inc/wpsetup.inc

wpinstall() {
    if [ ! -f /usr/bin/wp ]; then
      cecho "------------------------------------------------------------" $boldgreen
      cecho "Installing wpcli.sh" $boldyellow
      cecho "------------------------------------------------------------" $boldgreen
      if [ -d "${SCRIPT_DIR}/addons" ]; then
        cd ${SCRIPT_DIR}/addons      
      fi
      chmod +x wpcli.sh
      ./wpcli.sh install
    else
      cecho "------------------------------------------------------------" $boldgreen
      cecho "Update wp-cli tool" $boldyellow
      cecho "------------------------------------------------------------" $boldgreen
      if [ -d "${SCRIPT_DIR}/addons" ]; then
        cd ${SCRIPT_DIR}/addons      
      fi
      chmod +x wpcli.sh
      ./wpcli.sh update
    fi
}

installredisserver() {
  if [[ "$(ps -C redis-server | grep redis-server >/dev/null 2>&1; echo $?)" != '0' ]]; then
    echo
    echo "Install & Setup Redis Server from REMI YUM Repo"
    echo
    yum -y install redis --enablerepo=remi --disableplugin=priorities
    chkconfig redis on
    if [[ -z "$(grep '^vm.overcommit_memory' /etc/sysctl.conf)" ]]; then
      echo "vm.overcommit_memory = 1" >> /etc/sysctl.conf
      sysctl -p
    fi
    if [ -f /etc/redis.conf ]; then
      if [[ -z "$(grep '^maxmemory 111mb' /etc/redis.conf)" ]]; then
        echo "maxmemory 111mb" >> /etc/redis.conf
        grep '^maxmemory 111mb' /etc/redis.conf
        fi
      if [[ -z "$(grep '^maxmemory-policy allkeys-lru' /etc/redis.conf)" ]]; then
        echo "maxmemory-policy allkeys-lru" >> /etc/redis.conf
        grep '^maxmemory-policy allkeys-lru' /etc/redis.conf
      fi
      if [[ -z "$(grep '^maxmemory-samples 10' /etc/redis.conf)" ]]; then
        echo "maxmemory-samples 10" >> /etc/redis.conf
        grep '^maxmemory-samples 10' /etc/redis.conf
      fi
    fi
    service redis restart
    echo
    echo "Redis server installed with config file at /etc/redis.conf"
    echo
  fi
}

dbsetup() {
  SALT=$(/usr/bin/openssl rand -base64 14 | tr -dc 'a-zA-Z0-9')
  DBN=$RANDOM
  DBNB=$RANDOM
  DBNC=$RANDOM
  DBND=$RANDOM
  DBNE=$RANDOM
  DB="wp${DBNE}${DBN}db_${DBND}"
  DBUSER="wpdb${DBND}u${DBNB}"
  DBPASS="wpdb${SALT}p${DBNC}"
  mysqladmin create $DB
  mysql -e "CREATE USER $DBUSER@'localhost' IDENTIFIED BY '$DBPASS';"
  mysql -e "GRANT index, select, insert, delete, update, create, drop, alter, create temporary tables, execute, lock tables, create view, show view, create routine, alter routine, trigger ON ${DB}.* TO ${DBUSER}@'localhost'; FLUSH PRIVILEGES;"
}

wpinfo_notice() {
cecho "---------------------------------------------------------------" $boldyellow
cecho "Important Information" $boldgreen
cecho "---------------------------------------------------------------" $boldyellow
echo
echo "You are about to create an Wordpress based Nginx vhost site with"
echo "or without HTTPS/SSL support."
echo "Also read the continually updated Getting Started Guide"
echo "at centminmod.com/getstarted.html if you haven't already"
cecho "---------------------------------------------------------------" $boldyellow
echo "403 Permission denied message handling"
echo "if after vhost site setup you encounter 403 permission denied errors,"
echo "check https://community.centminmod.com/threads/11215/ to see if your"
echo "site needs tools/autoprotect.sh tweaking & whitelisting"
cecho "---------------------------------------------------------------" $boldyellow
if [[ "$LETSENCRYPT_DETECT" != [yY] ]]; then
echo "[ LETSENCRYPT_DETECT is not enabled ]"
echo "Ignore this message if you do not want HTTPS based web site otherwise"
echo "read below carefully."
echo
echo "Free letsencrypt SSL certificates integration is in beta testing if"
echo "you want to obtain free letsencrypt SSL certificate for HTTPS site,"
echo "you will need to manually enable LETSENCRYPT_DETECT='y' outlined"
echo "at https://centminmod.com/acmetool so exit this vhost routine first"
echo "set LETSENCRYPT_DETECT='y' and update domain DNS A record first"
echo "then re-run vhost site creation menu option"
cecho "---------------------------------------------------------------" $boldyellow
fi
# check mysql server is running
mysqladmin -s ping >/dev/null 2>&1
CHECKMYSQL_PING=$?
if [[ "$CHECKMYSQL_PING" -ne '0' ]]; then
  echo
  echo "!!  Error: MariaDB MySQL Server is not running  !!"
  echo "Please make sure MariaDB MySQL Server is running first"
  echo "aborting centmin.sh menu option 22 run..."
  exit
fi
echo
read -ep "Do you want to continue with Nginx vhost site creation ? [y/n] " dovhost_continue
echo

if [[ "$dovhost_continue" != [yY] ]]; then
  echo "aborting Wordpress + Nginx vhost setup..."
  exit
fi
}

sslvhost() {

cecho "---------------------------------------------------------------" $boldyellow
cecho "SSL Vhost Setup..." $boldgreen
cecho "---------------------------------------------------------------" $boldyellow
echo ""

if [[ "$(nginx -V 2>&1 | grep -Eo 'with-http_v2_module')" = 'with-http_v2_module' ]] && [[ "$(nginx -V 2>&1 | grep -Eo 'with-http_spdy_module')" = 'with-http_spdy_module' ]]; then
  HTTPTWO=y
  LISTENOPT='ssl spdy http2'
  COMP_HEADER='spdy_headers_comp 5'
  SPDY_HEADER='add_header Alternate-Protocol  443:npn-spdy/3;'
  # removed in nginx 1.19.7+
  # http://hg.nginx.org/nginx/rev/827202ca1269
  # http://hg.nginx.org/nginx/rev/f790816a0e87
  #HTTPTWO_MAXFIELDSIZE='http2_max_field_size 16k;'
  #HTTPTWO_MAXHEADERSIZE='http2_max_header_size 32k;'
  #HTTPTWO_MAXREQUESTS='http2_max_requests 50000;'
elif [[ "$(nginx -V 2>&1 | grep -Eo 'with-http_v2_module')" = 'with-http_v2_module' ]]; then
  HTTPTWO=y
  if [[ "$(grep -rn listen /usr/local/nginx/conf/conf.d/*.conf | grep -v '#' | grep 443 | grep ' ssl' | grep ' http2' | grep -o reuseport )" != 'reuseport' ]]; then
    # check if reuseport is supported for listen 443 port - only needs to be added once globally for all nginx vhosts
    NGXVHOST_CHECKREUSEPORT=$(grep --color -Ro SO_REUSEPORT /usr/src/kernels/* | head -n1 | awk -F ":" '{print $2}')
    if [[ "$NGXVHOST_CHECKREUSEPORT" = 'SO_REUSEPORT' ]]; then
      ADD_REUSEPORT=' reuseport'
    else
      ADD_REUSEPORT=""
    fi
    LISTENOPT="ssl http2${ADD_REUSEPORT}"
  else
    LISTENOPT='ssl http2'
  fi
  COMP_HEADER='#spdy_headers_comp 5'
  SPDY_HEADER='#add_header Alternate-Protocol  443:npn-spdy/3;'
  # removed in nginx 1.19.7+
  # http://hg.nginx.org/nginx/rev/827202ca1269
  # http://hg.nginx.org/nginx/rev/f790816a0e87
  #HTTPTWO_MAXFIELDSIZE='http2_max_field_size 16k;'
  #HTTPTWO_MAXHEADERSIZE='http2_max_header_size 32k;'
  #HTTPTWO_MAXREQUESTS='http2_max_requests 50000;'
else
  HTTPTWO=y
  LISTENOPT='ssl http2'
  COMP_HEADER='#spdy_headers_comp 5'
  SPDY_HEADER='#add_header Alternate-Protocol  443:npn-spdy/3;'
fi

if [ ! -f /usr/local/nginx/conf/ssl ]; then
  mkdir -p /usr/local/nginx/conf/ssl
fi

if [ ! -d /usr/local/nginx/conf/ssl/${vhostname} ]; then
  mkdir -p /usr/local/nginx/conf/ssl/${vhostname}
fi

# cloudflare authenticated origin pull cert
# setup https://community.centminmod.com/threads/13847/
if [ ! -d /usr/local/nginx/conf/ssl/cloudflare/${vhostname} ]; then
  mkdir -p /usr/local/nginx/conf/ssl/cloudflare/${vhostname}
  wget${ipv_forceopt_wget} $CLOUDFLARE_AUTHORIGINPULLCERT -O /usr/local/nginx/conf/ssl/cloudflare/${vhostname}/origin.crt
elif [ -d /usr/local/nginx/conf/ssl/cloudflare/${vhostname} ]; then
  wget${ipv_forceopt_wget} $CLOUDFLARE_AUTHORIGINPULLCERT -O /usr/local/nginx/conf/ssl/cloudflare/${vhostname}/origin.crt
fi

if [ ! -f /usr/local/nginx/conf/ssl_include.conf ]; then
cat > "/usr/local/nginx/conf/ssl_include.conf"<<EVS
ssl_session_cache      shared:SSL:10m;
ssl_session_timeout    60m;
ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;  
EVS
fi

cd /usr/local/nginx/conf/ssl/${vhostname}

cecho "---------------------------------------------------------------" $boldyellow
cecho "Generating self signed SSL certificate..." $boldgreen
cecho "CSR file can also be used to be submitted for paid SSL certificates" $boldgreen
cecho "If using for paid SSL certificates be sure to keep both private key and CSR safe" $boldgreen
cecho "creating CSR File: ${vhostname}.csr" $boldgreen
cecho "creating private key: ${vhostname}.key" $boldgreen
cecho "creating self-signed SSL certificate: ${vhostname}.crt" $boldgreen
sleep 9

if [[ -z "$SELFSIGNEDSSL_O" ]]; then
  SELFSIGNEDSSL_O="$vhostname"
else
  SELFSIGNEDSSL_O="$SELFSIGNEDSSL_O"
fi

if [[ -z "$SELFSIGNEDSSL_OU" ]]; then
  SELFSIGNEDSSL_OU="$vhostname"
else
  SELFSIGNEDSSL_OU="$SELFSIGNEDSSL_OU"
fi

if [[ "$SELFSIGNEDSSL_ECDSA" = [yY] ]]; then
  # self-signed ssl cert with SANs for ECDSA
cat > /tmp/reqecc.cnf <<EOF
[req]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt = no
[req_distinguished_name]
C = ${SELFSIGNEDSSL_C}
ST = ${SELFSIGNEDSSL_ST}
L = ${SELFSIGNEDSSL_L}
O = ${vhostname}
OU = ${vhostname}
CN = ${vhostname}
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${vhostname}
DNS.2 = www.${vhostname}
EOF

cat > /tmp/v3extecc.cnf <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = ${vhostname}
DNS.2 = www.${vhostname}
EOF

  openssl ecparam -out ${vhostname}.key -name prime256v1 -genkey
  openssl req -new -sha256 -key ${vhostname}.key -nodes -out ${vhostname}.csr -config /tmp/reqecc.cnf
  openssl x509 -req -days 36500 -sha256 -in ${vhostname}.csr -signkey ${vhostname}.key -out ${vhostname}.crt -extfile /tmp/v3extecc.cnf
  openssl x509 -noout -text < ${vhostname}.crt

  rm -f /tmp/reqecc.cnf
  rm -f /tmp/v3extecc.cnf
else
  # self-signed ssl cert with SANs
cat > /tmp/req.cnf <<EOF
[req]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt = no
[req_distinguished_name]
C = ${SELFSIGNEDSSL_C}
ST = ${SELFSIGNEDSSL_ST}
L = ${SELFSIGNEDSSL_L}
O = ${vhostname}
OU = ${vhostname}
CN = ${vhostname}
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${vhostname}
DNS.2 = www.${vhostname}
EOF

cat > /tmp/v3ext.cnf <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = ${vhostname}
DNS.2 = www.${vhostname}
EOF
  echo
  cat /tmp/req.cnf
  echo
  cat /tmp/v3ext.cnf
  echo
  openssl req -new -newkey rsa:2048 -sha256 -nodes -out ${vhostname}.csr -keyout ${vhostname}.key -config /tmp/req.cnf
  # openssl req -new -newkey rsa:2048 -sha256 -nodes -out ${vhostname}.csr -keyout ${vhostname}.key -subj "/C=${SELFSIGNEDSSL_C}/ST=${SELFSIGNEDSSL_ST}/L=${SELFSIGNEDSSL_L}/O=${vhostname}/OU=${vhostname}/CN=${vhostname}"
  openssl req -noout -text -in ${vhostname}.csr | grep DNS
  openssl x509 -req -days 36500 -sha256 -in ${vhostname}.csr -signkey ${vhostname}.key -out ${vhostname}.crt -extfile /tmp/v3ext.cnf
  # openssl req -x509 -nodes -days 36500 -sha256 -newkey rsa:2048 -keyout ${vhostname}.key -out ${vhostname}.crt -config /tmp/req.cnf
  
  rm -f /tmp/req.cnf
  rm -f /tmp/v3ext.cnf
fi


if [[ ! -f "$(find /usr/local/nginx/conf/ssl -type f -name "dhparam.pem" | head -n1)" ]]; then
  echo
  cecho "---------------------------------------------------------------" $boldyellow
  cecho "Generating dhparam.pem file - can take a few minutes..." $boldgreen 
  dhparamstarttime=$(TZ=UTC date +%s.%N) 
  openssl dhparam -out dhparam.pem 2048
  dhparamendtime=$(TZ=UTC date +%s.%N)
  DHPARAMTIME=$(echo "$dhparamendtime-$dhparamstarttime"|bc)
  cecho "dhparam file generation time: $DHPARAMTIME" $boldyellow
else
  echo
  cecho "---------------------------------------------------------------" $boldyellow
  cecho "Copy/setup dhparam.pem file..." $boldgreen
  cp -a "$(find /usr/local/nginx/conf/ssl -type f -name "dhparam.pem" | head -n1)" .
fi

}

wpacctsetup() {
PUREUSER=nginx
PUREGROUP=nginx
    if [ "$SECOND_IP" ]; then
      CNIP="$SECOND_IP"
    else
      CNIP=$(curl -${ipv_forceopt}s https://ipinfo.io/ip)
    fi
pureftpinstall

# Support secondary dedicated IP configuration for centmin mod
# nginx vhost generator, so out of the box, new nginx vhosts 
# generated will use the defined SECOND_IP=111.222.333.444 where
# the IP is a secondary IP addressed added to the server.
# You define SECOND_IP variable is centmin mod persistent config
# file outlined at https://centminmod.com/upgrade.html#persistent
# you manually creat the file at /etc/centminmod/custom_config.inc
# and add SECOND_IP=yoursecondary_IPaddress variable to it which
# will be registered with nginx vhost generator routine so that 
# any new nginx vhosts created via centmin.sh menu option 2 or
# /usr/bin/nv or centmin.sh menu option 22, will have pre-defined
# SECOND_IP ip address set in the nginx vhost's listen directive
if [[ -z "$SECOND_IP" ]]; then
  DEDI_IP=""
  DEDI_LISTEN=""
elif [[ "$SECOND_IP" ]]; then
  DEDI_IP=$(echo $(echo ${SECOND_IP}:))
  DEDI_LISTEN="listen   ${DEDI_IP}80;"
fi

wpinstall
  WPSALT=$(/usr/bin/openssl rand -base64 21 | tr -dc 'a-zA-Z0-9')
  WPSALTB=$(/usr/bin/openssl rand -base64 14 | tr -dc 'a-zA-Z0-9')
  WPN=$RANDOM
  WPNB=$RANDOM
  WPADMINUSER="z${WPSALT}wp${WPNB}"
  WPADMINUSER=$(echo $WPADMINUSER | sed -e 's|\/||g' -e 's|\+||g')
  WPADMINPASS="z${WPSALTB}wps${WPN}"
  WPADMINPASS=$(echo $WPADMINPASS | sed -e 's|\/||g' -e 's|\+||g')
 
if [ ! -d /root/tools ]; then
  mkdir -p /root/tools
fi

echo
cecho "-------------------------------------------------------------" $boldyellow
cecho "Setup full Nginx vhost + Wordpress + WP Plugins" $boldgreen
cecho "-------------------------------------------------------------" $boldyellow
echo

wpinfo_notice

read -ep "Enter vhost domain name you want to add (without www. prefix): " vhostname

   # if checkidn_vhost = 0 then internationalized domain name
   checkidn_vhost=$(echo $vhostname | idn | grep '^xn--' >/dev/null 2>&1; echo $?)
   if [[ "$checkidn_vhost" = '0' ]]; then
     vhostname=$(echo $vhostname | idn)
   fi

# check to make sure you don't add a domain name vhost that matches
# your server main hostname setup in server_name within main hostname
# nginx vhost at /usr/local/nginx/conf/conf.d/virtual.conf
if [ -f /usr/local/nginx/conf/conf.d/virtual.conf ]; then
  CHECK_MAINHOSTNAME=$(awk '/server_name/ {print $2}' /usr/local/nginx/conf/conf.d/virtual.conf | sed -e 's|;||')
  if [[ "${CHECK_MAINHOSTNAME}" = "${vhostname}" ]]; then
    echo
    echo " Error: $vhostname is already setup for server main hostname"
    echo " at /usr/local/nginx/conf/conf.d/virtual.conf"
    echo " It is important that main server hostname be setup correctly"
    echo
    echo " As per Getting Started Guide Step 1 centminmod.com/getstarted.html"
    echo " The server main hostname needs to be unique. So please setup"
    echo " the main server name vhost properly first as per Step 1 of guide."
    echo
    echo " Aborting nginx vhost creation..."
    echo
    exit 1
  fi
fi

