PHPackages enlivenapp/pubvana - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. enlivenapp/pubvana ActiveProject enlivenapp/pubvana ================== Pubvana CMS v2 — a modern blogging and content management system built on CodeIgniter 4 and Shield. v2.3.5(1mo ago)204018MITPHPPHP ^8.2CI failing Since Mar 22Pushed 1mo ago5 watchersCompare [ Source](https://github.com/enlivenapp/pubvana)[ Packagist](https://packagist.org/packages/enlivenapp/pubvana)[ Docs](https://github.com/enlivenapp/pubvana)[ RSS](/packages/enlivenapp-pubvana/feed)WikiDiscussions master Synced yesterday READMEChangelog (10)Dependencies (30)Versions (31)Used By (0) Pubvana ======= [](#pubvana) [![License: MIT](https://camo.githubusercontent.com/8bb50fd2278f18fc326bf71f6e88ca8f884f72f179d3e555e20ed30157190d0d/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f6c6963656e73652d4d49542d677265656e2e737667)](LICENSE)[![Release](https://camo.githubusercontent.com/73587e5b63ed733c4c75f69d647fad8fb5790b10e6653ce9a3d3fc060847ac82/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f72656c656173652d76322e332e352d626c7565)](https://github.com/enlivenapp/pubvana/releases)[![PHP](https://camo.githubusercontent.com/0f16581d1180dbfd4c0e13166ec1267d4ad2f2fab8281ea6d6b284cf5c65d921/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f5048502d382e322532422d626c75652e737667)](https://www.php.net)[![CodeIgniter](https://camo.githubusercontent.com/1ac9addae485e508aa98350b6f247138e570260ef951b3b34a990af610f3f57a/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f436f646549676e697465722d342e372d6f72616e67652e737667)](https://codeigniter.com)[![Installs](https://camo.githubusercontent.com/8633b53725210610164eefa2a7e87a307c0e7805930142d2f02e1bad8a21c885/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f64742f656e6c6976656e6170702f70756276616e612e737667)](https://packagist.org/packages/enlivenapp/pubvana)[![Stars](https://camo.githubusercontent.com/eef0f1d99d6aff5d651a508cdb5c890d179a82c3ae9a2f9afdca15d01bb3cfbc/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f73746172732f656e6c6976656e6170702f70756276616e613f7374796c653d666c6174)](https://github.com/enlivenapp/pubvana/stargazers)[![Contributions Welcome](https://camo.githubusercontent.com/382079383bf5ec051cfa878df7b3d9a70a5f5052e573c67033d4d3f7e376a6d4/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f636f6e747269627574696f6e732d77656c636f6d652d627269676874677265656e2e737667)](https://github.com/enlivenapp/pubvana/issues) ### Blogging and Small Business CMS [](#blogging-and-small-business-cms) Pubvana v2 is a full rewrite of Pubvana v1.x built on CodeIgniter 4, Authentication with Shield, a modern admin UI, dual content editors, theme, plugin & widget system, built-in marketplace, and many new features. We aim for Pubvana to be lean and fast without the bloat of other CMS and Blog software available. These instructions are for users comfortable with the command line and terminal. If you'd prefer a streamlined, no command line experience, [Download from GitHib](https://github.com/enlivenapp/Pubvana-Web-Installer) or [Pubvana.net](https://pubvana.net). ### For Developers [](#for-developers) Developers looking to build themes or widgets for Pubvana can find everything they need in these guides: - **[ThemeBuilder.md](BuilderDocs/ThemeBuilder.md)** — Complete theme development guide - **[WidgetBuilder.md](BuilderDocs/WidgetBuilder.md)** — Complete widget development guide - **[PluginBuilder.md](BuilderDocs/PluginBuilder.md)** — Complete plugin development guide - **[ThirdPartyAddons.md](BuilderDocs/ThirdPartyAddons.md)** — Third-party addon distribution, licensing, and API protocol - **[CssClassReference.md](BuilderDocs/CssClassReference.md)** — Complete `cls_*` CSS class variable reference Installation ------------ [](#installation) ### 1. Prerequisites [](#1-prerequisites) Before installing, make sure you have: - PHP 8.2+ with required extensions (see Requirements below) - Composer (getcomposer.org) - MySQL 5.7+ or MariaDB 10.3+ - A web server (Apache with mod\_rewrite, or Nginx) Create an empty MySQL database and a user with full privileges on it. You'll need the database name, username, and password for the next steps. ### 2. Download [](#2-download) **For