php") is unambiguous to the browser and valid per RFC 7231.
// This avoids depending on $_SERVER['SCRIPT_NAME'], which can be wrong on
// Nginx/cPanel and is influenceable on some proxy/CGI setups — a path we
// don't want the install-bridge token riding on.
// The token is appended so only this redirect can trigger the bridge script.
header( 'Location: sp-bridge-install.php?token=' . urlencode( $bridge_token ) );
exit;
}
// ============================================================================
// STEP 4: COMPLETION PAGE
// ============================================================================
/**
* Show the success page after installation.
*/
function sp_installer_show_complete(): void {
$admin_url = $_SESSION['sp_admin_url'] ?? '/wp-admin/';
$site_url = $_SESSION['sp_site_url'] ?? '/';
$log = $_SESSION['sp_install_log'] ?? [];
// WHY a scheme guard: htmlspecialchars stops HTML injection but not a
// javascript: URL used as an href. esc_url() isn't available here (WordPress
// isn't loaded in the bare installer), so reject anything that isn't a
// root-relative path or an http/https URL and fall back to safe defaults.
$sp_safe_href = static function ( string $url, string $fallback ): string {
if ( $url === '' ) {
return $fallback;
}
if ( $url[0] === '/' && ( ! isset( $url[1] ) || $url[1] !== '/' ) ) {
return $url; // root-relative path, e.g. /wp-admin/
}
if ( preg_match( '#^https?://#i', $url ) ) {
return $url;
}
return $fallback;
};
$admin_url = $sp_safe_href( (string) $admin_url, '/wp-admin/' );
$site_url = $sp_safe_href( (string) $site_url, '/' );
// Clear session data
unset( $_SESSION['sp_install_complete'], $_SESSION['sp_install_log'],
$_SESSION['sp_admin_url'], $_SESSION['sp_site_url'] );
sp_installer_render_page( 'Installation Complete!', function () use ( $admin_url, $site_url, $log ) {
?>
🎉
SocietyPress is ready!
Your site is installed and configured. The SocietyPress setup wizard will guide you
through the rest — your organization details, membership settings, and design choices.
Go to Your Dashboard →
or visit your new site
Installation Log
$fp,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_MAXREDIRS => 5,
CURLOPT_TIMEOUT => 300,
CURLOPT_SSL_VERIFYPEER => true,
CURLOPT_USERAGENT => 'SocietyPress-Installer/1.0',
// CURLOPT_MAXFILESIZE checks the Content-Length header (when
// present) up front and aborts early. CURLOPT_PROGRESSFUNCTION
// catches servers that omit Content-Length by aborting once the
// running total crosses the cap.
CURLOPT_MAXFILESIZE => $max_bytes,
CURLOPT_NOPROGRESS => false,
CURLOPT_PROGRESSFUNCTION => function ( $resource, $dl_total, $dl_now, $ul_total, $ul_now ) use ( $max_bytes ) {
return ( $dl_now > $max_bytes ) ? 1 : 0; // non-zero return aborts
},
] );
$success = curl_exec( $ch );
$code = curl_getinfo( $ch, CURLINFO_HTTP_CODE );
curl_close( $ch );
fclose( $fp );
if ( $success && $code >= 200 && $code < 400 && filesize( $dest ) > 1000 && filesize( $dest ) <= $max_bytes ) {
return true;
}
@unlink( $dest );
}
// Fallback to file_get_contents
if ( ini_get( 'allow_url_fopen' ) ) {
// WHY explicit ssl context: PHP stream wrappers don't enable peer
// verification by default unless openssl.cafile / curl.cainfo is
// set in php.ini, which most shared hosts don't. Force-on here so
// a MITM can't slip a crafted bundle past us via the fallback path.
$ctx = stream_context_create( [
'http' => [
'timeout' => 300,
'user_agent' => 'SocietyPress-Installer/1.0',
'follow_location' => true,
],
'ssl' => [
'verify_peer' => true,
'verify_peer_name' => true,
],
] );
$data = @file_get_contents( $url, false, $ctx, 0, $max_bytes + 1 );
if ( $data && strlen( $data ) > 1000 && strlen( $data ) <= $max_bytes ) {
return (bool) file_put_contents( $dest, $data );
}
}
return false;
}
/**
* Download a URL and return the content as a string.
*/
function sp_installer_download_string( string $url ): ?string {
// WHY a 1 MB cap: the only callers are the WordPress salt API (~1 KB) and
// the GitHub releases API (< 100 KB). A compromised or misbehaving endpoint
// returning a multi-megabyte body would otherwise grow unbounded in memory
// until the limit or timeout fires. 1 MB is far above any legitimate size.