TESTVHOST=$(echo $vhostname | grep '\/')
while [[ "$TESTVHOST" ]]; do
  echo "!! only domain.com or subdomain.domain.com supported !!"
  echo "   subdirectory is not supported right now"
  read -ep "re-enter vhost domain name you want to add (without www. prefix): " vhostname
  TESTVHOST=$(echo $vhostname | grep '\/')
  echo
done


if [[ "$NGINX_VHOSTSSL" = [yY] ]]; then
  echo
  read -ep "Create a self-signed SSL certificate Nginx vhost? [y/n]: " vhostssl
  if [[ -f "${SCRIPT_DIR}/addons/acmetool.sh" && "$LETSENCRYPT_DETECT" = [yY] ]]; then
    read -ep "Get Letsencrypt SSL certificate Nginx vhost? [y/n]: " vhostssl_le
    if [[ "$vhostssl_le" = [yY] ]]; then
      echo
      echo "You have 4 options: "
      echo "1. issue staging test cert with HTTP + HTTPS (untrusted)"
      echo "2. issue staging test cert with HTTPS default (untrusted)"
      echo "3. issue live cert with HTTP + HTTPS (trusted)"
      echo "4. issue live cert with HTTPS default (trusted)"
      read -ep "Enter option number 1-4: " vhostssl_opt
      if [[ "$vhostssl_opt" = '1' ]]; then
        vhostssl='le'
      elif [[ "$vhostssl_opt" = '2' ]]; then
        vhostssl='led'
        wpcli_ssldefault=1
      elif [[ "$vhostssl_opt" = '3' ]]; then
        vhostssl='lelive'
      elif [[ "$vhostssl_opt" = '4' ]]; then
        vhostssl='lelived'
        wpcli_ssldefault=1
      else
        vhostssl=invalidopt
      fi
      echo
      if [[ "$vhostssl_opt" -eq '2' || "$vhostssl_opt" -eq '4' ]] && [[ "$ISCF_ACHECK" = 'Cloudflare' || "$ISCF_ACHECK" = 'cloudflare' ]]; then
        echo "If using Cloudflare in front of site, disable CF option for"
        echo "Always Use HTTPS in CF Dashboard Crypto Tab as Nginx will do"
        echo "the non-https to https redirect on this end and not require"
        echo "Cloudflare's Always Use HTTPS. If enabled it will cause the"
        echo "error message: too many redirects"
        echo
        echo "Also change Cloudflare Flexible SSL to Full SSL non-strict mode"
        echo
        sleep 1
      fi
    fi # vhostssl_le
  fi
fi

if [[ "$vhostssl" = 'invalidopt' ]]; then
  echo
  echo "error: you entered invalid option = $vhostssl_opt"
  echo "aborting run..."
  exit 1
fi

echo "Theme Setup: "
read -ep "Install CyberChimps Responsive Theme (cyberchimps.com/responsive-theme/) [y/n]: " -i n responsivetheme

echo
echo "Wordpress Setup: "
echo
echo "Not a fan of Gutenberg Editor ? You can switch to Classic Editor"
echo "If you run into Gutenberg Editor issues, you can later switch to"
echo "the Classic Editor https://wordpress.org/plugins/classic-editor/"
read -ep "Install Classic Editor Wordpress Plugin ? [y/n]: " -i y wpclassic_editor

echo
echo "Autoptimize WP Plugin is installed by default. Do you want to install"
echo "companion Autoptimize Gzip Plugin to precompresses js/css optimized files"
echo "details at https://community.centminmod.com/threads/15314/"
read -ep "Install Autoptimize Gzip Companion Wordpress Plugin ? [y/n]: " -i y wpautoptimize_gzip

if [[ "$wpautoptimize_gzip" = [yY] ]]; then
  WP_AUTOPTIMIZE_GZIP='y'
fi

echo
echo "Google Native LazyLoad Plugin https://wordpress.org/plugins/native-lazyload/"
read -ep "Install Google Native LazyLoad Plugin ? [y/n]: " -i y wp_google_lazyload

echo
read -ep "Set custom WP Admin Display Name ? [y/n]: " setdisplayname
if [[ "$setdisplayname" = [yY] ]]; then
  read -ep "Enter Custom WP Admin Display Name: " displayname
  WPADMIN_DISPLAYNAME=$displayname
fi
read -ep "Install Wordpress in subdirectory /blog ? [y/n]: " wpsubdirinstall

if [[ "$wpsubdirinstall" = [yY] ]]; then
  SUBDIR_INSTALL=y
  read -ep "Enter subdirectory name i.e. /blog enter = blog ? : " wpsubdir_value
  WPSUBDIR="/$wpsubdir_value"
  SUBDIR_INCLUDE="include /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf;"
  NONSUBDIR_INCLUDE=""
elif [[ "$wpsubdirinstall" != [yY] ]]; then
  SUBDIR_INSTALL=n
  WPSUBDIR=""
  SUBDIR_INCLUDE=""
  NONSUBDIR_INCLUDE="include /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf;"
fi

read -ep "Disable Auto Generated WP Admin Username / Password ? [y/n]: " disableautogen
read -ep "Disable wp-login.php password protection ? (less security) [y/n]: " disablepwdprotect

if [[ "$disableautogen" = [yY] ]]; then
  if [ ! -f /usr/sbin/cracklib-check ]; then
    yum -y -q install cracklib
  fi
  echo
  cecho "--------------------------" $boldgreen
  cecho "!! Security Note !!" $boldyellow
  cecho "--------------------------" $boldgreen
  cecho "Please choose a stronger Username/Password Combination" $boldyellow
  echo
  read -ep "Enter desired WP Admin Username: " WPADMINUSER
  read -ep "Enter desired WP Admin Password: " WPADMINPASS

  CHECKWPADMINPASSWD="$(cracklib-check <<<"$WPADMINPASS")"
  okay="$(awk -F': ' '{ print $2}' <<<"$CHECKWPADMINPASSWD")"
  while [[ "$okay" != "OK" ]]; do
    cecho "!! password strength not strong enough !! " $boldyellow
    cecho "!! do not use common dictionary words !! " $boldyellow
    cecho "!! do not use short passwords !! " $boldyellow
    cecho "!! do not use simplistic passwords !! " $boldyellow
    echo
    read -ep "Re-Enter desired WP Admin Password: " WPADMINPASS
    CHECKWPADMINPASSWD="$(cracklib-check <<<"$WPADMINPASS")"
    okay="$(awk -F': ' '{ print $2}' <<<"$CHECKWPADMINPASSWD")"
  done
fi

read -ep "Enter email address for Admin User for Wordpress Installation: " WPADMINEMAIL

# check if nginx server is compiled with default redis nginx modules, 
# otherwise hide redis cache option if nginx server is missing 
# required redis related nginx modules
CHECKFOR_REDISMODULES=$(nginx -V 2>&1 | egrep -o 'ngx_http_redis|redis2-nginx-module|ngx_cache_purge|set-misc-nginx-module' | xargs)
if [[ "$(echo $CHECKFOR_REDISMODULES | grep -o 'ngx_cache_purge')" = 'ngx_cache_purge' ]] && [[ "$(echo $CHECKFOR_REDISMODULES | grep -o 'set-misc-nginx-module')" = 'set-misc-nginx-module' ]] && [[ "$(echo $CHECKFOR_REDISMODULES | grep -o 'redis2-nginx-module')" = 'redis2-nginx-module' ]] && [[ "$(echo $CHECKFOR_REDISMODULES | grep -o 'ngx_http_redis')" = 'ngx_http_redis' ]]; then
  redis_ngx_exists='y'
else
  redis_ngx_exists='n'
fi

echo
cecho "Default is to install KeyCDN WP Cache Enabler Plugin" $boldyellow
cecho "as it's more stable and reliable than WP Super Cache." $boldyellow
if [[ "$redis_ngx_exists" = [yY] ]]; then
  cecho "Redis cache may have issues with caching due to long 6hr cache TTL" $boldyellow
else
  cecho "!! Redis cache not available - no redis nginx modules detected !!" $boldyellow
fi
cecho "You can select which caching method to use below:" $boldyellow
echo

cecho "--------------------------------------------------------" $boldyellow
cecho "        Wordpress Caching               " $boldgreen
cecho "--------------------------------------------------------" $boldyellow
if [[ "$WP_FASTCGI_CACHE" = [yY] ]]; then
  if [[ "$redis_ngx_exists" = [yY] ]]; then
PS3='--------------------------------------------------------
Enter option [ 1 - 4 ] '
select_wpcache_opts=("KeyCDN Cache Enabler" "Redis Nginx Level Caching" "Wordpress Super Cache" "Fastcgi_cache (PHP-FPM)")
  else
PS3='--------------------------------------------------------
Enter option [ 1 - 3 ] '
select_wpcache_opts=("KeyCDN Cache Enabler" "Wordpress Super Cache" "Fastcgi_cache (PHP-FPM)")
  fi
elif [[ "$redis_ngx_exists" = [yY] ]]; then
PS3='--------------------------------------------------------
Enter option [ 1 - 3 ] '
select_wpcache_opts=("KeyCDN Cache Enabler" "Redis Nginx Level Caching" "Wordpress Super Cache")
else
PS3='--------------------------------------------------------
Enter option [ 1 - 2 ] '
select_wpcache_opts=("KeyCDN Cache Enabler" "Wordpress Super Cache")
fi
select optwp in "${select_wpcache_opts[@]}"; do
case $optwp in
  "KeyCDN Cache Enabler" )
    wpscache='n'
    wpcache_option=$REPLY
    echo
    echo "you selected option $wpcache_option (KeyCDN Cache Enabler) [wpscache=$wpscache]"
    echo
    break
    ;;
  "Redis Nginx Level Caching" )
    wpscache='redis'
    wpcache_option=$REPLY
    echo
    echo "you selected option $wpcache_option (Redis Nginx Level Cache) [wpscache=$wpscache]"
    echo
    break
    ;;
  "Wordpress Super Cache" )
    wpscache='y'
    wpcache_option=$REPLY
    echo
    echo "you selected option $wpcache_option (Wordpress Super Cache) [wpscache=$wpscache]"
    echo
    break
    ;;
  "Fastcgi_cache (PHP-FPM)" )
    if [[ "$redis_ngx_exists" = [yY] && "$WP_FASTCGI_CACHE" = [yY] ]]; then
      wpscache='fastcgicache'
    elif [[ "$redis_ngx_exists" = [nN] && "$WP_FASTCGI_CACHE" = [yY] ]]; then
      wpscache='fastcgicache'
    else
      wpscache='n'  
    fi
    wpcache_option=$REPLY
    echo
    echo "you selected option $wpcache_option (Fastcgi_cache PHP-FPM) [wpscache=$wpscache]"
    echo
    break
    ;;
  * )
    echo
    if [[ "$WP_FASTCGI_CACHE" = [yY] ]]; then
      if [[ "$redis_ngx_exists" = [yY] ]]; then
        echo "Valid options are 1 - 4"
      else
        echo "Valid options are 1 - 3"
      fi
    elif [[ "$redis_ngx_exists" = [yY] ]]; then
      echo "Valid options are 1 - 3"
    else
      echo "Valid options are 1 - 2"
    fi
    echo
    ;;
esac
done

TESTEMAIL=$(echo "${WPADMINEMAIL}" |  grep '^[a-zA-Z0-9._%+-]*@[a-zA-Z0-9-]*[\.[a-zA-Z0-9]*]*[a-zA-Z0-9]$')
# echo "$TESTEMAIL"
while [[ "$TESTEMAIL" = "" ]]; do
  echo
  echo "!! make sure email address is valid and typed correctly !!"
  read -ep "Enter email address for Wordpress Installation: " WPADMINEMAIL
  TESTEMAIL=$(echo "${WPADMINEMAIL}" |  grep '^[a-zA-Z0-9._%+-]*@[a-zA-Z0-9-]*[\.[a-zA-Z0-9]*]*[a-zA-Z0-9]$')
  echo
done

if [[ "$PUREFTPD_DISABLED" = [nN] ]]; then
  if [ ! -f /usr/sbin/cracklib-check ]; then
    yum -y -q install cracklib
  fi
  if [ ! -f /usr/bin/pwgen ]; then
    yum -y -q install pwgen
  fi  
  read -ep "Create FTP username for vhost domain (enter username): " ftpuser
  read -ep "Do you want to auto generate FTP password (recommended) [y/n]: " autogenpass

  if [[ "$autogenpass" = [yY] ]]; then
    ftppass=$(pwgen -1cnys 27)
  else
    read -ep "Create FTP password for $ftpuser (enter password): " ftppass
  
    # simple password strength check
    # utilise http://cracklib.sourceforge.net/ too
    CHECKPASSWD="$(cracklib-check <<<"$ftppass")"
    okay="$(awk -F': ' '{ print $2}' <<<"$CHECKPASSWD")"
    while [[ "$okay" != "OK" ]]; do
      echo "!! password strength not strong enough !! "
      echo "!! do not use common dictionary words !! "
      echo "!! do not use short passwords !! "
      echo "!! do not use simplistic passwords !! "
      echo
      read -ep "re-enter FTP password for $ftpuser (enter password): " ftppass
      CHECKPASSWD="$(cracklib-check <<<"$ftppass")"
      okay="$(awk -F': ' '{ print $2}' <<<"$CHECKPASSWD")"
    done
  fi # autogenpass
  echo
  echo "FTP username you entered: $ftpuser"
  if [[ "$autogenpass" = [yY] ]]; then
    echo "FTP password auto generated: $ftppass"
  else
    echo "FTP password you entered: $ftppass"    
  fi
fi

echo ""

if [ ! -d /home/nginx/domains/$vhostname ]; then

dbsetup

# Checking Permissions, making directories, example index.html
umask 027
mkdir -p /home/nginx/domains/$vhostname/{public,private,log,backup}
ngx_logformats
if [[ "$wpsubdirinstall" = [yY] ]]; then
  mkdir -p /home/nginx/domains/$vhostname/public/$wpsubdir_value
fi

if [ ! -f /usr/local/nginx/conf/wpincludes ]; then
  mkdir -p /usr/local/nginx/conf/wpincludes
fi

if [ ! -f "/usr/local/nginx/conf/wpincludes/$vhostname" ]; then
  mkdir -p "/usr/local/nginx/conf/wpincludes/$vhostname"
fi

if [[ "$PUREFTPD_DISABLED" = [nN] ]]; then
  ( echo "${ftppass}" ; echo "${ftppass}" ) | pure-pw useradd "$ftpuser" -u $PUREUSER -g $PUREGROUP -d "/home/nginx/domains/$vhostname"
  pure-pw mkdb
fi

if [[ "$wpsubdirinstall" = [yY] ]]; then
cat > "/home/nginx/domains/$vhostname/public/index.html" <<END
<html>
<head>
<title>$vhostname</title>
</head>
<body>
<p>Welcome to $vhostname. This index.html page can be removed. You have auto installed Wordpress at $vhostname$WPSUBDIR</p>

<p>Useful Centmin Mod info and links to bookmark.</p>

<ul>
  <li>Getting Started Guide - <a href="https://centminmod.com/getstarted.html" target="_blank">https://centminmod.com/getstarted.html</a></li>
  <li>Latest Centmin Mod version - <a href="https://centminmod.com" target="_blank">https://centminmod.com</a></li>
  <li>Centmin Mod FAQ - <a href="https://centminmod.com/faq.html" target="_blank">https://centminmod.com/faq.html</a></li>
  <li>Change Log - <a href="https://centminmod.com/changelog.html" target="_blank">https://centminmod.com/changelog.html</a></li>
  <li>Google+ Page latest news <a href="https://centminmod.com/gpage" target="_blank">https://centminmod.com/gpage</a></li>
  <li>Centmin Mod Community Forum <a href="https://community.centminmod.com/" target="_blank">https://community.centminmod.com/</a></li>
  <li>Centmin Mod Twitter <a href="https://twitter.com/centminmod" target="_blank">https://twitter.com/centminmod</a></li>
  <li>Centmin Mod Facebook Page <a href="https://www.facebook.com/centminmodcom" target="_blank">https://www.facebook.com/centminmodcom</a></li>
</ul>

<p><a href="https://www.digitalocean.com/?refcode=c1cb367108e8" target="_blank">Cheap VPS Hosting at Digitalocean</a></p>

</body>
</html>
END
fi

    cp -R $CUR_DIR/htdocs/custom_errorpages/* /home/nginx/domains/$vhostname/public
umask 022
chown -R nginx:nginx "/home/nginx/domains/$vhostname"
find "/home/nginx/domains/$vhostname" -type d -exec chmod g+s {} \;

if [[ "$disablepwdprotect" != [yY] ]]; then
  # wp-login.php password protection
  if [[ -f /usr/local/nginx/conf/htpasswd.sh && ! -f /home/nginx/domains/$vhostname/htpasswd_wplogin ]]; then
    HTWPLOGINSALT=$(/usr/bin/openssl rand -base64 16 | tr -dc 'a-zA-Z0-9')
    HTWPLOGINSALTB=$(/usr/bin/openssl rand -base64 23 | tr -dc 'a-zA-Z0-9')
    HTWPLOGIN=$RANDOM
    HTWPLOGINB=$RANDOM
    HTUSER="u${HTWPLOGINSALT}x${HTWPLOGIN}"
    HTUSER=$(echo $HTUSER | sed -e 's|\/||g')
    HTPASS="p${HTWPLOGINSALTB}y${HTWPLOGIN}"
    HTPASS=$(echo $HTPASS | sed -e 's|\/||g')
    echo "/usr/local/nginx/conf/htpasswd.sh create /home/nginx/domains/$vhostname/htpasswd_wplogin $HTUSER $HTPASS"
    /usr/local/nginx/conf/htpasswd.sh create /home/nginx/domains/$vhostname/htpasswd_wplogin $HTUSER $HTPASS
  fi
fi