Production** : for site owners deploying Pubvana as is: Navigate to the directory you wish to use for the project root. ``` cd ~/public_html/ ``` Install Pubvana from Packagist. (Note the '.' to install into your current directory) ``` composer create-project enlivenapp/pubvana . ``` **For Development** : for contributors who want to run tests, build additional features and work on the codebase: ``` git clone https://github.com/enlivenapp/pubvana.git cd pubvana composer install ``` The remaining steps apply to production and development environments. ### 3. Configure [](#3-configure) Open the sample environment file in a text editor or Vim/Nano: ``` Edit these lines at a minimum: (uncomment (remove #)) CI_ENVIRONMENT = production # or development app.baseURL = 'https://your-domain.com/' database.default.hostname = localhost database.default.database = your_database_name database.default.username = your_database_user database.default.password = your_database_password Set CI_ENVIRONMENT to production for a live site or development for local work. Leaving this commented defaults to the production environment ``` Save this file as `.env` ### 4. Initialize [](#4-initialize) On the command line run these commands separately. ``` php spark key:generate php spark migrate --all php spark db:seed DatabaseSeeder ``` Then create your admin user: ``` php spark shield:user create -n yourusername -e you@example.com php spark shield:user password -e you@example.com php spark shield:user addgroup -e you@example.com -g superadmin ``` The first command creates the account, the second prompts you to set a password, and the third assigns the superadmin role. ### 5. Web Server [](#5-web-server) Point your web server to the `public/` folder either by editing your available sites in Apache, or Nginx config. if you use Apache or Litespeed, your site should be available at `https://your-server/path-to-pubvana` with the provided ,htaccess files. You should see the homepage of your new website. ### 6. Log In [](#6-log-in) Visit `https://your-server/login` and sign in with the admin credentials you created in step 4. ### 7. File and Directory Structure [](#7-file-and-directory-structure) Your web host serves files from the directory where `index.php` lives [Detailed Information](https://codeigniter.com/user_guide/installation/running.html#hosting-with-apache). Pubvana uses the default CodeIgniter `~DOC_ROOT/public/` setup and attempts to forward traffic to `/public/index.php` with clean URLs. To increase security or if an `.htaccess` won't be honored (Nginx), you can change where these files reside on the server or edit your Nginx config file. Check the link above for detailed information how to move core files outside the web root, `index.php` into the root folder `public_html` on shared servers. ### 8. Theme Assets and Media [](#8-theme-assets-and-media) **Theme Assets and Media:** Theme assets and media uploads are stored inside the web server's document root automatically. No symlinks are needed. Visit **Admin → Themes** to ensure theme assets are published. Quick troubleshooting: If `writable/sessions`, `writable/cache`, and `writable/logs` are not writable by the web user, CodeIgniter will give the `white screen of death` when the environment is set to production. You may find the exact reason in the web server's logs (not CodeIgniter's). If you're having significant trouble diagnosing the issue, set `CI_ENVIRONMENT = development` temporarily in your `.env` file which will show the debug bar and (likely) the exception causing the issue. [CodeIgniter Doc - Running Your App](https://codeigniter.com/user_guide/installation/running.html#) | [CodeIgniter Troubleshooting](https://codeigniter.com/user_guide/installation/troubleshooting.html) CLI Commands ------------ [](#cli-commands) CommandDescription`php spark cron minute`Run per-minute tasks (publish scheduled posts, plugin minute crons)`php spark cron quarterday`Run 4x/day tasks (plugin quarterday crons)`php spark cron daily`Run daily tasks (auto-update, broken link check, license revalidation, plugin daily crons)`php spark wp:import `Import posts/pages/tags from a WordPress WXR export file`php spark posts:publish`Publish scheduled posts (also