builtnorth/wp-baseline
======================

Adds baseline functionality to WordPress, for example security features, admin cleanup, SVG sanitization, and more.

v3.2.3 (2mo ago) | 196 | [1 issues](https://github.com/builtnorth/wp-baseline/issues) | GPL-2.0-or-later | PHP | PHP >=8.0 | CI passing

Since Sep 7 | Pushed 2mo ago

[Source](https://github.com/builtnorth/wp-baseline) | [Packagist](https://packagist.org/packages/builtnorth/wp-baseline)

WP Baseline
===========

WP Baseline is a Composer package that provides baseline functionality for WordPress. Some of the functionality includes:

- Cleanup of unnecessary WordPress features
- Enhanced security measures
- SVG upload support with sanitization
- Cleanup of the admin dashboard
- Duplicate post/page functionality

Requirements
------------

- PHP >= 8
- WordPress >= 6

Installation & Usage
--------------------

This library is meant to be dropped into a theme or plugin via Composer.

1. In your WordPress project directory, run: `composer require builtnorth/wp-baseline`.
2. In your main plugin file or theme's functions.php, add:

```
if (class_exists('BuiltNorth\WPBaseline\App')) {
    $baseline = BuiltNorth\WPBaseline\App::instance();
    $baseline->boot();
}
```

Features
--------

### Disable Comments

Comments remain enabled by default. To disable them, set this filter to return true:

```
add_filter('wpbaseline_disable_comments', '__return_true');
```

When comments are disabled, WP Baseline comprehensively removes all comment functionality:

**Backend Changes:**

- Removes comment support from all post types
- Closes comments on all existing posts
- Removes Comments menu from admin
- Removes Discussion settings page
- Removes comment widgets from dashboard
- Redirects comment admin pages to dashboard
- Removes comment link from admin bar
- Disables comment REST API endpoints

**Frontend Changes:**

- Disables comment feeds
- Removes Recent Comments widget
- Dequeues comment reply scripts
- Removes discussion panel from block editor

**Block Editor:**

- Removes all comment-related blocks including:
    - Comment templates and content
    - Comment forms and reply links
    - Comment pagination
    - Latest comments
    - Post comment counts and links

### Howdy Text

By default the "Howdy" text is removed from the admin bar. You can customize this and add your own text using the following filter:

```
add_filter('wpbaseline_howdy_text', function ($text) {
    return 'Hey,';
});
```

### Admin Bar

By default the WP logo, search, and updates nodes are removed from the admin bar. They can be re-enabled using the following filter:

```
add_filter('wpbaseline_clean_admin_bar', '__return_false');
```

### Dashboard Widgets

Most core dashboard widgets are removed. They can be re-enabled using the following filter:

```
add_filter('wpbaseline_remove_dashboard_widgets', '__return_false');
```

### Emojis

Emojis are disabled. They can be re-enabled using the following filter:

```
add_filter('wpbaseline_disable_emojis', '__return_false');
```

### Auto Update Emails

Auto-update emails are disabled. Additionally, the "from" name in the email is customized based on the site name. To revert to the default behavior, use this filter:

```
add_filter('wpbaseline_disable_update_emails', '__return_false');
```

### Asset Version Numbering

WordPress adds a version query argument to all enqueued assets by default. This exposes the version number, which can be a security risk. By default, WP Baseline replaces the version number with the `filemtime` of the theme's style.css file, falling back to `date('Ymd')`. You can instead set a custom version by defining a constant in your theme or plugin and returning its name from this filter:

```
define('YOUR_THEME_VERSION', '1.2.9');
add_filter('wpbaseline_asset_version_constant', function () {
    return 'YOUR_THEME_VERSION';
});
```
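
A check for assets that still disclose a version after the replacement is in place, written as an added example rather than code from WP Baseline. The function name, the HTML fragment and the version string `9.9.9` are constructed; on a real site the list would hold the installed WordPress version.

```php
<?php
// Added example (not WP Baseline code). Function name, HTML and the version
// string are constructed for illustration.

/**
 * Return asset URL => ver value for every <script>/<link> whose ?ver=
 * equals one of the version strings that should not be disclosed.
 */
function find_version_leaks(string $html, array $sensitiveVersions): array
{
    $leaks = [];
    $pattern = '/<(?:script|link)\b[^>]*\b(?:src|href)=["\']([^"\']+)["\']/i';
    preg_match_all($pattern, $html, $matches);
    foreach ($matches[1] as $rawUrl) {
        // WordPress escapes "&" inside attribute values as "&#038;".
        $url = html_entity_decode($rawUrl, ENT_QUOTES | ENT_HTML5);
        $query = parse_url($url, PHP_URL_QUERY);
        if (!is_string($query)) {
            continue; // no query string, or a URL parse_url() rejects
        }
        parse_str($query, $args);
        $ver = $args['ver'] ?? null;
        if (is_string($ver) && in_array($ver, $sensitiveVersions, true)) {
            $leaks[$url] = $ver;
        }
    }
    return $leaks;
}

// Constructed page fragment: one asset versioned by file timestamp, two
// still carrying the (made-up) release number 9.9.9.
$html = <<<'HTML'
<link rel="stylesheet" href="/wp-content/themes/example/style.css?ver=1718000000">
<script src="/wp-includes/js/example.min.js?ver=9.9.9"></script>
<script src="/wp-content/plugins/example/app.js?x=1&#038;ver=9.9.9"></script>
HTML;
print_r(find_version_leaks($html, ['9.9.9']));
```

An empty result for the rendered front page means no enqueued asset carries the listed version in its `ver` argument.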

### Security Headers

WP Baseline implements security headers by default for enhanced security. These include:

- Content Security Policy (CSP)
- X-Content-Type-Options
- X-Frame-Options
- And more...

To disable all security headers:

```
add_filter('wpbaseline_enable_security_headers', '__return_false');
```

To modify specific headers or CSP rules, use these filters:

```
// Modify security headers
add_filter('wpbaseline_security_headers', function($headers) {
    // Customize headers
    $headers['X-Frame-Options'] = 'DENY';
    return $headers;
});
```
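
To confirm what a site actually sends after the headers are enabled or customized through the filter above, the response can be audited. This is an added example, not WP Baseline code; the function names and the sample header lines are constructed for illustration.

```php
<?php
// Added example (not WP Baseline code). Function names and the sample
// header lines are constructed for illustration.

/** Group "Name: value" lines into lowercase-name => list of values. */
function group_header_lines(array $lines): array
{
    $grouped = [];
    foreach ($lines as $line) {
        if (!str_contains($line, ':')) {
            continue; // status line such as "HTTP/1.1 200 OK"
        }
        [$name, $value] = explode(':', $line, 2);
        $grouped[strtolower(trim($name))][] = trim($value);
    }
    return $grouped;
}

/** Return findings; an empty array means every check passed. */
function audit_security_headers(array $lines): array
{
    $h = group_header_lines($lines);
    $findings = [];
    $nosniff = array_map('strtolower', $h['x-content-type-options'] ?? []);
    if (!in_array('nosniff', $nosniff, true)) {
        $findings[] = 'X-Content-Type-Options is missing or not "nosniff"';
    }
    // A header set by both PHP and the web server appears twice.
    $xfo = array_unique(array_map('strtoupper', $h['x-frame-options'] ?? []));
    if (count($xfo) !== 1) {
        $findings[] = 'X-Frame-Options is missing or has conflicting values';
    } elseif (!in_array(reset($xfo), ['DENY', 'SAMEORIGIN'], true)) {
        $findings[] = 'X-Frame-Options is not DENY or SAMEORIGIN';
    }
    if (empty($h['content-security-policy'])) {
        $findings[] = 'Content-Security-Policy is missing';
    }
    return $findings;
}

// Constructed sample, in the shape get_headers($url) returns.
$sample = [
    'HTTP/1.1 200 OK',
    'X-Content-Type-Options: nosniff',
    'X-Frame-Options: DENY',
    'X-Frame-Options: SAMEORIGIN',
];
print_r(audit_security_headers($sample));
```

The sample yields two findings: the conflicting `X-Frame-Options` values and the missing Content Security Policy.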

### Login Security

The following items have been added to enhance login security:

- Prevents username login
- Returns a generic login error message
- Disables autocomplete for login fields

To disable login security enhancements, use the following filter:

```
add_filter('wpbaseline_login_security', '__return_false');
```

### REST API User Endpoints

REST API user endpoints are restricted to users with the `list_users` capability by default. To disable this restriction and make the user endpoint publicly accessible again, use this filter:

```
add_filter('wpbaseline_disable_user_rest_endpoints', '__return_false');
```

### XMLRPC

XMLRPC is disabled by default. To re-enable it, use the following filter:

```
add_filter('wpbaseline_disable_xmlrpc', '__return_false');
```

### SVG Support

Adds support for SVG uploads. SVGs are automatically sanitized on upload using the [enshrined/svg-sanitize](https://github.com/darylldoyle/svg-sanitizer) library, which removes potentially malicious content.

To disable SVG support, use the following filter:

```
add_filter('wpbaseline_enable_svg_uploads', '__return_false');
```

### Additional MIME Types

Support for JSON and Lottie file uploads is available but disabled by default for security.

To enable JSON uploads:

```
add_filter('wpbaseline_enable_json_uploads', '__return_true');
```

To enable JSON sanitization (optional, off by default):

```
add_filter('wpbaseline_sanitize_json_uploads', '__return_true');
```

To enable Lottie uploads:

```
add_filter('wpbaseline_enable_lottie_uploads', '__return_true');
```

To disable Lottie validation:

```
add_filter('wpbaseline_validate_lottie_uploads', '__return_false');
```

To customize Lottie file size limit (default: 10MB):

```
add_filter('wpbaseline_lottie_max_file_size', function() {
    return 5 * 1024 * 1024; // 5MB
});
```

### Duplicate Post

Adds a "Duplicate" action to post and page row actions, allowing users to quickly create copies of existing content. Duplicated posts are created as drafts and include all content, meta fields, and taxonomies.

The feature is enabled by default for all post types. To customize or disable:

```
// Disable duplicate post functionality entirely
add_filter('wp_baseline_duplicate_post_config', function($config) {
    $config['enabled'] = false;
    return $config;
});

// Limit to specific post types
add_filter('wp_baseline_duplicate_post_config', function($config) {
    $config['post_types'] = ['post', 'page', 'product'];
    return $config;
});

// Disable for specific post types
add_filter('wp_baseline_duplicate_post_config', function($config) {
    // Get all public post types
    $post_types = get_post_types(['public' => true]);
    // Remove the ones you don't want
    unset($post_types['attachment']);
    $config['post_types'] = array_keys($post_types);
    return $config;
});
```

When a post is duplicated:

- The new post is created as a draft with "(Copy)" appended to the title
- All custom fields and meta data are copied
- All taxonomies (categories, tags, etc.) are preserved
- The user stays on the posts list with a success message
- A link to edit the duplicate is provided in the success notice

Disclaimer
----------

This software is provided "as is", without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose and noninfringement. In no event shall the authors or copyright holders be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, arising from, out of or in connection with the software or the use or other dealings in the software.

Use of this library is at your own risk. The authors and contributors of this project are not responsible for any damage to your website or any loss of data that may result from the use of this library.

While we strive to keep this library up-to-date and secure, we make no guarantees about its performance, reliability, or suitability for any particular purpose. Users are advised to thoroughly test the library in a safe environment before deploying it to a live site.

By using this library, you acknowledge that you have read this disclaimer and agree to its terms.

### Health Score

37 (Low; better than 83% of packages)

- Maintenance: 66 (regular maintenance activity)
- Popularity: 12 (limited adoption so far)
- Community: 8 (small or concentrated contributor base)
- Maturity: 52 (maturing project, gaining track record)
- Bus factor: 1 (top contributor holds 95.2% of commits; single point of failure)

### Release Activity

- Cadence: every ~50 days (recently: every ~56 days)
- Total: 12
- Last release: 67d ago
- Major versions: V1.2.0 → v2.0.0 (2024-10-24); v2.2.1 → 3.0.0 (2025-07-13)
- PHP version history (2 changes): v1.1.0 PHP >=8.1; v3.2.3 PHP >=8.0

### Community

- Maintainers: [dannorthern](/maintainers/dannorthern)
- Top contributors: [dannorthern](https://github.com/dannorthern) (80 commits), [actions-user](https://github.com/actions-user) (4 commits)
- Tags: composer, composer-library, composer-package, core-functionality, wordpress

### Code Quality

- Tests: PHPUnit