# rate limit setup
WPRATECHECK=$(grep 'zone=xwplogin' /usr/local/nginx/conf/nginx.conf)
WPRATERPCCHECK=$(grep 'zone=xwprpc' /usr/local/nginx/conf/nginx.conf)

if [[ -z "$WPRATERPCCHECK" ]]; then
  sed -i 's/http {/http { \nlimit_req_zone $binary_remote_addr zone=xwprpc:10m rate=30r\/s;\n/g' /usr/local/nginx/conf/nginx.conf
fi

if [[ -z "$WPRATECHECK" ]]; then
  sed -i 's/http {/http { \nlimit_req_zone $binary_remote_addr zone=xwplogin:10m rate=40r\/m;\n/g' /usr/local/nginx/conf/nginx.conf
fi

################################################################################
# create wp super cache's included php config file php-wpsc.conf
\cp -f /usr/local/nginx/conf/php.conf /usr/local/nginx/conf/php-wpsc.conf
sed -i "s|fastcgi_param  SERVER_NAME        \$server_name;|fastcgi_param  SERVER_NAME        \$http_host;|" /usr/local/nginx/conf/php-wpsc.conf

################################################################################
# create wp enable enabler included files https://community.centminmod.com/posts/21220/

cat > "/usr/local/nginx/conf/wpincludes/${vhostname}/wpcacheenabler_${vhostname}.conf"<<HFA
    # Block nginx-help log from public viewing
    location ~* /wp-content/uploads/nginx-helper/ { deny all; }

    set \$cache_uri \$request_uri;

    # exclude mobile devices from redis caching
    if (\$cmwpcache_device = mobile) { set \$cache_uri 'nullcache'; }

    # bypass cache if POST requests or URLs with a query string
    if (\$request_method = POST) {
        set \$cache_uri 'nullcache';
    }
    if (\$query_string != "") {
        set \$cache_uri 'nullcache';
    }

    # include query strings fbclid, gclid, utm in cache via stripping them with
    # 302 redirect via mapping in /usr/local/nginx/conf/wpcacheenabler_map.conf
    if (\$q_ignorearg) {
      set \$check_qurl \$request_uri;
      set \$check_surl \$request_uri;
      set \$cache_uri \$uri;
      #rewrite ^ \$uri? redirect;
    }
    add_header Check-Querystring-Uri "\$check_qurl";
    #add_header Q-Ignore-Arg "\$q_ignorearg";

    # bypass cache if URLs containing the following strings
    if (\$request_uri ~* "(\?add-to-cart=|\?wc-ajax=|\?wc-api=|/cart/|/my-account/|/checkout/|/shop/checkout/|/wp-json/|/store/checkout/|/customer-dashboard/|/addons/|/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {
        set \$cache_uri 'nullcache';
    }

    # bypass cache if the cookies containing the following strings
    if (\$http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_logged_in|wc-api|edd_items_in_cart|woocommerce_items_in_cart|woocommerce_cart_hash|woocommerce_recently_viewed|wc_session_cookie_HASH|wp_woocommerce_session_|wptouch_switch_toggle") {
        set \$cache_uri 'nullcache';
    }

    # bypass cache for woocommerce
    if (\$arg_add-to-cart != "") { set \$cache_uri 'nullcache'; }
    if (\$arg_wc-api != "") { set \$cache_uri 'nullcache'; }

    ## bypass cache for empty woocommerce carts
    #if (\$cookie_woocommerce_items_in_cart != "0") { 
    #  set \$cache_uri 'nullcache';
    #}

    # custom sub directory e.g. /blog
    set \$custom_subdir '${WPSUBDIR}';
    #if (\$args ~* s=(.*)) {
    #  set \$cache_uri \$request_uri;
    #  set \$check_surl \$cache_uri;
    #  set \$cache_uri /search/\$1;
    #}
    #add_header Check-Uri "\$check_surl";
    #add_header Set-Uri "\$cache_uri";

    # default html file
    set \$cache_enabler_uri '\${custom_subdir}/wp-content/cache/cache-enabler/\${http_host}\${cache_uri}\${scheme}-index.html';

    # webp html file
    if (\$http_accept ~* "image/webp") {
        set \$cache_enabler_uri_webp '\${custom_subdir}/wp-content/cache/cache-enabler/\${http_host}\${cache_uri}\${scheme}-index-webp.html';
    }

    #if (-f \$document_root\$cache_enabler_uri) {
    #set \$cttls "120s";
    #}
    #expires \$cttls;
HFA

cat > "/usr/local/nginx/conf/wpcacheenabler_map.conf"<<HFB
map \$http_user_agent \$cmwpcache_device {
    default                                     'desktop';
    ~*(iPad|iPhone|Android|IEMobile|Blackberry) 'mobile';
    "~*Firefox.*Mobile"                         'mobile';
    "~*ipod.*mobile"                            'mobile';
    "~*Opera\ Mini"                             'mobile';
    "~*Opera\ Mobile"                           'mobile';
    "~*Mobile"                                  'mobile';
    "~*Tablet"                                  'mobile';
    "~*Kindle"                                  'mobile';
    "~*Windows\ Phone"                          'mobile';
}

map \$args \$q_ignorearg {
  default               0;
  "~*fbclid"            1;
  "~*gclid"             1;
  "~*utm"               1;
  "~*fb_action_ids"     1;
  "~*fb_action_types"   1;
  "~*fb_source"         1;
  "~*age-verified"      1;
  "~*ao_noptimize"      1;
  "~*usqp"              1;
  "~*cn-reloaded"       1;
  "~*_ga"               1;
  "~*_ke"               1;
  "~*mc_cid"            1;
  "~*mc_eid"            1;
  "~*ref"               1;
}
HFB

WPCACHEENABLERMAP_INCLUDECHECK=$(grep '\/usr\/local\/nginx\/conf\/wpcacheenabler_map.conf' /usr/local/nginx/conf/nginx.conf)
  if [[ -z "$WPCACHEENABLERMAP_INCLUDECHECK" ]]; then
    echo
    echo "include file /usr/local/nginx/conf/wpcacheenabler_map.conf add to nginx.conf"
      sed -i 's|\/usr\/local\/nginx\/conf\/fastcgi_param_https_map.conf;|\/usr\/local\/nginx\/conf\/fastcgi_param_https_map.conf;\ninclude \/usr\/local\/nginx\/conf\/wpcacheenabler_map.conf;|g' /usr/local/nginx/conf/nginx.conf
  fi

################################################################################
# create nginx level redis cache included php config file php-rediscache.conf
# https://community.centminmod.com/posts/18828/
# \cp -f /usr/local/nginx/conf/php.conf /usr/local/nginx/conf/php-rediscache.conf

cat > "/usr/local/nginx/conf/php-rediscache.conf"<<HFF
location ~ [^/]\.php(/|\$) {
  include /usr/local/nginx/conf/503include-only.conf;
    fastcgi_split_path_info ^(.+?\.php)(/.*)\$;
    if (!-f \$document_root\$fastcgi_script_name) {
        return 404;
    }

    set \$key "nginx-cache:\$scheme\$request_method\$host\$request_uri";
    srcache_fetch_skip \$skip_cache;
    srcache_store_skip \$skip_cache;
    srcache_response_cache_control off;
    set_escape_uri \$escaped_key \$key;
    srcache_fetch GET /redis-fetch \$key;
    srcache_store PUT /redis-store key=\$escaped_key;
    more_set_headers 'X-Cache \$srcache_fetch_status';
    more_set_headers 'X-Cache-2 \$srcache_store_status';

    fastcgi_pass   127.0.0.1:9000;
    #fastcgi_pass   unix:/var/run/php-fpm/php-fpm.sock;
    fastcgi_index  index.php;
    #fastcgi_param  SCRIPT_FILENAME  \$document_root\$fastcgi_script_name;
    fastcgi_param  SCRIPT_FILENAME    \$request_filename;
    #fastcgi_param PHP_ADMIN_VALUE open_basedir=\$document_root/:/usr/local/lib/php/:/tmp/;

# might shave 200+ ms off PHP requests
# which don't pass on a content length header
# slightly faster page response time at the
# expense of throughput / scalability
#sendfile on;
#tcp_nopush off;
#keepalive_requests 0;

fastcgi_connect_timeout 360s;
fastcgi_send_timeout 360s;
fastcgi_read_timeout 360s;
fastcgi_buffer_size 32k;
fastcgi_buffers 512 32k;
fastcgi_busy_buffers_size 1m;
fastcgi_temp_file_write_size 4m;
fastcgi_max_temp_file_size 4m;
fastcgi_intercept_errors off;

# next 3 lines when uncommented / enabled
# allow Nginx to handle uploads which then 
# passes back the completed upload to PHP
#fastcgi_pass_request_body off;
#client_body_in_file_only clean;
#fastcgi_param  REQUEST_BODY_FILE  \$request_body_file;

#new .04+ map method
fastcgi_param HTTPS \$server_https;

# comment out PATH_TRANSLATED line if /usr/local/lib/php.ini sets following:
# cgi.fix_pathinfo=0 
# as of centminmod v1.2.3-eva2000.01 default is set to cgi.fix_pathinfo=1

fastcgi_param  PATH_INFO          \$fastcgi_path_info;
fastcgi_param  PATH_TRANSLATED    \$document_root\$fastcgi_path_info;

fastcgi_param  QUERY_STRING       \$query_string;
fastcgi_param  REQUEST_METHOD     \$request_method;
fastcgi_param  CONTENT_TYPE       \$content_type;
fastcgi_param  CONTENT_LENGTH     \$content_length;

fastcgi_param  SCRIPT_NAME        \$fastcgi_script_name;
fastcgi_param  REQUEST_URI        \$request_uri;
fastcgi_param  DOCUMENT_URI       \$document_uri;
fastcgi_param  DOCUMENT_ROOT      \$document_root;
fastcgi_param  SERVER_PROTOCOL    \$server_protocol;
fastcgi_param  REQUEST_SCHEME     \$scheme;
fastcgi_param  HTTPS              \$https if_not_empty;
fastcgi_param  HTTP_PROXY         "";

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/\$nginx_version;

fastcgi_param  REMOTE_ADDR        \$remote_addr;
fastcgi_param  REMOTE_PORT        \$remote_port;
fastcgi_param  SERVER_ADDR        \$server_addr;
fastcgi_param  SERVER_PORT        \$server_port;
fastcgi_param  SERVER_NAME        \$server_name;

# Set php-fpm geoip variables
fastcgi_param GEOIP_COUNTRY_CODE \$geoip_country_code;
fastcgi_param GEOIP_COUNTRY_CODE3 \$geoip_country_code3;
fastcgi_param GEOIP_COUNTRY_NAME \$geoip_country_name;
fastcgi_param GEOIP_CITY_COUNTRY_CODE \$geoip_city_country_code;
fastcgi_param GEOIP_CITY_COUNTRY_CODE3 \$geoip_city_country_code3;
fastcgi_param GEOIP_CITY_COUNTRY_NAME \$geoip_city_country_name;
fastcgi_param GEOIP_REGION \$geoip_region;
fastcgi_param GEOIP_CITY \$geoip_city;
fastcgi_param GEOIP_POSTAL_CODE \$geoip_postal_code;
fastcgi_param GEOIP_CITY_CONTINENT_CODE \$geoip_city_continent_code;
fastcgi_param GEOIP_LATITUDE \$geoip_latitude;
fastcgi_param GEOIP_LONGITUDE \$geoip_longitude;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

                   }
HFF

cat > "/usr/local/nginx/conf/php-rediscache-shortttl.conf"<<HFI
location ~ [^/]\.php(/|\$) {
  include /usr/local/nginx/conf/503include-only.conf;
    fastcgi_split_path_info ^(.+?\.php)(/.*)\$;
    if (!-f \$document_root\$fastcgi_script_name) {
        return 404;
    }

    set \$key "nginx-cache:\$scheme\$request_method\$host\$request_uri";
    srcache_fetch_skip \$skip_cache;
    srcache_store_skip \$skip_cache;
    srcache_response_cache_control off;
    set_escape_uri \$escaped_key \$key;
    srcache_fetch GET /redis-fetch \$key;
    srcache_store PUT /redis-store-shortttl key=\$escaped_key;
    more_set_headers 'X-Cache \$srcache_fetch_status';
    more_set_headers 'X-Cache-2 \$srcache_store_status';

    fastcgi_pass   127.0.0.1:9000;
    #fastcgi_pass   unix:/var/run/php-fpm/php-fpm.sock;
    fastcgi_index  index.php;
    #fastcgi_param  SCRIPT_FILENAME  \$document_root\$fastcgi_script_name;
    fastcgi_param  SCRIPT_FILENAME    \$request_filename;
    #fastcgi_param PHP_ADMIN_VALUE open_basedir=\$document_root/:/usr/local/lib/php/:/tmp/;

# might shave 200+ ms off PHP requests
# which don't pass on a content length header
# slightly faster page response time at the
# expense of throughput / scalability
#sendfile on;
#tcp_nopush off;
#keepalive_requests 0;

fastcgi_connect_timeout 360s;
fastcgi_send_timeout 360s;
fastcgi_read_timeout 360s;
fastcgi_buffer_size 32k;
fastcgi_buffers 512 32k;
fastcgi_busy_buffers_size 1m;
fastcgi_temp_file_write_size 4m;
fastcgi_max_temp_file_size 4m;
fastcgi_intercept_errors off;

# next 3 lines when uncommented / enabled
# allow Nginx to handle uploads which then 
# passes back the completed upload to PHP
#fastcgi_pass_request_body off;
#client_body_in_file_only clean;
#fastcgi_param  REQUEST_BODY_FILE  \$request_body_file;

#new .04+ map method
fastcgi_param HTTPS \$server_https;

# comment out PATH_TRANSLATED line if /usr/local/lib/php.ini sets following:
# cgi.fix_pathinfo=0 
# as of centminmod v1.2.3-eva2000.01 default is set to cgi.fix_pathinfo=1

fastcgi_param  PATH_INFO          \$fastcgi_path_info;
fastcgi_param  PATH_TRANSLATED    \$document_root\$fastcgi_path_info;

fastcgi_param  QUERY_STRING       \$query_string;
fastcgi_param  REQUEST_METHOD     \$request_method;
fastcgi_param  CONTENT_TYPE       \$content_type;
fastcgi_param  CONTENT_LENGTH     \$content_length;

fastcgi_param  SCRIPT_NAME        \$fastcgi_script_name;
fastcgi_param  REQUEST_URI        \$request_uri;
fastcgi_param  DOCUMENT_URI       \$document_uri;
fastcgi_param  DOCUMENT_ROOT      \$document_root;
fastcgi_param  SERVER_PROTOCOL    \$server_protocol;
fastcgi_param  REQUEST_SCHEME     \$scheme;
fastcgi_param  HTTPS              \$https if_not_empty;
fastcgi_param  HTTP_PROXY         "";

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/\$nginx_version;

fastcgi_param  REMOTE_ADDR        \$remote_addr;
fastcgi_param  REMOTE_PORT        \$remote_port;
fastcgi_param  SERVER_ADDR        \$server_addr;
fastcgi_param  SERVER_PORT        \$server_port;
fastcgi_param  SERVER_NAME        \$server_name;

# Set php-fpm geoip variables
fastcgi_param GEOIP_COUNTRY_CODE \$geoip_country_code;
fastcgi_param GEOIP_COUNTRY_CODE3 \$geoip_country_code3;
fastcgi_param GEOIP_COUNTRY_NAME \$geoip_country_name;
fastcgi_param GEOIP_CITY_COUNTRY_CODE \$geoip_city_country_code;
fastcgi_param GEOIP_CITY_COUNTRY_CODE3 \$geoip_city_country_code3;
fastcgi_param GEOIP_CITY_COUNTRY_NAME \$geoip_city_country_name;
fastcgi_param GEOIP_REGION \$geoip_region;
fastcgi_param GEOIP_CITY \$geoip_city;
fastcgi_param GEOIP_POSTAL_CODE \$geoip_postal_code;
fastcgi_param GEOIP_CITY_CONTINENT_CODE \$geoip_city_continent_code;
fastcgi_param GEOIP_LATITUDE \$geoip_latitude;
fastcgi_param GEOIP_LONGITUDE \$geoip_longitude;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