called by `cron minute`)`php spark links:check`Scan all published posts and pages for broken external links`php spark marketplace:revalidate`Re-validate installed premium item licences against pubvana.net`php spark pubvana:update [--dry-run]`Check for and apply Pubvana core updates### Cron Jobs [](#cron-jobs) Pubvana uses a unified `cron` command with three frequencies. Add these to your crontab: ``` * * * * * /path/to/php /path/to/pubvana/spark cron minute >> /dev/null 2>&1 0 */6 * * * /path/to/php /path/to/pubvana/spark cron quarterday >> /dev/null 2>&1 0 3 * * * /path/to/php /path/to/pubvana/spark cron daily >> /dev/null 2>&1 ``` Often it's easier to create Crons in your web control panel (CPanel/DirectAdmin). To help: - `* * * * *` are the time slots - `/path/to/php /path/to/pubvana/spark cron minute` is the command to run - `>> /dev/null 2>&1` discards output — your control panel may have its own options for this Active plugins can register their own cron commands under any frequency via `plugin_info.json` — they run automatically when the matching `cron` frequency fires. --- Requirements ------------ [](#requirements) - PHP 8.2+ - MySQL 5.7+ / MariaDB 10.3+ - Composer (highly recommended) - Apache `mod_rewrite` (or Nginx equivalent) - PHP extensions: `intl`, `mbstring`, `json`, `mysqlnd`, `gd`, `zip` Stack (v2) ---------- [](#stack-v2) LayerTechnologyFrameworkCodeIgniter 4.7+AuthenticationCodeIgniter Shield 1.3+Admin UISB Admin 2 (Bootstrap 4 + jQuery)Public Default themeBootstrap 5 + Font Awesome 6HTML editorSummernoteMarkdown editorEasyMDEFeatures (v2) ------------- [](#features-v2) - Posts & Pages with draft/published/scheduled workflow - Dual content editor — WYSIWYG HTML or Markdown, selectable per post - Theme system with sandboxed .tpl engine, widget areas, theme options, and framework-agnostic widgets - 8 built-in widgets with drag-and-drop area management - Configurable front page — blog index or any static page - Marketplace — browse and install free themes & widgets (live API + cache + mock fallback) - Role-based access — superadmin, admin, editor, author, subscriber - Media library with auto-generated thumbnails - Navigation manager with drag-and-drop reordering - Comment moderation — approve, spam, or trash - SEO — per-post meta, sitemap.xml, RSS feed, Google Analytics - 301/302 redirect manager - Social links manager - Author profiles with bio cards on posts - Social OAuth login (Google, Facebook) - Social auto-share on publish (Twitter, Facebook) - WP importer (admin UI + `php spark wp:import` CLI) - Post revision history with one-click restore Security -------- [](#security) ### Reporting a Vulnerability [](#reporting-a-vulnerability) Please **do not** open a public issue for security vulnerabilities. Email security reports to ****. We aim to respond within 48 hours and will credit reporters in the changelog. ### hCaptcha (Spam Protection) [](#hcaptcha-spam-protection) Pubvana uses [hCaptcha](https://www.hcaptcha.com) (privacy-respecting) to protect comment forms and the contact form from spam bots. hCaptcha is free for most sites. **Setup:** 1. Sign up at [hcaptcha.com](https://www.hcaptcha.com) (free) 2. Create a new site and copy the site key and secret key 3. Add to your setting in the Admin Panel: ``` HCAPTCHA_SITE_KEY = your-site-key HCAPTCHA_SECRET_KEY = your-secret-key ``` If these keys are not set, hCaptcha is silently skipped — safe for local development. Once configured, the widget appears automatically on the comment form and contact page. --- ### Production Hardening Checklist [](#production-hardening-checklist) Before deploying to a public server: - Set `CI_ENVIRONMENT = production` in `.env` — disables stack traces and debug output - Use a strong password for your admin account - Set `app.baseURL` to your actual domain in `.env` - Set `app.forceGlobalSecureRequests = true` in `app/Config/App.php` to enforce HTTPS and send HSTS headers - Enable CSP: set `app.CSPEnabled = true` in `app/Config/App.php` and configure a policy appropriate to your theme - Note, this is often tricky to get right. - Verify your web server's DocumentRoot points to `public/` if possible, this keeps `writable/` (sessions, cache, logs) outside the web root