$max_bytes = 1024 * 1024;
if ( function_exists( 'curl_init' ) ) {
$ch = curl_init( $url );
curl_setopt_array( $ch, [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_MAXREDIRS => 5,
CURLOPT_TIMEOUT => 30,
CURLOPT_SSL_VERIFYPEER => true,
CURLOPT_USERAGENT => 'SocietyPress-Installer/1.0',
CURLOPT_MAXFILESIZE => $max_bytes,
] );
$result = curl_exec( $ch );
curl_close( $ch );
if ( $result ) return $result;
}
if ( ini_get( 'allow_url_fopen' ) ) {
// WHY: same as above — explicit peer verification on the stream
// fallback so we don't quietly skip TLS validation when shared-host
// php.ini doesn't set openssl.cafile.
$ctx = stream_context_create( [
'ssl' => [
'verify_peer' => true,
'verify_peer_name' => true,
],
] );
$result = @file_get_contents( $url, false, $ctx, 0, $max_bytes );
if ( $result ) return $result;
}
return null;
}
/**
* POST to a URL and return the response body as a string.
* Used to submit the WordPress install form programmatically.
*/
function sp_installer_download_string_post( string $url, array $data ): ?string {
if ( function_exists( 'curl_init' ) ) {
$ch = curl_init( $url );
curl_setopt_array( $ch, [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query( $data ),
CURLOPT_TIMEOUT => 60,
CURLOPT_SSL_VERIFYPEER => true,
CURLOPT_USERAGENT => 'SocietyPress-Installer/1.0',
] );
$result = curl_exec( $ch );
curl_close( $ch );
if ( $result ) return $result;
}
if ( ini_get( 'allow_url_fopen' ) ) {
$ctx = stream_context_create( [
'http' => [
'method' => 'POST',
'header' => 'Content-Type: application/x-www-form-urlencoded',
'content' => http_build_query( $data ),
'timeout' => 60,
],
'ssl' => [
'verify_peer' => true,
'verify_peer_name' => true,
],
] );
$result = @file_get_contents( $url, false, $ctx );
if ( $result ) return $result;
}
return null;
}
/**
* Get the latest release ZIP URL from GitHub.
*/
function sp_installer_get_github_release_url(): ?string {
$api_url = 'https://api.github.com/repos/' . SP_INSTALLER_GITHUB_REPO . '/releases/latest';
$json = sp_installer_download_string( $api_url );
if ( ! $json ) return null;
$data = json_decode( $json, true );
return $data['zipball_url'] ?? null;
}
/**
* Recursively remove a directory.
*/
function sp_installer_rmdir( string $dir ): void {
if ( ! is_dir( $dir ) ) return;
$items = new RecursiveIteratorIterator(
new RecursiveDirectoryIterator( $dir, RecursiveDirectoryIterator::SKIP_DOTS ),
RecursiveIteratorIterator::CHILD_FIRST
);
foreach ( $items as $item ) {
if ( $item->isDir() ) {
@rmdir( $item->getPathname() );
} else {
@unlink( $item->getPathname() );
}
}
@rmdir( $dir );
}
/**
* Show an error page and stop.
*/
function sp_installer_die( string $title, string $message ): void {
// WHY: If we already renamed .htaccess to .htaccess.sp-bak (so the bridge
// script could be reached over HTTP) and then hit a fatal error before the
// bridge ran its own cleanup, the site is left with no rewrite rules and
// every URL 404s on Apache. Restore the backup before showing the error.
$htaccess_bak = __DIR__ . '/.htaccess.sp-bak';
if ( file_exists( $htaccess_bak ) && ! file_exists( __DIR__ . '/.htaccess' ) ) {
@rename( $htaccess_bak, __DIR__ . '/.htaccess' );
}
sp_installer_render_page( $title, function () use ( $message ) {
echo '';
// WHY htmlspecialchars: most callers pass static literals, but a few
// include dynamic content (like raw mysqli error messages, server
// version strings, or paths). Escaping here means no caller can
// accidentally inject unescaped output into the page.
echo '
' . htmlspecialchars( $message, ENT_QUOTES, 'UTF-8' ) . '
';
echo '
Go Back ';
} );
exit;
}
/**
* Render a full HTML page with SocietyPress branding.
*
* WHY: Every page the installer shows should look professional and on-brand.
* This is Harold's first impression of SocietyPress — it needs to feel polished
* and trustworthy, not like a raw PHP script.
*/
function sp_installer_render_page( string $title, callable $content ): void {
?>
<?php echo htmlspecialchars( $title , ENT_QUOTES, 'UTF-8'); ?> — SocietyPress Installer