                   }
HFI

################################################################################
# Setting up Nginx mapping

if [[ "$vhostssl" = [yY] ]] || [[ "$vhostssl" = 'le' ]] || [[ "$vhostssl" = 'led' ]] || [[ "$vhostssl" = 'lelive' ]] || [[ "$vhostssl" = 'lelived' ]]; then
  sslvhost
fi

if [[ "$vhostssl" = [yY] ]] || [[ "$vhostssl" = 'le' ]] || [[ "$vhostssl" = 'led' ]] || [[ "$vhostssl" = 'lelive' ]] || [[ "$vhostssl" = 'lelived' ]]; then

  if [ -f "${DIR_TMP}/openssl-${OPENSSL_VERSION}/crypto/chacha20poly1305/chacha20.c" ]; then
      # check /svr-setup/openssl-1.0.2f/crypto/chacha20poly1305/chacha20.c exists
      OPEENSSL_CFPATCHED='y'
  elif [ -f "${DIR_TMP}/openssl-${OPENSSL_VERSION}/crypto/chacha/chacha_enc.c" ]; then
      # for openssl 1.1.0 native chacha20 support
      OPEENSSL_CFPATCHED='y'
  fi

if [[ "$(nginx -V 2>&1 | grep LibreSSL | head -n1)" ]] || [[ "$OPEENSSL_CFPATCHED" = [yY] ]]; then
  if [[ -f "${DIR_TMP}/openssl-${OPENSSL_VERSION}/crypto/chacha20poly1305/chacha20.c" ]]; then
    CHACHACIPHERS='ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:'
  elif [[ -f "${DIR_TMP}/openssl-${OPENSSL_VERSION}/crypto/chacha/chacha_enc.c" ]]; then
    CHACHACIPHERS='ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:'
  else
    CHACHACIPHERS='ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:'
  fi
else
  CHACHACIPHERS=""
fi

if [ -f "${DIR_TMP}/openssl-${OPENSSL_VERSION}/configdata.pm" ]; then
  DETECTOPENSSL_ONEZERO=$(echo $OPENSSL_VERSION  | cut -d . -f1-2)
  DETECTOPENSSL_ONEONE=$(echo $OPENSSL_VERSION  | cut -d . -f1-3 | grep -o 1.1.1)
  if [[ "$DETECTOPENSSL_ONEZERO" = '1.1' ]] || [[ "$DETECTOPENSSL_ONEONE" = '1.1.1' ]]; then
      # openssl 1.1.0 unsupported flag enable-tlsext
      if [[ "$(grep -w 'tls1_3' "${DIR_TMP}/openssl-${OPENSSL_VERSION}/configdata.pm")" ]]; then
          TLSONETHREEOPT=' enable-tls1_3'
          TLSONETHREE_DETECT='y'
      else
          TLSONETHREEOPT=""
          TLSONETHREE_DETECT='n'
      fi
  fi
fi

if [[ "$TLSONETHREE_DETECT" = [yY] ]]; then
  TLSONETHREE_CIPHERS='TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:'
else
  TLSONETHREE_CIPHERS=""
fi

if [[ -f /usr/bin/php74 && -f /usr/bin/php73 && -f /usr/bin/php72 && -f /usr/bin/php71 && -f /usr/bin/php70 && -f /usr/bin/php56 ]]; then
  MULTIPHP_INCLUDES='#include /usr/local/nginx/conf/php74-remi.conf;
  #include /usr/local/nginx/conf/php73-remi.conf;
  #include /usr/local/nginx/conf/php72-remi.conf;
  #include /usr/local/nginx/conf/php71-remi.conf;
  #include /usr/local/nginx/conf/php70-remi.conf;
  #include /usr/local/nginx/conf/php56-remi.conf;'
elif [[ -f /usr/bin/php74 && -f /usr/bin/php73 && -f /usr/bin/php72 && -f /usr/bin/php71 && ! -f /usr/bin/php70 && ! -f /usr/bin/php56 ]]; then
  MULTIPHP_INCLUDES='#include /usr/local/nginx/conf/php74-remi.conf;
  #include /usr/local/nginx/conf/php73-remi.conf;
  #include /usr/local/nginx/conf/php72-remi.conf;
  #include /usr/local/nginx/conf/php71-remi.conf;'
elif [[ -f /usr/bin/php74 && -f /usr/bin/php73 && -f /usr/bin/php72 && ! -f /usr/bin/php71 && ! -f /usr/bin/php70 && ! -f /usr/bin/php56 ]]; then
  MULTIPHP_INCLUDES='#include /usr/local/nginx/conf/php74-remi.conf;
  #include /usr/local/nginx/conf/php73-remi.conf;
  #include /usr/local/nginx/conf/php72-remi.conf;'
elif [[ -f /usr/bin/php74 && -f /usr/bin/php73 && ! -f /usr/bin/php72 && ! -f /usr/bin/php71 && ! -f /usr/bin/php70 && ! -f /usr/bin/php56 ]]; then
  MULTIPHP_INCLUDES='#include /usr/local/nginx/conf/php74-remi.conf;
  #include /usr/local/nginx/conf/php73-remi.conf;'
elif [[ -f /usr/bin/php73 && -f /usr/bin/php72 && -f /usr/bin/php71 && -f /usr/bin/php70 && -f /usr/bin/php56 ]]; then
  MULTIPHP_INCLUDES='#include /usr/local/nginx/conf/php73-remi.conf;
  #include /usr/local/nginx/conf/php72-remi.conf;
  #include /usr/local/nginx/conf/php71-remi.conf;
  #include /usr/local/nginx/conf/php70-remi.conf;
  #include /usr/local/nginx/conf/php56-remi.conf;'
elif [[ -f /usr/bin/php72 && -f /usr/bin/php71 && -f /usr/bin/php70 && -f /usr/bin/php56 ]]; then
  MULTIPHP_INCLUDES='#include /usr/local/nginx/conf/php72-remi.conf;
  #include /usr/local/nginx/conf/php71-remi.conf;
  #include /usr/local/nginx/conf/php70-remi.conf;
  #include /usr/local/nginx/conf/php56-remi.conf;'
elif [[ -f /usr/bin/php71 && -f /usr/bin/php70 && -f /usr/bin/php56 ]]; then
  MULTIPHP_INCLUDES='#include /usr/local/nginx/conf/php71-remi.conf;
  #include /usr/local/nginx/conf/php70-remi.conf;
  #include /usr/local/nginx/conf/php56-remi.conf;'
elif [[ -f /usr/bin/php71 && -f /usr/bin/php70 && ! -f /usr/bin/php56 ]]; then
  MULTIPHP_INCLUDES='#include /usr/local/nginx/conf/php71-remi.conf;
  #include /usr/local/nginx/conf/php70-remi.conf;'
elif [[ -f /usr/bin/php71 && ! -f /usr/bin/php70 && ! -f /usr/bin/php56 ]]; then
  MULTIPHP_INCLUDES='#include /usr/local/nginx/conf/php71-remi.conf;'
elif [[ ! -f /usr/bin/php71 && -f /usr/bin/php70 && ! -f /usr/bin/php56 ]]; then
  MULTIPHP_INCLUDES='#include /usr/local/nginx/conf/php70-remi.conf;'
elif [[ ! -f /usr/bin/php71 && ! -f /usr/bin/php70 && -f /usr/bin/php56 ]]; then
  MULTIPHP_INCLUDES='#include /usr/local/nginx/conf/php56-remi.conf;'
elif [[ ! -f /usr/bin/php71 && ! -f /usr/bin/php70 && ! -f /usr/bin/php56 ]]; then
  MULTIPHP_INCLUDES=""
fi

if [[ "$VHOST_PRESTATICINC" = [yY] ]]; then
  PRESTATIC_INCLUDES="include /usr/local/nginx/conf/pre-staticfiles-local-${vhostname}.conf;
  include /usr/local/nginx/conf/pre-staticfiles-global.conf;"
  touch "/usr/local/nginx/conf/pre-staticfiles-local-${vhostname}.conf"
  touch /usr/local/nginx/conf/pre-staticfiles-global.conf
else
  PRESTATIC_INCLUDES=""
fi

if [[ "$VHOST_CFAUTHORIGINPULL" = [yY] ]]; then
  CFAUTHORIGINPULL_INCLUDES="# cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
  #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/$vhostname/origin.crt;
  #ssl_verify_client on;"
else
  CFAUTHORIGINPULL_INCLUDES=""
fi

# main non-ssl vhost at yourdomain.com.conf for Wordpress
cat > "/usr/local/nginx/conf/conf.d/$vhostname.conf"<<ENSS
# Centmin Mod Getting Started Guide
# must read https://centminmod.com/getstarted.html

# redirect from non-www to www 
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
#server {
#            listen   ${DEDI_IP}80;
#            server_name $vhostname;
#            return 301 \$scheme://www.${vhostname}\$request_uri;
#       }

server {
  $DEDI_LISTEN
  server_name $vhostname www.$vhostname;

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

  #add_header X-Frame-Options SAMEORIGIN;
  add_header X-Xss-Protection "1; mode=block" always;
  add_header X-Content-Type-Options "nosniff" always;
  #add_header Referrer-Policy "strict-origin-when-cross-origin";
  #add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()";

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/$vhostname/log/access.log $NGX_LOGFORMAT buffer=256k flush=5m;
  error_log /home/nginx/domains/$vhostname/log/error.log;

  include /usr/local/nginx/conf/autoprotect/$vhostname/autoprotect-$vhostname.conf;
  root /home/nginx/domains/$vhostname/public;
  # uncomment cloudflare.conf include if using cloudflare for
  # server and/or vhost site
  #include /usr/local/nginx/conf/cloudflare.conf;
  include /usr/local/nginx/conf/503include-main.conf;

  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpcacheenabler_${vhostname}.conf;
  include /usr/local/nginx/conf/wpincludes/${vhostname}/wpsupercache_${vhostname}.conf;
  # https://community.centminmod.com/posts/18828/
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/rediscache_${vhostname}.conf;  

  location /$wpsubdir_value {
  include /usr/local/nginx/conf/503include-only.conf;
  $SUBDIR_INCLUDE

  # Enables directory listings when index file not found
  #autoindex  on;

  # for wordpress super cache plugin
  try_files /wp-content/cache/supercache/\$http_host/\$cache_uri/index.html \$uri \$uri/ ${WPSUBDIR}/index.php?q=\$uri&\$args;

  # for wp cache enabler plugin
  #try_files \$cache_enabler_uri_webp \$cache_enabler_uri \$uri \$uri/ \$custom_subdir/index.php?\$args;

  # Wordpress Permalinks
  #try_files \$uri \$uri/ ${WPSUBDIR}/index.php?q=\$uri&\$args;  

  # Nginx level redis Wordpress
  # https://community.centminmod.com/posts/18828/
  #try_files \$uri \$uri/ ${WPSUBDIR}/index.php?\$args;

  }

location ~* ${WPSUBDIR}/(wp-login\.php) {
    limit_req zone=xwplogin burst=1 nodelay;
    #limit_conn xwpconlimit 30;
    auth_basic "Private";
    auth_basic_user_file /home/nginx/domains/$vhostname/htpasswd_wplogin;    
    include /usr/local/nginx/conf/php-wpsc.conf;
    # https://community.centminmod.com/posts/18828/
    #include /usr/local/nginx/conf/php-rediscache.conf;
}

location ~* ${WPSUBDIR}/(xmlrpc\.php) {
    limit_req zone=xwprpc burst=45 nodelay;
    #limit_conn xwpconlimit 30;
    include /usr/local/nginx/conf/php-wpsc.conf;
    # https://jetpack.com/support/hosting-faq/
    include /usr/local/nginx/conf/jetpack_whitelist_ip.conf;
    # https://community.centminmod.com/posts/18828/
    #include /usr/local/nginx/conf/php-rediscache.conf;
}

location ~* ${WPSUBDIR}/wp-admin/(load-scripts\.php) {
    limit_req zone=xwprpc burst=5 nodelay;
    #limit_conn xwpconlimit 30;
    include /usr/local/nginx/conf/php-wpsc.conf;
    # https://community.centminmod.com/posts/18828/
    #include /usr/local/nginx/conf/php-rediscache.conf;
}

location ~* ${WPSUBDIR}/wp-admin/(load-styles\.php) {
    limit_req zone=xwprpc burst=5 nodelay;
    #limit_conn xwpconlimit 30;
    include /usr/local/nginx/conf/php-wpsc.conf;
    # https://community.centminmod.com/posts/18828/
    #include /usr/local/nginx/conf/php-rediscache.conf;
}

  $NONSUBDIR_INCLUDE
  include /usr/local/nginx/conf/php-wpsc.conf;
  ${MULTIPHP_INCLUDES}
  # https://community.centminmod.com/posts/18828/
  #include /usr/local/nginx/conf/php-rediscache.conf;
  ${PRESTATIC_INCLUDES}
  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}
ENSS

# separate ssl vhost at yourdomain.com.ssl.conf
cat > "/usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf"<<ESS
# Centmin Mod Getting Started Guide
# must read https://centminmod.com/getstarted.html
# For HTTP/2 SSL Setup
# read https://centminmod.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www  forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
# server {
#   server_name ${vhostname} www.${vhostname};
#    return 302 https://\$server_name\$request_uri;
# }

server {
  listen ${DEDI_IP}443 $LISTENOPT;
  server_name $vhostname www.$vhostname;

  ssl_dhparam /usr/local/nginx/conf/ssl/${vhostname}/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}.key;
  include /usr/local/nginx/conf/ssl_include.conf;

  $CFAUTHORIGINPULL_INCLUDES
  $HTTPTWO_MAXFIELDSIZE
  $HTTPTWO_MAXHEADERSIZE
  $HTTPTWO_MAXREQUESTS
  # mozilla recommended
  ssl_ciphers ${TLSONETHREE_CIPHERS}ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:${CHACHACIPHERS}DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
  ssl_prefer_server_ciphers   on;
  $SPDY_HEADER

  # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header X-Frame-Options SAMEORIGIN;
  add_header X-Xss-Protection "1; mode=block" always;
  add_header X-Content-Type-Options "nosniff" always;
  #add_header Referrer-Policy "strict-origin-when-cross-origin";
  #add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()";
  $COMP_HEADER;
  ssl_buffer_size 1369;
  ssl_session_tickets on;
  
  # enable ocsp stapling
  #resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=10m;
  #resolver_timeout 10s;
  #ssl_stapling on;
  #ssl_stapling_verify on;
  #ssl_trusted_certificate /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}-trusted.crt;  

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/$vhostname/log/access.log $NGX_LOGFORMAT buffer=256k flush=5m;
  error_log /home/nginx/domains/$vhostname/log/error.log;

  include /usr/local/nginx/conf/autoprotect/$vhostname/autoprotect-$vhostname.conf;
  root /home/nginx/domains/$vhostname/public;
  # uncomment cloudflare.conf include if using cloudflare for
  # server and/or vhost site
  #include /usr/local/nginx/conf/cloudflare.conf;
  include /usr/local/nginx/conf/503include-main.conf;

  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpcacheenabler_${vhostname}.conf;
  include /usr/local/nginx/conf/wpincludes/${vhostname}/wpsupercache_${vhostname}.conf;
  # https://community.centminmod.com/posts/18828/
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/rediscache_${vhostname}.conf;  

  location /$wpsubdir_value {
  include /usr/local/nginx/conf/503include-only.conf;
  $SUBDIR_INCLUDE

  # Enables directory listings when index file not found
  #autoindex  on;

  # for wordpress super cache plugin
  try_files /wp-content/cache/supercache/\$http_host/\$cache_uri/index.html \$uri \$uri/ ${WPSUBDIR}/index.php?q=\$uri&\$args;

  # for wp cache enabler plugin
  #try_files \$cache_enabler_uri_webp \$cache_enabler_uri \$uri \$uri/ \$custom_subdir/index.php?\$args;  

  # Wordpress Permalinks
  #try_files \$uri \$uri/ ${WPSUBDIR}/index.php?q=\$uri&\$args; 

  # Nginx level redis Wordpress
  # https://community.centminmod.com/posts/18828/
  #try_files \$uri \$uri/ ${WPSUBDIR}/index.php?\$args;

  }

location ~* ${WPSUBDIR}/(wp-login\.php) {
    limit_req zone=xwplogin burst=1 nodelay;
    #limit_conn xwpconlimit 30;
    auth_basic "Private";
    auth_basic_user_file /home/nginx/domains/$vhostname/htpasswd_wplogin;    
    include /usr/local/nginx/conf/php-wpsc.conf;
    ${MULTIPHP_INCLUDES}
    # https://community.centminmod.com/posts/18828/
    #include /usr/local/nginx/conf/php-rediscache.conf;
}

location ~* ${WPSUBDIR}/(xmlrpc\.php) {
    limit_req zone=xwprpc burst=45 nodelay;
    #limit_conn xwpconlimit 30;
    include /usr/local/nginx/conf/php-wpsc.conf;
    # https://jetpack.com/support/hosting-faq/
    include /usr/local/nginx/conf/jetpack_whitelist_ip.conf;
    ${MULTIPHP_INCLUDES}
    # https://community.centminmod.com/posts/18828/
    #include /usr/local/nginx/conf/php-rediscache.conf;
}

location ~* ${WPSUBDIR}/wp-admin/(load-scripts\.php) {
    limit_req zone=xwprpc burst=5 nodelay;
    #limit_conn xwpconlimit 30;
    include /usr/local/nginx/conf/php-wpsc.conf;
    ${MULTIPHP_INCLUDES}
    # https://community.centminmod.com/posts/18828/
    #include /usr/local/nginx/conf/php-rediscache.conf;
}

location ~* ${WPSUBDIR}/wp-admin/(load-styles\.php) {
    limit_req zone=xwprpc burst=5 nodelay;
    #limit_conn xwpconlimit 30;
    include /usr/local/nginx/conf/php-wpsc.conf;
    ${MULTIPHP_INCLUDES}
    # https://community.centminmod.com/posts/18828/
    #include /usr/local/nginx/conf/php-rediscache.conf;
}

  $NONSUBDIR_INCLUDE
  include /usr/local/nginx/conf/php-wpsc.conf;
  ${MULTIPHP_INCLUDES}
  # https://community.centminmod.com/posts/18828/
  #include /usr/local/nginx/conf/php-rediscache.conf;
  ${PRESTATIC_INCLUDES}
  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}
ESS

else

cat > "/usr/local/nginx/conf/conf.d/$vhostname.conf"<<END
# Centmin Mod Getting Started Guide
# must read https://centminmod.com/getstarted.html

# redirect from non-www to www 
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
#server {
#            listen   ${DEDI_IP}80;
#            server_name $vhostname;
#            return 301 \$scheme://www.${vhostname}\$request_uri;
#       }

server {
  $DEDI_LISTEN
  server_name $vhostname www.$vhostname;

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

  #add_header X-Frame-Options SAMEORIGIN;
  add_header X-Xss-Protection "1; mode=block" always;
  add_header X-Content-Type-Options "nosniff" always;
  #add_header Referrer-Policy "strict-origin-when-cross-origin";
  #add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()";