automatically - Ensure `.env` has permissions `600` and is not committed to version control - Run `php spark key:generate` once per installation — do not reuse encryption keys across sites ### Content Security Note [](#content-security-note) Post, page, and widget content is stored and rendered as raw HTML. This is intentional — administrators are trusted to write HTML directly. If your site allows editors or authors to submit HTML content, consider adding server-side HTML sanitization (e.g. [HTML Purifier](http://htmlpurifier.org/)) to your post-save pipeline before rendering untrusted content. ### Security Fixes Log [](#security-fixes-log) VersionFix2.2.3DB dump escaping fixed: replaced `escapeLikeString()` with `escape()` — old method could corrupt or expose data in backup SQL dumps2.2.2Theme and widget sandboxing: custom `.tpl` template engine with whitelisted filters and tag functions replaces raw PHP execution. No PHP files permitted in theme or widget directories — themes and widgets are pure `.tpl` templates + JSON manifests. PHP validation warnings shown in admin if violations detected. Eliminates arbitrary code execution via uploaded or modified themes/widgets.2.2.2CSRF fields exposed to theme templates; comment form uses proper CSRF tag2.2.0Honeypot spam protection re-enabled on comment and contact form POST routes; field name changed from `honeypot` to `website_url` to reduce bot evasion2.0.4Permissions overhaul: explicit `can()` checks on 14 admin controllers2.0.4Login-gated comments with rate limiting (5 per user per 10 minutes)2.0.4hCaptcha spam protection on comment and contact forms2.0.4Revisions: authors restricted to own post revisions only2.0.4Delete remember tokens on user ban to prevent cookie re-auth2.0.4Site owner protected from modification/deletion by non-owners2.0.2Marketplace ZIP installs: download URL restricted to `pubvana.net`; ZIP entries checked for path traversal2.0.2WordPress importer: switched to `LIBXML_NONET` to block XXE network fetches2.0.2User profile IDOR: `profile` and `saveProfile` now verify ownership or `users.manage` permission2.0.2Theme options: `options` and `saveOptions` now require `admin.themes` permission2.0.2Navigation: `store`, `delete`, `reorder` now require `admin.navigation` permission2.0.2Settings `.env` writer: key whitelist prevents arbitrary env key injection2.0.2Post list status filter validated against whitelist before use in query2.0.2Comment `parent_id` validated against same post to prevent cross-post injection2.0.2RSS feed: `]]>` escaped inside CDATA sections2.0.2WordPress import: 50 MB file size limit to prevent DoS via XML parse--- Bug Reports & Feature Requests ---------------------------------- [](#bug-reports--feature-requests) Please use the [Issues Tracker](https://github.com/enlivenapp/pubvana/issues). Links ----- [](#links) [pubvana.net](https://pubvana.net) — Home & Addon Store (Themes, Widgets, Plugins and easy installer) [User Docs](https://pubvana.net/pvdocs) [Facebook Page](https://www.facebook.com/pubvana.net) License ------- [](#license) Pubvana is released under the MIT Open Source License. Contributors ------------ [](#contributors) - Enliven Applications Translations ------------ [](#translations) *Translators Wanted!* Pubvana ships with 24 languages: English (source), Spanish (Latin American), French, Indonesian, Portuguese, and Slovak. French, Slovak, Indonesian, Bulgarian (bg), Bengali (bn), Czech (cs), German (de), Hindi (hi), Italian (it), Japanese (ja), Korean (ko), Lithuanian (lt), Dutch (nl), Polish (pl), Brazilian Portuguese (pt-BR), Russian (ru), Serbian (sr), Swedish (sv-SE), Turkish (tr), Ukrainian (uk), Chinese Simplified (zh) and Portuguese are partially or fully AI-translated and need verification from native speakers. If you would like to help verify or add translations, please fork this repo and send a PR. Many Thanks to the folks who've provided translation. It is very apprciated. - French — [Paul DUBOT](https://github.com/keeganpa), [Léonard GAURIAU](https://github.com/leoDisjonct), [Clément TRASSOUDAINE](https://github.com/intv0id), [Jean-Baptiste VALLADEAU](https://github.com/ignamarte), [Rhagngahr](https://github.com/Rhagngahr) - Indonesian — [Suhindra](https://github.com/suhindra) - Portuguese — [Samuel Fontebasso](https://github.com/fontebasso) - Slovak — Kristián Feldsam Roadmap / Todo -------------- [](#roadmap--todo) ### Pubvana Core [](#pubvana-core) **Built-in Widgets** - Recent Posts - Tag Cloud - Categories List - Archive List - Search Form - Social Links - Text Block - Recent Comments - Table of Contents - Related Posts **Platform Features** - Author Profiles & Bio Card - Social OAuth Login (Google, Facebook) - Social Auto-Share on Publish (Twitter, Facebook) - Marketplace API with cache + refresh - WordPress Importer (admin UI + `php spark wp:import` CLI) - Post Revision History - Maintenance Mode toggle - Core update notifications + `php spark pubvana:update` CLI - Content Preview Links (shareable draft URLs) - Bulk Post Actions (publish / unpublish / delete many) - Schema.org Markup (Article, BreadcrumbList, Author JSON-LD) - Image WebP Auto-Convert on Upload - Multi-language Support (22 languages, admin enable/disable, `{locale}` URL routing, `lang()` throughout views) - Honeypot Spam Protection (CI4 built-in filter on comment + contact forms) - Atom 1.0 Feed (`/atom` alongside existing RSS) - Links Manager / Blogroll (display a curated list of external links via widget) - Scheduled Post Queue (calendar view) - Content Analytics (page views, popular posts, referrers) - Advanced SEO (OG image generation, schema breadcrumbs, news sitemap) - Two-Factor Authentication (TOTP) - Backup & Export (DB + uploads zip) - Membership / Paywalled Posts - Affiliate Link Manager (`/go/` short links + click tracking) - Broken Link Checker - Activity / Audit Log - Author Bio widget - Ad Unit / Custom HTML widget - Social Follow Buttons widget **Todo** - Email Notifications / Subscriptions (subscribe to new posts, email verification, unsubscribe) **Premium Widgets** *(pubvana.net/store)* - Reading Progress Bar - Countdown Timer - Google Calendar & Maps - YouTube Channel Feed ( 1 video/widget) **Premium Plugins** *(pubvana.net/store)* - PvDocs - Documentation for User & Dev facing docs - Digital E-commerce (products, cart, checkout, orders) - Physical goods store (w/ drop shipping and delivery integration) - Enhanced Search (AJAX live preview) - Tip Jar / Per-post donations - Email Opt-in / Lead Capture - Gallery (masonry + lightbox) - Google Calendar & Maps - YouTube Channel Feed (fully searchable integration) ### Health Score 58 — FairBetter than 98% of packages Maintenance94 Actively maintained with recent releases Popularity24 Limited adoption so far Community12 Small or concentrated contributor base Maturity86 Battle-tested with a long release history Bus Factor1 Top contributor holds 100% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~101 days Recently: every ~0 days Total 30 Last Release 32d ago Major Versions 1.0.5 → v2.0.02026-02-23 PHP version history (2 changes)1.0.0PHP ^5.4 || ^7.0 v2.0.0PHP ^8.2 ### Community Maintainers ![](https://www.gravatar.com/avatar/fa73f32a0e94dd540ddda8ba82c8f4168a158b73844e37efd6393d5d5f937b49?d=identicon)[enlivenapp](/maintainers/enlivenapp) --- Top Contributors [![enlivenapp](https://avatars.githubusercontent.com/u/3036663?v=4)](https://github.com/enlivenapp "enlivenapp (170 commits)") --- Tags cmsblogcodeigniter4shield ### Code Quality TestsPHPUnit ### Embed Badge ![Health badge](/badges/enlivenapp-pubvana/health.svg) ``` [![Health](https://phpackages.com/badges/enlivenapp-pubvana/health.svg)](https://phpackages.com/packages/enlivenapp-pubvana) ``` ### Alternatives [microweber/microweber New generation CMS with drag and drop 3.4k13.8k1](/packages/microweber-microweber)[roots/wordpress WordPress is open source software you can use to create a beautiful website, blog, or app. 19116.9M258](/packages/roots-wordpress)[forkcms/forkcms Fork is an open source CMS that will rock your world. 1.2k44.5k](/packages/forkcms-forkcms)[roots/wordpress-no-content WordPress is open source software you can use to create a beautiful website, blog, or app. 1812.6M30](/packages/roots-wordpress-no-content)[jamesedmonston/graphql-authentication GraphQL authentication for your headless Craft CMS applications. 2917.0k](/packages/jamesedmonston-graphql-authentication) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)