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/$vhostname/log/access.log $NGX_LOGFORMAT buffer=256k flush=5m;
  error_log /home/nginx/domains/$vhostname/log/error.log;

  include /usr/local/nginx/conf/autoprotect/$vhostname/autoprotect-$vhostname.conf;
  root /home/nginx/domains/$vhostname/public;
  # uncomment cloudflare.conf include if using cloudflare for
  # server and/or vhost site
  #include /usr/local/nginx/conf/cloudflare.conf;
  include /usr/local/nginx/conf/503include-main.conf;

  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpcacheenabler_${vhostname}.conf;
  include /usr/local/nginx/conf/wpincludes/${vhostname}/wpsupercache_${vhostname}.conf;
  # https://community.centminmod.com/posts/18828/
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/rediscache_${vhostname}.conf;  

  location /$wpsubdir_value {
  include /usr/local/nginx/conf/503include-only.conf;
  $SUBDIR_INCLUDE

  # Enables directory listings when index file not found
  #autoindex  on;

  # for wordpress super cache plugin
  try_files /wp-content/cache/supercache/\$http_host/\$cache_uri/index.html \$uri \$uri/ ${WPSUBDIR}/index.php?q=\$uri&\$args;

  # for wp cache enabler plugin
  #try_files \$cache_enabler_uri_webp \$cache_enabler_uri \$uri \$uri/ \$custom_subdir/index.php?\$args;   

  # Wordpress Permalinks
  #try_files \$uri \$uri/ ${WPSUBDIR}/index.php?q=\$uri&\$args; 

  # Nginx level redis Wordpress
  # https://community.centminmod.com/posts/18828/
  #try_files \$uri \$uri/ ${WPSUBDIR}/index.php?\$args;

  }

location ~* ${WPSUBDIR}/(wp-login\.php) {
    limit_req zone=xwplogin burst=1 nodelay;
    #limit_conn xwpconlimit 30;
    auth_basic "Private";
    auth_basic_user_file /home/nginx/domains/$vhostname/htpasswd_wplogin;  
    include /usr/local/nginx/conf/php-wpsc.conf;
    ${MULTIPHP_INCLUDES}
    # https://community.centminmod.com/posts/18828/
    #include /usr/local/nginx/conf/php-rediscache.conf;
}

location ~* ${WPSUBDIR}/(xmlrpc\.php) {
    limit_req zone=xwprpc burst=45 nodelay;
    #limit_conn xwpconlimit 30;
    include /usr/local/nginx/conf/php-wpsc.conf;
    # https://jetpack.com/support/hosting-faq/
    include /usr/local/nginx/conf/jetpack_whitelist_ip.conf;
    ${MULTIPHP_INCLUDES}
    # https://community.centminmod.com/posts/18828/
    #include /usr/local/nginx/conf/php-rediscache.conf;
}

location ~* ${WPSUBDIR}/wp-admin/(load-scripts\.php) {
    limit_req zone=xwprpc burst=5 nodelay;
    #limit_conn xwpconlimit 30;
    include /usr/local/nginx/conf/php-wpsc.conf;
    ${MULTIPHP_INCLUDES}
    # https://community.centminmod.com/posts/18828/
    #include /usr/local/nginx/conf/php-rediscache.conf;
}

location ~* ${WPSUBDIR}/wp-admin/(load-styles\.php) {
    limit_req zone=xwprpc burst=5 nodelay;
    #limit_conn xwpconlimit 30;
    include /usr/local/nginx/conf/php-wpsc.conf;
    ${MULTIPHP_INCLUDES}
    # https://community.centminmod.com/posts/18828/
    #include /usr/local/nginx/conf/php-rediscache.conf;
}

  $NONSUBDIR_INCLUDE
  include /usr/local/nginx/conf/php-wpsc.conf;
  ${MULTIPHP_INCLUDES}
  # https://community.centminmod.com/posts/18828/
  #include /usr/local/nginx/conf/php-rediscache.conf;
  ${PRESTATIC_INCLUDES}
  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}
END

fi

touch "/usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf"

cat > "/usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf" <<EEF
# prevent .zip, .gz, .tar, .bzip2 files from being accessed by default
# impossible for centmin mod to know which wp backup plugins they installed
# which may save backups to directories in wp-content/
# such plugins may deploy .htaccess protection but that isn't supported in
# nginx, so blocking access to these extensions is a workaround to cover all bases

# prepare for letsencrypt 
# https://community.centminmod.com/posts/17774/
location ~ /.well-known {
  location ~ /.well-known/acme-challenge/(.*) {
    more_set_headers    "Content-Type: text/plain";
    }
}

location ~* ${WPSUBDIR}/wp-content/cache/autoptimize/.*\.(js|css)\$ {
  include /usr/local/nginx/conf/php.conf;
  add_header AO-Fallback 1;
  try_files \$uri \$uri/ ${WPSUBDIR}/wp-content/autoptimize_404_handler.php;
  expires 30d;
}

# allow AJAX requests in themes and plugins
location ~ ^${WPSUBDIR}/wp-admin/admin-ajax.php$ { allow all; include /usr/local/nginx/conf/php.conf; }

location ~* ^${WPSUBDIR}/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z)\$ { deny all; }

location ~ ^${WPSUBDIR}/wp-content/uploads/sucuri { deny all; }

location ~ ^${WPSUBDIR}/wp-content/updraft { deny all; }

# Block nginx-help log from public viewing
location ~* ${WPSUBDIR}/wp-content/uploads/nginx-helper/ { deny all; }

# WebP extension support if you are converting /uploads images to webp
location ~ ^${WPSUBDIR}/wp-content/uploads/ {
  #pagespeed off;
  #pagespeed unplugged;
  #autoindex on;
  #add_header X-Robots-Tag "noindex, nofollow";
  location ~* ^${WPSUBDIR}/wp-content/uploads/(.+/)?(.+)\.(png|jpe?g)\$ {
    expires 30d;
    #add_header Vary "Accept";
    add_header Cache-Control "public";
    try_files \$uri\$webp_extension \$uri =404;
  }
}

# Whitelist Exception for seo-by-rank-math
location ~ ^${WPSUBDIR}/wp-content/plugins/seo-by-rank-math/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for amp
location ~ ^${WPSUBDIR}/wp-content/plugins/amp/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for async-javascript
location ~ ^${WPSUBDIR}/wp-content/plugins/async-javascript/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for autoptimize
location ~ ^${WPSUBDIR}/wp-content/plugins/autoptimize/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for autoptimize-gzip
location ~ ^${WPSUBDIR}/wp-content/plugins/autoptimize-gzip/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Security for wp-cloudflare-page-cache debug.log which is exposed to public access
# /wp-content/wp-cloudflare-super-page-cache/yourdomain.com/debug.log
location ~ ^${WPSUBDIR}/wp-content/wp-cloudflare-super-page-cache/${vhostname}/(debug.log)\$ {
  deny all;
}

# Whitelist Exception for wp-cloudflare-page-cache
location ~ ^${WPSUBDIR}/wp-content/plugins/wp-cloudflare-page-cache/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for cloudflare
location ~ ^${WPSUBDIR}/wp-content/plugins/cloudflare/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for post-grid
location ~ ^${WPSUBDIR}/wp-content/plugins/post-grid/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for breadcrumb-navxt
location ~ ^${WPSUBDIR}/wp-content/plugins/breadcrumb-navxt/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

location ~ ^${WPSUBDIR}/(wp-includes/js/tinymce/wp-tinymce.php) {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/onesignal-free-web-push-notifications//
location ~ ^${WPSUBDIR}/wp-content/plugins/onesignal-free-web-push-notifications/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/sparkpost/
location ~ ^${WPSUBDIR}/wp-content/plugins/sparkpost/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/sendgrid-email-delivery-simplified/
location ~ ^${WPSUBDIR}/wp-content/plugins/sendgrid-email-delivery-simplified/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/mailgun/
location ~ ^${WPSUBDIR}/wp-content/plugins/mailgun/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/mailjet-for-wordpress/
location ~ ^${WPSUBDIR}/wp-content/plugins/mailjet-for-wordpress/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/easy-wp-smtp/
location ~ ^${WPSUBDIR}/wp-content/plugins/easy-wp-smtp/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/postman-smtp/
location ~ ^${WPSUBDIR}/wp-content/plugins/postman-smtp/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/sendpress/
location ~ ^${WPSUBDIR}/wp-content/plugins/sendpress/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/wp-mail-bank/
location ~ ^${WPSUBDIR}/wp-content/plugins/wp-mail-bank/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/theme-check/
location ~ ^${WPSUBDIR}/wp-content/plugins/theme-check/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/woocommerce/
location ~ ^${WPSUBDIR}/wp-content/plugins/woocommerce/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/woocommerce-csvimport/
location ~ ^${WPSUBDIR}/wp-content/plugins/woocommerce-csvimport/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/advanced-custom-fields/
location ~ ^${WPSUBDIR}/wp-content/plugins/advanced-custom-fields/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/contact-form-7/
location ~ ^${WPSUBDIR}/wp-content/plugins/contact-form-7/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/duplicator/
location ~ ^${WPSUBDIR}/wp-content/plugins/duplicator/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/jetpack/
location ~ ^${WPSUBDIR}/wp-content/plugins/jetpack/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/nextgen-gallery/
location ~ ^${WPSUBDIR}/wp-content/plugins/nextgen-gallery/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/tinymce-advanced/
location ~ ^${WPSUBDIR}/wp-content/plugins/tinymce-advanced/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/updraftplus/
location ~ ^${WPSUBDIR}/wp-content/plugins/updraftplus/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/wordpress-importer/
location ~ ^${WPSUBDIR}/wp-content/plugins/wordpress-importer/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/wordpress-seo/
location ~ ^${WPSUBDIR}/wp-content/plugins/wordpress-seo/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/wpclef/
location ~ ^${WPSUBDIR}/wp-content/plugins/wpclef/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/mailchimp-for-wp/
location ~ ^${WPSUBDIR}/wp-content/plugins/mailchimp-for-wp/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/wp-optimize/
location ~ ^${WPSUBDIR}/wp-content/plugins/wp-optimize/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/si-contact-form/
location ~ ^${WPSUBDIR}/wp-content/plugins/si-contact-form/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/akismet/
location ~ ^${WPSUBDIR}/wp-content/plugins/akismet/ {
  location ~ ^${WPSUBDIR}/wp-content/plugins/akismet/(.+/)?(form|akismet)\.(css|js)\$ { allow all; expires 30d;}
  location ~ ^${WPSUBDIR}/wp-content/plugins/akismet/(.+/)?(.+)\.(png|gif)\$ { allow all; expires 30d;}
  location ~* ${WPSUBDIR}/wp-content/plugins/akismet/akismet/.*\.php\$ {
    include /usr/local/nginx/conf/php.conf;
    include /usr/local/nginx/conf/staticfiles.conf;
    # below include file needs to be manually created at that path and to be uncommented
    # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
    # allows you to add commonly shared settings to all wp plugin location matches which
    # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
    #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
    allow 127.0.0.1;
    deny all;
  }
}

# Whitelist Exception for https://wordpress.org/plugins/bbpress/
location ~ ^${WPSUBDIR}/wp-content/plugins/bbpress/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/buddypress/
location ~ ^${WPSUBDIR}/wp-content/plugins/buddypress/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/all-in-one-seo-pack/
location ~ ^${WPSUBDIR}/wp-content/plugins/all-in-one-seo-pack/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/google-analytics-for-wordpress/
location ~ ^${WPSUBDIR}/wp-content/plugins/google-analytics-for-wordpress/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/regenerate-thumbnails/
location ~ ^${WPSUBDIR}/wp-content/plugins/regenerate-thumbnails/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/wp-pagenavi/
location ~ ^${WPSUBDIR}/wp-content/plugins/wp-pagenavi/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/wordfence/
location ~ ^${WPSUBDIR}/wp-content/plugins/wordfence/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/really-simple-captcha/
location ~ ^${WPSUBDIR}/wp-content/plugins/really-simple-captcha/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/wp-pagenavi/
location ~ ^${WPSUBDIR}/wp-content/plugins/wp-pagenavi/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/ml-slider/
location ~ ^${WPSUBDIR}/wp-content/plugins/ml-slider/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/black-studio-tinymce-widget/
location ~ ^${WPSUBDIR}/wp-content/plugins/black-studio-tinymce-widget/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/disable-comments/
location ~ ^${WPSUBDIR}/wp-content/plugins/disable-comments/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for https://wordpress.org/plugins/better-wp-security/
location ~ ^${WPSUBDIR}/wp-content/plugins/better-wp-security/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for http://wlmsocial.com/
location ~ ^${WPSUBDIR}/wp-content/plugins/wlm-social/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for mediagrid timthumb
location ~ ^${WPSUBDIR}/wp-content/plugins/media-grid/classes/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for webp-express
location ~ ^${WPSUBDIR}/wp-content/plugins/webp-express/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Whitelist Exception for wp-shortcode  
location ~ ^${WPSUBDIR}/wp-content/plugins/wp-shortcode/ {
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  # below include file needs to be manually created at that path and to be uncommented
  # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
  # allows you to add commonly shared settings to all wp plugin location matches which
  # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
}

# Block PHP files in content directory.
location ~* ${WPSUBDIR}/wp-content/.*\.php\$ {
  deny all;
}

# Block PHP files in includes directory.
location ~* ${WPSUBDIR}/wp-includes/.*\.php\$ {
  deny all;
}

# Block PHP files in uploads, content, and includes directory.
location ~* ${WPSUBDIR}/(?:uploads|files|wp-content|wp-includes)/.*\.php\$ {
  deny all;
}

# Make sure files with the following extensions do not get loaded by nginx because nginx would display the source code, and these files can contain PASSWORDS!
location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)\$|^(\..*|Entries.*|Repository|Root|Tag|Template)\$|\.php_
{
return 444;
}

location ~* \.(tpl)\$
{
  deny all; 
}

#nocgi
location ~* \.(pl|cgi|py|sh|lua)\$ {
return 444;
}

#disallow
location ~* (w00tw00t) {
return 444;
}

location ~* ${WPSUBDIR}/(\.|wp-config\.php|wp-config\.txt|changelog\.txt|readme\.txt|readme\.html|license\.txt) { deny all; }

location ${WPSUBDIR}/wp-content/uploads/wp-personal-data-exports/ {
  location ~ ^${WPSUBDIR}/wp-content/uploads/wp-personal-data-exports/(.+/)?(.+)\.(zip)\$ { allow all; expires 30d; }
}

location ~* ${WPSUBDIR}/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z|txt)\$ { deny all; }
EEF

# WP super cache
cat > "/usr/local/nginx/conf/wpincludes/${vhostname}/wpsupercache_${vhostname}.conf" <<EFF
set \$cache_uri \$request_uri;

if (\$request_method = POST) { set \$cache_uri 'null cache'; }

if (\$query_string != "") { set \$cache_uri 'null cache'; }

if (\$request_uri ~* "/(\?add-to-cart=|\?wc-ajax=|\?wc-api=|cart/|my-account/|checkout/|shop/checkout/|store/checkout/|wp-json/|customer-dashboard/|addons/|wp-admin/.*|xmlrpc\.php|wp-.*\.php|index\.php|feed/|sitemap(_index)?\.xml|[a-z0-9_-]+-sitemap([0-9]+)?\.xml)") { set \$cache_uri 'null cache'; }

# bypass cache for woocommerce
if ( \$arg_add-to-cart != "" ) { set \$cache_uri 'null cache'; }
if ( \$arg_wc-api != "" ) { set \$cache_uri 'null cache'; }

## bypass cache for empty woocommerce carts
#if ( \$cookie_woocommerce_items_in_cart != "0" ) { set \$cache_uri 'null cache'; }

if (\$http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_logged_in|wc-api|edd_items_in_cart|woocommerce_items_in_cart|woocommerce_cart_hash|woocommerce_recently_viewed|wc_session_cookie_HASH|wp_woocommerce_session_|wptouch_switch_toggle") { set \$cache_uri 'null cache'; }
EFF

# for nginx level redis cache
cat > "/usr/local/nginx/conf/wpincludes/${vhostname}/rediscache_${vhostname}.conf" <<XFF
# Block nginx-help log from public viewing
location ~* ${WPSUBDIR}/wp-content/uploads/nginx-helper/ { deny all; }

set \$skip_cache 0;

# exclude mobile devices from redis caching
if (\$redis_device = mobile) { set \$skip_cache 1; }

# POST requests and urls with a query string should always go to PHP
if (\$request_method = POST) {
  set \$skip_cache 1;
}

if (\$query_string != "") {
  set \$skip_cache 1;
}

# Don't cache uris containing the following segments
if (\$request_uri ~* "\?add-to-cart=|\?wc-ajax=|\?wc-api=|/cart/|/my-account/|/checkout/|/shop/checkout/|/wp-json/|/store/checkout/|/customer-dashboard/|/addons/|/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") {
  set \$skip_cache 1;
}

# Don't use the cache for logged in users or recent commenters
if (\$http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|wc-api|edd_items_in_cart|woocommerce_items_in_cart|woocommerce_cart_hash|woocommerce_recently_viewed|wc_session_cookie_HASH|wp_woocommerce_session_|wptouch_switch_toggle") {
  set \$skip_cache 1;
}

# bypass cache for woocommerce
if (\$arg_add-to-cart != "") { set \$skip_cache 1; }
if (\$arg_wc-api != "") { set \$skip_cache 1; }

## bypass cache for empty woocommerce carts
#if (\$cookie_woocommerce_items_in_cart != "0") { 
#  set \$skip_cache 1;
#}

location /redis-fetch {
  internal  ;
  set  \$redis_key \$args;
  redis_pass  redisbackend;
  redis_connect_timeout 60000;
  redis_read_timeout 60000;
  redis_send_timeout 60000;
}

location /redis-store {
  internal  ;
  set_unescape_uri \$key \$arg_key ;
  redis2_query set \$key \$echo_request_body;
  redis2_query expire \$key 6h;
  redis2_pass  redisbackend;
  redis2_connect_timeout 60s;
  redis2_read_timeout 60s;
  redis2_send_timeout 60s;
}

location /redis-store-shortttl {
  internal  ;
  set_unescape_uri \$key \$arg_key ;
  redis2_query set \$key \$echo_request_body;
  redis2_query expire \$key 3600;
  redis2_pass  redisbackend;
  redis2_connect_timeout 60s;
  redis2_read_timeout 60s;
  redis2_send_timeout 60s;
}
XFF

cat > "/usr/local/nginx/conf/redisupstream.conf" <<GGG
map \$http_user_agent \$redis_device {
    default                                     'desktop';
    ~*(iPad|iPhone|Android|IEMobile|Blackberry) 'mobile';
    "~*Firefox.*Mobile"                         'mobile';
    "~*ipod.*mobile"                            'mobile';
    "~*Opera\ Mini"                             'mobile';
    "~*Opera\ Mobile"                           'mobile';
    "~*Mobile"                                  'mobile';
    "~*Tablet"                                  'mobile';
    "~*Kindle"                                  'mobile';
    "~*Windows\ Phone"                          'mobile';
}

upstream redisbackend {
  zone upstream_redis 64k;
  server 127.0.0.1:6379 weight=1 max_fails=3 fail_timeout=30s;
  #server 127.0.0.1:6380 weight=1 max_fails=3 fail_timeout=30s;
  #server 127.0.0.1:6381 weight=1 max_fails=3 fail_timeout=30s;
  #server 127.0.0.1:6382 weight=1 max_fails=3 fail_timeout=30s;
  #server 127.0.0.1:6383 weight=1 max_fails=3 fail_timeout=30s;
  #server 127.0.0.1:6384 weight=1 max_fails=3 fail_timeout=30s;

  #server 127.0.0.1:6380 backup;
  keepalive 4096;
}
GGG

REDISUPSTREAM_INCLUDECHECK=$(grep '\/usr\/local\/nginx\/conf\/redisupstream.conf' /usr/local/nginx/conf/nginx.conf)
  if [[ -z "$REDISUPSTREAM_INCLUDECHECK" ]]; then
    echo
    echo "include file /usr/local/nginx/conf/redisupstream.conf add to nginx.conf"
      sed -i 's|\/usr\/local\/nginx\/conf\/fastcgi_param_https_map.conf;|\/usr\/local\/nginx\/conf\/fastcgi_param_https_map.conf;\ninclude \/usr\/local\/nginx\/conf\/redisupstream.conf;|g' /usr/local/nginx/conf/nginx.conf
  fi

########### WP Super Cache Start ##############################
# only proceed in creating vhost if VHOSTNAME directory exist
if [[ -d "/home/nginx/domains/${vhostname}/public" ]]; then

  cecho "------------------------------------------------------------" $boldgreen
  if [[ "$wpscache" = [nN] ]]; then
    cacheenabler=y
    cecho "Setup Wordpress + Cache Enabler for $vhostname" $boldyellow
  elif [[ "$wpscache" = [yY] ]]; then
    cecho "Setup Wordpress + Super Cache for $vhostname" $boldyellow
  elif [[ "$wpscache" = 'redis' ]]; then
    cecho "Setup Wordpress + Redis Nginx Level Cache for $vhostname" $boldyellow
    installredisserver
  fi
  cecho "------------------------------------------------------------" $boldgreen

  if [[ "$wpscache" = [nN] || "$wpscache" = 'redis' ]]; then
    echo
    echo "Using full static page caching may cause problems for mobile & tablet device"
    echo "visitors depending on your WP themes used so you may want to exclude those"
    echo
    read -ep "Do you want to exclude mobile/tablet devices from full page caching ? [y/n]: " exclude_mobilecache
    if [[ "$exclude_mobilecache" = [nN] ]]; then
      if [ -f "/usr/local/nginx/conf/wpincludes/${vhostname}/wpcacheenabler_${vhostname}.conf" ]; then
        sed -i "s|^    if (\$cmwpcache_device = mobile) { set \$cache_uri 'nullcache'; }|#    if (\$cmwpcache_device = mobile) { set \$cache_uri 'nullcache'; }|" "/usr/local/nginx/conf/wpincludes/${vhostname}/wpcacheenabler_${vhostname}.conf"
      fi
      if [ -f "/usr/local/nginx/conf/wpincludes/${vhostname}/rediscache_${vhostname}.conf" ]; then
        sed -i "s|^if (\$redis_device = mobile) { set \$skip_cache 1; }|#if (\$redis_device = mobile) { set \$skip_cache 1; }|" "/usr/local/nginx/conf/wpincludes/${vhostname}/rediscache_${vhostname}.conf"
      fi
    fi
  fi

cd /home/nginx/domains/${vhostname}/public${WPSUBDIR}
 
\wp core download --allow-root
 
\wp core config --dbname=$DB --dbuser=$DBUSER --dbpass=$DBPASS --allow-root
 
NEWPREFIX=$(echo $RANDOM)
sed -i "s/'wp_';/'${NEWPREFIX}_';/g" wp-config.php

sed -i "/define( 'DB_COLLATE', '' );/ a\
/** Enable core updates for minor releases (default) **/\ndefine('DISABLE_WP_CRON', false);\ndefine('WP_AUTO_UPDATE_CORE', 'minor' );\ndefine('WP_POST_REVISIONS', 10 );\ndefine('EMPTY_TRASH_DAYS', 10 );\ndefine('WP_CRON_LOCK_TIMEOUT', 60 );\ndefine('CONCATENATE_SCRIPTS', false);\
" wp-config.php

if [[ -z "$(crontab -l 2>&1 | grep '\/${vhostname}/wp-cron.php')" ]]; then
    # generate random number of seconds to delay cron start
    # making sure they do not run at very same time during cron scheduling
    DELAY=$(echo ${RANDOM:0:3})
    crontab -l > cronjoblist
    mkdir -p /home/nginx/domains/${vhostname}/cronjobs
    cp cronjoblist /home/nginx/domains/${vhostname}/cronjobs/cronjoblist-before-wp-cron.txt
    # only insert cronjob if one doesn't already exist
    if [[ -z $(grep "${vhostname}\/wp-cron.php" cronjoblist) ]]; then
      if [[ "$wpcli_ssldefault" = '1' ]]; then
        echo "#*/15 * * * * sleep ${DELAY}s > /dev/null 2>&1; curl -skD - -H \"Cookie: wordpress_logged_in\" \"https://${vhostname}/wp-cron.php?doing_wp_cron\" -o /dev/null 2>&1" >> cronjoblist
      else
        echo "#*/15 * * * * sleep ${DELAY}s > /dev/null 2>&1; curl -skD - -H \"Cookie: wordpress_logged_in\" \"http://${vhostname}/wp-cron.php?doing_wp_cron\" -o /dev/null 2>&1" >> cronjoblist
      fi
    fi
    cp cronjoblist /home/nginx/domains/${vhostname}/cronjobs/cronjoblist-after-wp-cron.txt
    crontab cronjoblist
    rm -rf cronjoblist
    crontab -l
fi

\wp core install --url=http://${vhostname}${WPSUBDIR} --title=${vhostname} --admin_email=${WPADMINEMAIL} --admin_password=${WPADMINPASS} --admin_name=${WPADMINUSER} --allow-root

# change admin userid from 1 to a random 6 digit number
# WP_PREFIX=$(wp eval 'echo $GLOBALS["table_prefix"];')
WUID=$(echo $RANDOM$RANDOM |cut -c1-6)
# \wp db query "UPDATE ${WP_PREFIX}wp_users SET ID=${WUID} WHERE ID=1; UPDATE ${WP_PREFIX}wp_usermeta SET user_id=${WUID} WHERE user_id=1" --allow-root
\wp db query "UPDATE ${NEWPREFIX}_users SET ID=${WUID} WHERE ID=1; UPDATE ${NEWPREFIX}_usermeta SET user_id=${WUID} WHERE user_id=1" --allow-root

if [[ "$setdisplayname" = [yY] ]]; then
  \wp user update ${WUID} --display_name=${WPADMIN_DISPLAYNAME} --allow-root
fi

# add index on autoload
\wp db query "ALTER TABLE ${NEWPREFIX}_options ADD INDEX autoload_idx (autoload)" --allow-root

# change permalinks out of the box
\wp rewrite structure '/%post_id%/%postname%/' --allow-root

if [[ "$WPCLI_SUPERCACHEPLUGIN" = [yY] && ! -f /root/.wp-cli/commands/super-cache/cli.php ]]; then
  # https://github.com/wp-cli/wp-super-cache-cli.git
  mkdir -p /root/.wp-cli/commands
  time git clone https://github.com/wp-cli/wp-super-cache-cli.git /root/.wp-cli/commands/super-cache
  echo "require:" > /root/.wp-cli/config.yml
  echo "  - commands/super-cache/cli.php" >> /root/.wp-cli/config.yml
elif [ -f /root/.wp-cli/commands/super-cache/cli.php ]; then
  cd /root/.wp-cli/commands/super-cache
  git stash
  git pull
  cd /home/nginx/domains/${vhostname}/public${WPSUBDIR}
fi

if [[ "$responsivetheme" = [yY] ]]; then
  cecho "------------------------------------------------------------" $boldgreen
  \wp theme install responsive --activate --allow-root
  cecho "------------------------------------------------------------" $boldgreen
fi
 
chown nginx:nginx /home/nginx/domains/${vhostname}/public
chown -R nginx:nginx /home/nginx/domains/${vhostname}/public

cd /home/nginx/domains/${vhostname}/public${WPSUBDIR}

chmod 0770 wp-content
chmod 0400 readme.html
rm -rf readme.html

# installed + activated by default

# install google native lazy load plugin
if [[ "$wp_google_lazyload" = [yY] ]]; then
  cecho "------------------------------------------------------------" $boldgreen
  \wp plugin install native-lazyload --activate --allow-root
  cecho "------------------------------------------------------------" $boldgreen
fi

# install classic editor plugin instead of gutenberg
if [[ "$wpclassic_editor" = [yY] ]]; then
  cecho "------------------------------------------------------------" $boldgreen
  \wp plugin install classic-editor --activate --allow-root
  cecho "------------------------------------------------------------" $boldgreen
fi

# wp super cache
if [[ "$wpscache" = [yY] ]]; then
  cecho "------------------------------------------------------------" $boldgreen
  \wp plugin install wp-super-cache --activate --allow-root
  cecho "------------------------------------------------------------" $boldgreen
  \wp plugin install wp-super-cache-clear-cache-menu --activate --allow-root
  cecho "------------------------------------------------------------" $boldgreen
fi

# wp cache enabler
if [[ "$wpscache" = [nN] ]]; then
  cecho "------------------------------------------------------------" $boldgreen
  if [[ "$CACHE_ENABLER_LEGACY_CACHE" = [yY] ]]; then
    \wp plugin install cache-enabler --version=1.4.9 --force --activate --allow-root
    \wp plugin install block-specific-plugin-updates --activate --allow-root
    if [ "$(\wp option get bpu_update_blocked_plugins --allow-root >/dev/null 2>&1; echo $?)" -ne '0' ]; then
      \wp option update bpu_update_blocked_plugins cache-enabler/cache-enabler.php --allow-root;
    else
      \wp option add bpu_update_blocked_plugins cache-enabler/cache-enabler.php --allow-root;
    fi
  else
    \wp plugin install cache-enabler --activate --allow-root
  fi
  chown nginx:nginx  wp-content/advanced-cache.php
  chown -R nginx:nginx wp-content/plugins/cache-enabler
  cecho "------------------------------------------------------------" $boldgreen 
  # \wp plugin install optimus --activate --allow-root

  # get cache enabler version
  get_ce_version=$(wp plugin get cache-enabler --format=json --allow-root | jq -r '.version' | sed -e 's|\.|00|g')
  if [[ "$get_ce_version" -le '1004009' ]]; then
    echo "configure cache-enabler 1.4.9"
    \wp option update cache-enabler '{"expires":6,"clear_on_upgrade":1,"new_post":1,"new_comment":1,"update_product_stock":0,"webp":0,"compress":1,"excl_ids":"","excl_paths":"","excl_cookies":"","incl_parameters":"","minify_html":0}' --format=json --allow-root
  else
    echo "configure cache-enabler 1.5.1+ or higher"
    \wp option patch update cache_enabler cache_expiry_time '7' --allow-root
    \wp option patch update cache_enabler clear_complete_cache_on_saved_post '1' --allow-root
    \wp option patch update cache_enabler clear_complete_cache_on_new_comment '1' --allow-root
    \wp option patch update cache_enabler clear_complete_cache_on_changed_plugin '1' --allow-root
    \wp option patch update cache_enabler compress_cache '1' --allow-root
  fi
  if [[ "$WPCLI_CE_QUERYSTRING_INCLUDED" = [yY] ]]; then
    if [[ "$get_ce_version" -le '1004009' ]]; then
      \wp option patch update cache-enabler incl_parameters '/^fbclid|epik|klaviyo|ref|mc_(cid|eid)|utm_(source|medium|campaign|term|content|expid)|gclid|fb_(action_ids|action_types|source)|age-verified|ao_noptimize|usqp|cn-reloaded|_ga|_ke$/' --allow-root
      \wp option pluck cache-enabler incl_parameters --format=json --allow-root
    else
      \wp option patch update cache_enabler excluded_query_strings '/^s=.+$/' --allow-root
      \wp option pluck cache_enabler excluded_query_strings --format=json --allow-root
    fi
  fi
  if [ -f /usr/bin/jq ]; then
    if [[ "$get_ce_version" -le '1004009' ]]; then
      \wp option get cache-enabler --format=json --allow-root | jq
    else
      \wp option get cache_enabler --format=json --allow-root | jq
    fi
  else
    if [[ "$get_ce_version" -le '1004009' ]]; then
      \wp option get cache-enabler --format=json --allow-root
    else
      \wp option get cache_enabler --format=json --allow-root
    fi
  fi
  # add define('WP_CACHE', true); to wp-config.php
  if [ ! "$(grep -w 'WP_CACHE' wp-config.php)" ]; then
  sed -i "/define( 'DB_HOST', 'localhost' );/ a\
define('WP_CACHE', true);\
" wp-config.php
  fi
  cecho "------------------------------------------------------------" $boldgreen
  \wp plugin install autoptimize --activate --allow-root
  # echo "configure autoptimize"
  # \wp option update autoptimize_cache_clean 0 --allow-root
  # \wp option update autoptimize_cdn_url "" --allow-root
  # \wp option update autoptimize_css on --allow-root
  # \wp option update autoptimize_css_aggregate on --allow-root
  # \wp option update autoptimize_css_datauris "" --allow-root
  # \wp option update autoptimize_css_defer "" --allow-root
  # \wp option update autoptimize_css_defer_inline "" --allow-root
  # \wp option update autoptimize_css_exclude "wp-content/cache/, wp-content/uploads/, admin-bar.min.css, dashicons.min.css" --allow-root
  # \wp option update autoptimize_css_include_inline  on --allow-root
  # \wp option update autoptimize_css_inline "" --allow-root
  # \wp option update autoptimize_css_justhead "" --allow-root
  # \wp option update autoptimize_html on --allow-root
  # \wp option update autoptimize_html_keepcomments on --allow-root
  # \wp option update autoptimize_imgopt_launched     on --allow-root
  # \wp option update autoptimize_js on --allow-root
  # \wp option update autoptimize_js_aggregate on --allow-root
  # \wp option update autoptimize_js_exclude  "seal.js, js/jquery/jquery.js" --allow-root
  # \wp option update autoptimize_js_forcehead "" --allow-root
  # \wp option update autoptimize_js_include_inline "" --allow-root
  # \wp option update autoptimize_js_justhead "" --allow-root
  # \wp option update autoptimize_js_trycatch "" --allow-root
  # \wp option update autoptimize_optimize_checkout "" --allow-root
  # \wp option update autoptimize_optimize_logged ""  --allow-root
  # # \wp option update autoptimize_optimize_logged on --allow-root
  # \wp option update autoptimize_show_adv 1 --allow-root
  \wp option list --search=autoptimize_* --allow-root
  if [[ "$WP_AUTOPTIMIZE_GZIP" = [yY] ]]; then
    # https://community.centminmod.com/threads/15314/
    # https://github.com/centminmod/autoptimize-gzip
    echo
    echo "configure autoptimize-gzip https://community.centminmod.com/threads/15314/"
    mkdir -p "/home/nginx/domains/${vhostname}/public${WPSUBDIR}/wp-content/plugins/autoptimize-gzip"
    wget${ipv_forceopt_wget} -cnv -O "/home/nginx/domains/${vhostname}/public${WPSUBDIR}/wp-content/plugins/autoptimize-gzip/autoptimize-gzip.php" https://github.com/centminmod/autoptimize-gzip/raw/master/autoptimize-gzip.php
    wget${ipv_forceopt_wget} -cnv -O "/home/nginx/domains/${vhostname}/public${WPSUBDIR}/wp-content/plugins/autoptimize-gzip/index.html" https://github.com/centminmod/autoptimize-gzip/raw/master/index.html
    wget${ipv_forceopt_wget} -cnv -O "/home/nginx/domains/${vhostname}/public${WPSUBDIR}/wp-content/plugins/autoptimize-gzip/readme.md" https://github.com/centminmod/autoptimize-gzip/blob/master/readme.md
    wget${ipv_forceopt_wget} -cnv -O "/home/nginx/domains/${vhostname}/public${WPSUBDIR}/wp-content/plugins/autoptimize-gzip/LICENSE" https://github.com/centminmod/autoptimize-gzip/raw/master/LICENSE
    chown -R nginx:nginx "/home/nginx/domains/${vhostname}/public${WPSUBDIR}/wp-content/plugins/autoptimize-gzip"
    \wp plugin activate autoptimize-gzip --allow-root
    \wp plugin status autoptimize-gzip --allow-root
  fi
  cecho "------------------------------------------------------------" $boldgreen
fi

# redis nginx cache
if [[ "$wpscache" = 'redis' ]]; then
  cecho "------------------------------------------------------------" $boldgreen
  \wp plugin install nginx-helper --activate --allow-root
  cecho "------------------------------------------------------------" $boldgreen
  touch "/home/nginx/domains/${vhostname}/public/wp-content/uploads/nginx-helper/nginx.log"
  chmod 0660 "/home/nginx/domains/${vhostname}/public/wp-content/uploads/nginx-helper/nginx.log"
  chown nginx:nginx "/home/nginx/domains/${vhostname}/public/wp-content/uploads/nginx-helper/nginx.log"
  cecho "------------------------------------------------------------" $boldgreen
  \wp plugin install autoptimize --activate --allow-root
  \wp option list --search=autoptimize_* --allow-root
  if [[ "$WP_AUTOPTIMIZE_GZIP" = [yY] ]]; then
    # https://community.centminmod.com/threads/15314/
    # https://github.com/centminmod/autoptimize-gzip
    echo
    echo "configure autoptimize-gzip https://community.centminmod.com/threads/15314/"
    mkdir -p "/home/nginx/domains/${vhostname}/public${WPSUBDIR}/wp-content/plugins/autoptimize-gzip"
    wget${ipv_forceopt_wget} -cnv -O "/home/nginx/domains/${vhostname}/public${WPSUBDIR}/wp-content/plugins/autoptimize-gzip/autoptimize-gzip.php" https://github.com/centminmod/autoptimize-gzip/raw/master/autoptimize-gzip.php
    wget${ipv_forceopt_wget} -cnv -O "/home/nginx/domains/${vhostname}/public${WPSUBDIR}/wp-content/plugins/autoptimize-gzip/index.html" https://github.com/centminmod/autoptimize-gzip/raw/master/index.html
    wget${ipv_forceopt_wget} -cnv -O "/home/nginx/domains/${vhostname}/public${WPSUBDIR}/wp-content/plugins/autoptimize-gzip/readme.md" https://github.com/centminmod/autoptimize-gzip/blob/master/readme.md
    wget${ipv_forceopt_wget} -cnv -O "/home/nginx/domains/${vhostname}/public${WPSUBDIR}/wp-content/plugins/autoptimize-gzip/LICENSE" https://github.com/centminmod/autoptimize-gzip/raw/master/LICENSE
    chown -R nginx:nginx "/home/nginx/domains/${vhostname}/public${WPSUBDIR}/wp-content/plugins/autoptimize-gzip"
    \wp plugin activate autoptimize-gzip --allow-root
    \wp plugin status autoptimize-gzip --allow-root
  fi
fi

cecho "------------------------------------------------------------" $boldgreen
\wp plugin install sucuri-scanner --activate --allow-root
cecho "------------------------------------------------------------" $boldgreen
\wp plugin install disable-xml-rpc --activate --allow-root
cecho "------------------------------------------------------------" $boldgreen
\wp plugin install cdn-enabler --activate --allow-root
cecho "------------------------------------------------------------" $boldgreen

if [[ "$WPPLUGINS_ALL" = [yY] ]]; then
  \wp plugin install rocket-lazy-load --activate --allow-root
  cecho "------------------------------------------------------------" $boldgreen
  \wp plugin install wp-security-scan --activate --allow-root
  cecho "------------------------------------------------------------" $boldgreen
  \wp plugin install limit-login-attempts --activate --allow-root
  cecho "------------------------------------------------------------" $boldgreen
  \wp plugin install wp-updates-notifier --activate --allow-root
  cecho "------------------------------------------------------------" $boldgreen
  \wp plugin install no-longer-in-directory --activate --allow-root
  cecho "------------------------------------------------------------" $boldgreen
  # \wp plugin install google-sitemap-generator --activate --allow-root
  # cecho "------------------------------------------------------------" $boldgreen
  \wp plugin install wp-optimize --activate --allow-root
  cecho "------------------------------------------------------------" $boldgreen
  # \wp plugin install wp-smushit --activate --allow-root
  # cecho "------------------------------------------------------------" $boldgreen
  \wp plugin install tpc-memory-usage --activate --allow-root
  cecho "------------------------------------------------------------" $boldgreen
  \wp plugin install gtmetrix-for-wordpress --activate --allow-root
  cecho "------------------------------------------------------------" $boldgreen
  \wp plugin install p3-profiler --activate --allow-root
  cecho "------------------------------------------------------------" $boldgreen
  \wp plugin install wordpress-seo --activate --allow-root
  cecho "------------------------------------------------------------" $boldgreen
  \wp plugin install updraftplus --activate --allow-root
  cecho "------------------------------------------------------------" $boldgreen
  \wp plugin install google-analytics-for-wordpress --activate --allow-root
  cecho "------------------------------------------------------------" $boldgreen
  \wp plugin install heartbeat-control --activate --allow-root
  cecho "------------------------------------------------------------" $boldgreen
  
  # installed but disabled by default
  # cecho "------------------------------------------------------------" $boldgreen
  # \wp plugin install nginx-helper --allow-root
  cecho "------------------------------------------------------------" $boldgreen
  \wp plugin install query-monitor --allow-root
  cecho "------------------------------------------------------------" $boldgreen
  \wp plugin install go-newrelic --allow-root
  cecho "------------------------------------------------------------" $boldgreen
  \wp plugin install db-cache-reloaded-fix --allow-root
  cecho "------------------------------------------------------------" $boldgreen
  \wp plugin install google-authenticator --allow-root
  cecho "------------------------------------------------------------" $boldgreen
  \wp plugin install addthis-smart-layers --allow-root
  cecho "------------------------------------------------------------" $boldgreen
  \wp plugin install search-regex --allow-root
  cecho "------------------------------------------------------------" $boldgreen
  \wp plugin install disable-emojis --allow-root
  cecho "------------------------------------------------------------" $boldgreen
  \wp plugin install wp-user-avatar --allow-root
  cecho "------------------------------------------------------------" $boldgreen
  \wp plugin install lazy-load-for-videos --allow-root
  cecho "------------------------------------------------------------" $boldgreen
  #\wp plugin install disable-xml-rpc-pingback --allow-root
  #cecho "------------------------------------------------------------" $boldgreen
fi # WPPLUGINS_ALL=y

# remove hello plugin
\wp plugin uninstall hello --allow-root

# allows user to add custom wp-cli commands after initiall install to
# further customise their installation. you create a custom file at
# /etc/centminmod/customwp_domain.com.inc where domain.com is the 
# intended centmin.sh menu option 22 vhost site domain for your wp
# installation. Then in that file add your wp-cli commands to the file
# wrapped in a shell function named mywpcmds() { yourcode }. i.e. for
# wp language install https://community.centminmod.com/posts/26045/
# the below check will check for /etc/centminmod/customwp_domain.com.inc
# file and then source include it into this routine and run the shell
# function named mywpcmds which contains your custom wp-cli cmds that will
# trigger and run
if [ -f "${CONFIGSCANBASE}/customwp_${vhostname}.inc" ]; then
    # default is at /etc/centminmod/customwp_${vhostname}.inc
    source "${CONFIGSCANBASE}/customwp_${vhostname}.inc"
    mywpcmds
fi

# update all plugins to make sure they are latest available
\wp plugin update --all --allow-root
echo
\wp plugin status --allow-root
cecho "------------------------------------------------------------" $boldgreen

if [[ -f /root/.wp-cli/commands/super-cache/cli.php && "$cacheenabler" != [yY] ]]; then
  \wp super-cache enable --allow-root
fi

chown -R nginx:nginx /home/nginx/domains/${vhostname}/public${WPSUBDIR}/wp-content/plugins/

# sucuri-scanner change SUCURI_DATA_STORAGE path above web root
# /home/nginx/domains/${vhostname}/sucuri_data_storage
if [ -d "/home/nginx/domains/${vhostname}/public${WPSUBDIR}/wp-content/uploads/sucuri" ]; then
  sucuri_datapath=$(echo "/home/nginx/domains/${vhostname}/sucuri_data_storage" | sed -e 's|/|\\\/|g')
  rm -rf "/home/nginx/domains/${vhostname}/sucuri_data_storage"
  mkdir -p "/home/nginx/domains/${vhostname}/sucuri_data_storage"
  chown nginx:nginx "/home/nginx/domains/${vhostname}/sucuri_data_storage"
  sed -i "s|\"}|\",\"sucuriscan_datastore_path\":\"$sucuri_datapath\"}|" "/home/nginx/domains/${vhostname}/public${WPSUBDIR}/wp-content/uploads/sucuri/sucuri-settings.php"
  sed -i 's|/|\\/|g' "/home/nginx/domains/${vhostname}/public${WPSUBDIR}/wp-content/uploads/sucuri/sucuri-settings.php"
  ls -lah "/home/nginx/domains/${vhostname}/sucuri_data_storage"
  \cp -Rpf /home/nginx/domains/${vhostname}/public${WPSUBDIR}/wp-content/uploads/sucuri/* "/home/nginx/domains/${vhostname}/sucuri_data_storage"
  cat "/home/nginx/domains/${vhostname}/sucuri_data_storage/sucuri-settings.php"
fi

# write permissions for log
if [ -f wp-content/plugins/tpc-memory-usage/logs/tpcmem.log ]; then
  chmod 0660 wp-content/plugins/tpc-memory-usage/logs/tpcmem.log
fi

# fix tcpmem.css incorrect reference to images
if [ -f wp-content/plugins/tpc-memory-usage/css/tpcmem.css ]; then
  sed -i 's|(images\/|(..\/images\/|g' wp-content/plugins/tpc-memory-usage/css/tpcmem.css
fi

if [[ "$wpscache" = [nN] ]]; then
    if [ -f "/usr/local/nginx/conf/conf.d/${vhostname}.conf" ]; then
        sed -i "s|^  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpcacheenabler_${vhostname}.conf|  include /usr/local/nginx/conf/wpincludes/${vhostname}/wpcacheenabler_${vhostname}.conf|" /usr/local/nginx/conf/conf.d/${vhostname}.conf
        sed -i "s|^  include /usr/local/nginx/conf/wpincludes/${vhostname}/wpsupercache_${vhostname}.conf|  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpsupercache_${vhostname}.conf|" /usr/local/nginx/conf/conf.d/${vhostname}.conf
        sed -i "s|try_files /wp-content/cache/supercache/\$http_host|#try_files /wp-content/cache/supercache/\$http_host|" /usr/local/nginx/conf/conf.d/${vhostname}.conf
        sed -i "s|#try_files \$cache_enabler_uri_webp \$cache_enabler_uri|try_files \$cache_enabler_uri_webp \$cache_enabler_uri|" /usr/local/nginx/conf/conf.d/${vhostname}.conf
    fi
    if [ -f "/usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf" ]; then
        sed -i "s|^  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpcacheenabler_${vhostname}.conf|  include /usr/local/nginx/conf/wpincludes/${vhostname}/wpcacheenabler_${vhostname}.conf|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
        sed -i "s|^  include /usr/local/nginx/conf/wpincludes/${vhostname}/wpsupercache_${vhostname}.conf|  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpsupercache_${vhostname}.conf|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
        sed -i "s|try_files /wp-content/cache/supercache/\$http_host|#try_files /wp-content/cache/supercache/\$http_host|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
        sed -i "s|#try_files \$cache_enabler_uri_webp \$cache_enabler_uri|try_files \$cache_enabler_uri_webp \$cache_enabler_uri|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    fi
fi

if [[ "$wpscache" = 'redis' ]]; then
    if [ -f "/usr/local/nginx/conf/conf.d/${vhostname}.conf" ]; then
        sed -i "s|^  #include /usr/local/nginx/conf/wpincludes/${vhostname}/rediscache_${vhostname}.conf;|  include /usr/local/nginx/conf/wpincludes/${vhostname}/rediscache_${vhostname}.conf;|" /usr/local/nginx/conf/conf.d/${vhostname}.conf
        sed -i "s|^  include /usr/local/nginx/conf/wpincludes/${vhostname}/wpsupercache_${vhostname}.conf|  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpsupercache_${vhostname}.conf|" /usr/local/nginx/conf/conf.d/${vhostname}.conf
        sed -i "s|try_files /wp-content/cache/supercache/\$http_host|#try_files /wp-content/cache/supercache/\$http_host|" /usr/local/nginx/conf/conf.d/${vhostname}.conf
        sed -i "s|#try_files \$uri \$uri/ ${WPSUBDIR}/index.php?\$args;|try_files \$uri \$uri/ ${WPSUBDIR}/index.php?\$args;|" /usr/local/nginx/conf/conf.d/${vhostname}.conf
        sed -i "s|include /usr/local/nginx/conf/php-wpsc.conf;|#include /usr/local/nginx/conf/php-wpsc.conf;|g" /usr/local/nginx/conf/conf.d/${vhostname}.conf
        sed -i "s|#include /usr/local/nginx/conf/php-rediscache.conf;|include /usr/local/nginx/conf/php-rediscache.conf;|g" /usr/local/nginx/conf/conf.d/${vhostname}.conf
    fi
    if [ -f "/usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf" ]; then
        sed -i "s|^  #include /usr/local/nginx/conf/wpincludes/${vhostname}/rediscache_${vhostname}.conf;|  include /usr/local/nginx/conf/wpincludes/${vhostname}/rediscache_${vhostname}.conf;|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
        sed -i "s|^  include /usr/local/nginx/conf/wpincludes/${vhostname}/wpsupercache_${vhostname}.conf|  #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpsupercache_${vhostname}.conf|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
        sed -i "s|try_files /wp-content/cache/supercache/\$http_host|#try_files /wp-content/cache/supercache/\$http_host|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
        sed -i "s|#try_files \$uri \$uri/ ${WPSUBDIR}/index.php?\$args;|try_files \$uri \$uri/ ${WPSUBDIR}/index.php?\$args;|" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
        sed -i "s|include /usr/local/nginx/conf/php-wpsc.conf;|#include /usr/local/nginx/conf/php-wpsc.conf;|g" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
        sed -i "s|#include /usr/local/nginx/conf/php-rediscache.conf;|include /usr/local/nginx/conf/php-rediscache.conf;|g" /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
    fi
fi

if [[ "$wpscache" = [nN] ]]; then
  # cache enabler expiry cronjob setup
    DELAY=$(echo ${RANDOM:0:3})
    crontab -l > cronjoblist
    mkdir -p /home/nginx/domains/${vhostname}/cronjobs
    cp cronjoblist /home/nginx/domains/${vhostname}/cronjobs/cronjoblist-before-wp-cacheenabler.txt
    # only insert cronjob if one doesn't already exist
    if [[ -z $(grep "$vhostname cacheenabler cron" cronjoblist) ]]; then
      echo "16 23 * * * echo \"$vhostname cacheenabler cron\" > /dev/null 2>&1; sleep ${DELAY}s > /dev/null 2>&1; rm -rf /home/nginx/domains/${vhostname}/public${WPSUBDIR}/wp-content/cache/cache-enabler/* > /dev/null 2>&1" >> cronjoblist
    fi
    cp cronjoblist /home/nginx/domains/${vhostname}/cronjobs/cronjoblist-after-wp-cacheenabler.txt
    crontab cronjoblist
    rm -rf cronjoblist
    crontab -l
fi

if [[ "$wpscache" = [nN] ]]; then
  if [ -f wp-content/plugins/wp-super-cache/wp-cache-config-sample.php ]; then
    \cp -af wp-content/plugins/wp-super-cache/wp-cache-config-sample.php wp-content/wp-cache-config.php
  fi
  if [ -f wp-content/plugins/wp-super-cache/advanced-cache.php ]; then
    \cp -af wp-content/plugins/wp-super-cache/advanced-cache.php wp-content/advanced-cache.php
  fi
fi
mkdir -p wp-content/cache/
mkdir -p wp-content/cache/supercache/
chown -R nginx:nginx wp-content/
chmod -R 0770 wp-content/cache/
chmod 0750 wp-content
umask 022
fi
########### WP Super Cache End ##############################

  cecho "------------------------------------------------------------" $boldgreen
  cecho "Created uninstall script" $boldyellow
  cecho "/root/tools/wp_uninstall_${vhostname}.sh" $boldyellow
  cecho "------------------------------------------------------------" $boldgreen

cat > "/root/tools/wp_uninstall_${vhostname}.sh" <<END
#/bin/bash
echo "-------------------------------------------------------------------------"
echo "Do you want to uninstall/delete WP install for ${vhostname}"
echo "This will delete all data from /home/nginx/domains/${vhostname}"
echo "including any non-wordpress data installed at /home/nginx/domains/${vhostname}"
echo "This script will NOT delete the database, you will have to manually remove the"
echo "database named: $DB"
echo "Please backup your MySQL database called $DB before deleting"
echo "-------------------------------------------------------------------------"
read -ep "Uninstall WP Install For ${vhostname} [y/n]: " uninstall
echo
if [[ "\$uninstall" != [yY] ]]; then
  exit
fi

rm -rf /usr/local/nginx/conf/conf.d/${vhostname}.conf
rm -rf /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf
rm -rf /home/nginx/domains/${vhostname}
rm -rf /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
rm -rf /usr/local/nginx/conf/wpincludes/${vhostname}/wpsupercache_${vhostname}.conf
rm -rf /root/tools/wp_updater_${vhostname}.sh
rm -rf /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}.crt
rm -rf /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}.key
rm -rf /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}.csr
rm -rf /usr/local/nginx/conf/ssl/${vhostname}
rm -rf /usr/local/nginx/conf/wpincludes/${vhostname}/rediscache_${vhostname}.conf
rm -rf /usr/local/nginx/conf/wpincludes/${vhostname}/wpcacheenabler_${vhostname}.conf
rm -rf /root/.acme.sh/${vhostname}
crontab -l > cronjoblist
sed -i "/wp_updater_${vhostname}.sh/d" cronjoblist
sed -i "/\/${vhostname}\/wp-cron.php/d" cronjoblist
sed -i "/$vhostname cacheenabler cron/d" cronjoblist
crontab cronjoblist
rm -rf cronjoblist
pure-pw userdel $ftpuser >/dev/null 2>&1
service nginx restart
END

chmod 0700 /root/tools/wp_uninstall_${vhostname}.sh

  cecho "------------------------------------------------------------" $boldgreen
  cecho "Created wp_updater_${vhostname}.sh script" $boldyellow
  cecho "/root/tools/wp_updater_${vhostname}.sh" $boldyellow
  cecho "------------------------------------------------------------" $boldgreen


if [ -f "/usr/local/nginx/conf/wpincludes/$vhostname/emailfrom.ini" ]; then
  # SETWPADMINEMAIL_FROM=yourcustom-from-emailaddress
  . "/usr/local/nginx/conf/wpincludes/$vhostname/emailfrom.ini"
fi

if [[ "$SETWPADMINEMAIL_FROM" ]]; then
  WPADMINEMAIL_FROM="$SETWPADMINEMAIL_FROM"
else
  WPADMINEMAIL_FROM="$WPADMINEMAIL"
fi

cat > "/root/tools/wp_updater_${vhostname}.sh" <<ENDA
#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin:/root/bin:/bin
EMAIL=$WPADMINEMAIL
EMAILFROM=$WPADMINEMAIL_FROM
DT=\$(date +"%d%m%y-%H%M%S")
# set locale temporarily to english
# due to some non-english locale issues
export LC_ALL=en_US.UTF-8
export LANG=en_US.UTF-8
export LANGUAGE=en_US.UTF-8
export LC_CTYPE=en_US.UTF-8

{
cd /home/nginx/domains/${vhostname}/public${WPSUBDIR}
echo "/home/nginx/domains/${vhostname}/public${WPSUBDIR}"
#/usr/bin/wp cli update --allow-root
echo "update wp-cli"
rm -rf /usr/bin/wp
wget -${ipv_forceopt}cnv --no-check-certificate https://raw.github.com/wp-cli/builds/gh-pages/phar/wp-cli.phar -O /usr/bin/wp --tries=3
chmod 0700 /usr/bin/wp
/usr/bin/wp --info --allow-root
/usr/bin/wp plugin status --allow-root
/usr/bin/wp plugin update --all --allow-root | tee .wpcli-status
#/usr/bin/wp core check-update --allow-root

# for major core updates uncomment 3 lines directly below
#/usr/bin/wp core update --allow-root
#/usr/bin/wp core update-db --allow-root
#/usr/bin/wp core update --allow-root

# for minor core updates uncomment 3 lines directly below
#/usr/bin/wp core update --minor --allow-root
#/usr/bin/wp core update-db --allow-root
#/usr/bin/wp core update --minor --allow-root

chown -R nginx:nginx /home/nginx/domains/${vhostname}/public${WPSUBDIR}
if [[ -f .wpcli-status && ! "\$(grep -w 'Plugin already updated' .wpcli-status)" ]]; then
  exec 99>/tmp/wp_updater_phpfpm.lock
  if flock -n -x 99; then
    # only do nginx + php-fpm restarts when zend opcache caching is enabled and revalidation
    # frequency is greater than 10 seconds set by opcache.revalidate_freq php setting
    if [[ "\$(php --ri "Zend Opcache" >/dev/null 2>&1; echo \$?)" -eq '0' && "\$(php --ri "Zend Opcache" | awk '/opcache.revalidate_freq/ {print \$3}')" -gt '10' ]]; then
      service nginx reload
    fi
  rm -rf /tmp/wp_updater_phpfpm.lock
  else
  echo "already detected running process"
  echo "skipping nginx reload"
  fi
fi
rm -rf .wpcli-status
} 2>&1 | tee /home/nginx/domains/${vhostname}/log/wp_updater-\${DT}.log
if [ -f /usr/sbin/sendmail ]; then
sendmail -i \$EMAIL <<END
From: \$EMAILFROM
To: \$EMAIL
Subject: Wordpress WP-CLI Auto Update \$(date)

\$(cat /home/nginx/domains/${vhostname}/log/wp_updater-\${DT}.log)

END
else
  cat -v /home/nginx/domains/${vhostname}/log/wp_updater-\${DT}.log | /usr/bin/tr -cd '\11\12\15\40-\176' | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | dos2unix | mail -r \$EMAILFROM -s "Wordpress WP-CLI Auto Update \$(date)" \$EMAIL
fi
#rm -rf /home/nginx/domains/${vhostname}/log/wp_updater-\${DT}.log
ENDA

chmod 0700 /root/tools/wp_updater_${vhostname}.sh

if [[ -z "$(crontab -l 2>&1 | grep wp_updater_${vhostname}.sh)" ]]; then
    # generate random number of seconds to delay cron start
    # making sure wp_updater for several wordpress nginx installs
    # do not run at very same time during cron scheduling
    crontab -l > cronjoblist

    DELAY=$(echo ${RANDOM:0:3})
    DELAY_DUPCHECK=$(echo $DELAY | cut -c1,2)
    echo $DELAY
    echo $DELAY_DUPCHECK

    # while [[ "$(crontab -l | awk '/ sleep / {print $7}' | grep "$DELAY_DUPCHECK")" ]]; do
    #   cat cronjoblist | awk '/ sleep / {print $7}' | while read s; do 
    #     CRONSLEEP_CHECK=$(echo $s | cut -c1,2)
    #     echo "CRONSLEEP_CHECK = $CRONSLEEP_CHECK"
    #     if [[ "$CRONSLEEP_CHECK" -eq "$DELAY_DUPCHECK" ]]; then
    #       DELAY=$(echo ${RANDOM:0:3})
    #       DELAY_DUPCHECK=$(echo $DELAY | cut -c1,2)
    #       echo $DELAY
    #       echo $DELAY_DUPCHECK
    #     fi
    #   done
    #   echo "final $DELAY"
    #   echo "final $DELAY_DUPCHECK"
    # done

    # ensure random sleep times do not overlap https://community.centminmod.com/posts/51310/
    while [[ "$(cat cronjoblist | awk '/ sleep / {print $7}' | grep -w "$DELAY_DUPCHECK")" ]] && [[ "$(cat cronjoblist | awk '/ sleep / {print $7}' | grep -w "$DELAY")" ]]; do
      DELAY=$(echo ${RANDOM:0:3})
      DELAY_DUPCHECK=$(echo $DELAY | cut -c1,2)
      echo $DELAY
      echo $DELAY_DUPCHECK
      echo "calculated $DELAY"
      echo "calculated $DELAY_DUPCHECK"
    done
    echo "final $DELAY"
    echo "final $DELAY_DUPCHECK"

    mkdir -p /home/nginx/domains/${vhostname}/cronjobs
    cp cronjoblist /home/nginx/domains/${vhostname}/cronjobs/cronjoblist-before-wp-updater.txt
    echo "0 */8 * * * sleep ${DELAY}s > /dev/null 2>&1;/root/tools/wp_updater_${vhostname}.sh >/dev/null 2>&1" >> cronjoblist
    cp cronjoblist /home/nginx/domains/${vhostname}/cronjobs/cronjoblist-after-wp-updater.txt
    crontab cronjoblist
    rm -rf cronjoblist
    crontab -l
fi

echo 
cecho "-------------------------------------------------------------" $boldyellow
if [ -f "${SCRIPT_DIR}/tools/autoprotect.sh" ]; then
  "${SCRIPT_DIR}/tools/autoprotect.sh"
fi

cmservice nginx reload
echo
nginx -t
echo

cmservice php-fpm restart
if [[ "$PUREFTPD_DISABLED" = [nN] ]]; then
  cmservice pure-ftpd restart
fi

if [ -f /tmp/setupwp.log ]; then
  rm -rf /tmp/setupwp.log
fi

if [[ "$LETSENCRYPT_DETECT" = [yY] ]]; then
  if [ -f "${SCRIPT_DIR}/addons/acmetool.sh" ] && [[ "$vhostssl" = 'le' ]]; then
    echo
    cecho "-------------------------------------------------------------" $boldyellow
    echo "ok: ${SCRIPT_DIR}/addons/acmetool.sh"
    chmod +x "${SCRIPT_DIR}/addons/acmetool.sh"
    echo ""${SCRIPT_DIR}/addons/acmetool.sh" issue "$vhostname" wptest"
    "${SCRIPT_DIR}/addons/acmetool.sh" issue "$vhostname" wptest
    cecho "-------------------------------------------------------------" $boldyellow
    echo
  elif [ -f "${SCRIPT_DIR}/addons/acmetool.sh" ] && [[ "$vhostssl" = 'led' ]]; then
    echo
    cecho "-------------------------------------------------------------" $boldyellow
    echo "ok: ${SCRIPT_DIR}/addons/acmetool.sh"
    chmod +x "${SCRIPT_DIR}/addons/acmetool.sh"
    echo ""${SCRIPT_DIR}/addons/acmetool.sh" issue "$vhostname" wptestd"
    "${SCRIPT_DIR}/addons/acmetool.sh" issue "$vhostname" wptestd
    cecho "-------------------------------------------------------------" $boldyellow
    echo
  elif [ -f "${SCRIPT_DIR}/addons/acmetool.sh" ] && [[ "$vhostssl" = 'lelive' ]]; then
    echo
    cecho "-------------------------------------------------------------" $boldyellow
    echo "ok: ${SCRIPT_DIR}/addons/acmetool.sh"
    chmod +x "${SCRIPT_DIR}/addons/acmetool.sh"
    echo ""${SCRIPT_DIR}/addons/acmetool.sh" issue "$vhostname" wplive"
    "${SCRIPT_DIR}/addons/acmetool.sh" issue "$vhostname" wplive
    cecho "-------------------------------------------------------------" $boldyellow
    echo
  elif [ -f "${SCRIPT_DIR}/addons/acmetool.sh" ] && [[ "$vhostssl" = 'lelived' ]]; then
    echo
    cecho "-------------------------------------------------------------" $boldyellow
    echo "ok: ${SCRIPT_DIR}/addons/acmetool.sh"
    chmod +x "${SCRIPT_DIR}/addons/acmetool.sh"
    echo ""${SCRIPT_DIR}/addons/acmetool.sh" issue "$vhostname" wplived"
    "${SCRIPT_DIR}/addons/acmetool.sh" issue "$vhostname" wplived
    cecho "-------------------------------------------------------------" $boldyellow
    echo
  fi
  # run lestdebug.net API check
  if [[ "$vhostssl" = 'le' || "$vhostssl" = 'led' || "$vhostssl" = 'lelive' || "$vhostssl" = 'lelived' ]]; then
    run_letsdebug "$vhostname"
  fi
fi

if [[ "$wpcli_ssldefault" = '1' ]]; then
  \wp option update home "https://${vhostname}${WPSUBDIR}"  --allow-root
  \wp option update siteurl "https://${vhostname}${WPSUBDIR}"  --allow-root
fi

# create /usr/local/nginx/conf/wpincludes/${vhostname}/wpinfo.sh
if [ -d "/usr/local/nginx/conf/wpincludes/${vhostname}" ]; then
cat > "/usr/local/nginx/conf/wpincludes/${vhostname}/wpinfo.sh" <<EOF
#!/bin/bash
WPSITE_INSTALLPATH='/home/nginx/domains/${vhostname}/public'
cd \$WPSITE_INSTALLPATH;
wp cli version --allow-root;
echo "WP-Home    \$(wp option get home --allow-root)";
echo "WP-SiteURL \$(wp option get siteurl --allow-root)";
wp core version --extra --allow-root | column -t;
wp user list --role=administrator --allow-root;
wp config list --allow-root;
wp plugin list --allow-root;
wp theme list --allow-root;
EOF
chmod +x /usr/local/nginx/conf/wpincludes/${vhostname}/wpinfo.sh
fi

{
echo 
if [[ "$PUREFTPD_DISABLED" = [nN] ]]; then
cecho "-------------------------------------------------------------" $boldyellow
echo "FTP hostname : $CNIP"
echo "FTP port : 21"
echo "FTP mode : FTP (explicit SSL)"
echo "FTP Passive (PASV) : ensure is checked/enabled"
echo "FTP username created for $vhostname : $ftpuser"
echo "FTP password created for $vhostname : $ftppass"
fi
cecho "-------------------------------------------------------------" $boldyellow
cecho "vhost for $vhostname created successfully" $boldwhite
echo
if [[ "$wpcli_ssldefault" != '1' ]]; then
  cecho "domain: http://$vhostname" $boldyellow
  cecho "vhost conf file for $vhostname created: /usr/local/nginx/conf/conf.d/$vhostname.conf" $boldwhite
fi
if [[ "$vhostssl" = [yY] ]] || [[ "$vhostssl" = 'le' ]] || [[ "$vhostssl" = 'led' ]] || [[ "$vhostssl" = 'lelive' ]] || [[ "$vhostssl" = 'lelived' ]]; then
  echo
  cecho "vhost ssl for $vhostname created successfully" $boldwhite
  echo
  cecho "domain: https://$vhostname" $boldyellow
  cecho "vhost ssl conf file for $vhostname created: /usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf" $boldwhite
  cecho "/usr/local/nginx/conf/ssl_include.conf created" $boldwhite
  cecho "Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}.crt" $boldyellow
  cecho "SSL Private Key: /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}.key" $boldyellow
  cecho "SSL CSR File: /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}.csr" $boldyellow
  cecho "Backup SSL Private Key: /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}-backup.key" $boldyellow
  cecho "Backup SSL CSR File: /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}-backup.csr" $boldyellow  
  if [[ "$LETSENCRYPT_DETECT" = [yY] ]]; then
    cecho "letsdebug API check log: ${CENTMINLOGDIR}/letsdebug-${vhostname}-${DT}.log" $boldyellow
  fi
fi
echo
cecho "upload files to /home/nginx/domains/$vhostname/public" $boldwhite
cecho "vhost log files directory is /home/nginx/domains/$vhostname/log" $boldwhite
echo
cecho "------------------------------------------------------------" $boldgreen
cecho "SSH commands to uninstall created Wordpress install and Nginx vhost:" $boldyellow
cecho "  /root/tools/wp_uninstall_${vhostname}.sh" $boldyellow
cecho "------------------------------------------------------------" $boldgreen
echo
cecho "------------------------------------------------------------" $boldgreen
cecho "Wordpress Auto Updater created at:" $boldyellow
cecho "  /root/tools/wp_updater_${vhostname}.sh" $boldyellow
cecho "cronjob set for every 8 hours update (3x times per day)" $boldyellow
cecho "------------------------------------------------------------" $boldgreen
echo
cecho "Wordpress domain: $vhostname" $boldyellow
cecho "Wordpress DB Name: $DB" $boldyellow
cecho "Wordpress DB User: $DBUSER" $boldyellow
cecho "Wordpress DB Pass: $DBPASS" $boldyellow
cecho "Wordpress Admin User ID: ${WUID}" $boldyellow
cecho "Wordpress Admin User: $WPADMINUSER" $boldyellow
cecho "Wordpress Admin Pass: $WPADMINPASS" $boldyellow
cecho "Wordpress Admin Email: $WPADMINEMAIL" $boldyellow
if [[ "$setdisplayname" = [yY] ]]; then
  cecho "Wordpress Admin Display Name: $WPADMIN_DISPLAYNAME" $boldyellow
fi

if [[ "$disablepwdprotect" != [yY] ]]; then
  if [[ -f /usr/local/nginx/conf/htpasswd.sh && -f /home/nginx/domains/$vhostname/htpasswd_wplogin ]]; then
    echo  
    cecho "Wordpress wp-login.php password protection info:" $boldyellow
    cecho "wp-login.php protection file /home/nginx/domains/$vhostname/htpasswd_wplogin" $boldyellow
    cecho "wp-login.php protection Username: $HTUSER" $boldyellow
    cecho "wp-login.php protection Password: $HTPASS" $boldyellow
    if [[ "$wpcli_ssldefault" = '1' ]]; then
      cecho "https://${HTUSER}:${HTPASS}@${vhostname}${WPSUBDIR}/wp-login.php" $boldyellow
    else
      cecho "http://${HTUSER}:${HTPASS}@${vhostname}${WPSUBDIR}/wp-login.php" $boldyellow
    fi
    echo
    cecho "Resetting wp-login.php protection:" $boldyellow
    cecho "Step 1. remove protection file at /home/nginx/domains/$vhostname/htpasswd_wplogin" $boldyellow
    cecho "     rm -rf /home/nginx/domains/$vhostname/htpasswd_wplogin" $boldyellow
    cecho "Step 2. run command:" $boldyellow
    cecho "     /usr/local/nginx/conf/htpasswd.sh create /home/nginx/domains/$vhostname/htpasswd_wplogin YOURUSERNAME YOURPASSWORD" $boldyellow
    cecho "Step 3. restart Nginx + PHP-FPM services" $boldyellow
    cecho "     nprestart" $boldyellow
  fi
elif [[ "$disablepwdprotect" = [yY] ]]; then
    # disable wp-login.php password protection if user opts to do so
    sed -i "s|auth_basic \"Private\"|#auth_basic \"Private\"|" /usr/local/nginx/conf/conf.d/$vhostname.conf >/dev/null 2>&1
    sed -i "s|auth_basic_user_file \/home\/nginx\/domains\/$vhostname\/htpasswd_wplogin|#auth_basic_user_file \/home\/nginx\/domains\/$vhostname\/htpasswd_wplogin|" /usr/local/nginx/conf/conf.d/$vhostname.conf >/dev/null 2>&1
    if [[ "$vhostssl" = [yY] ]] || [[ "$vhostssl" = 'le' ]] || [[ "$vhostssl" = 'led' ]] || [[ "$vhostssl" = 'lelive' ]] || [[ "$vhostssl" = 'lelived' ]]; then
      sed -i "s|auth_basic \"Private\"|#auth_basic \"Private\"|" /usr/local/nginx/conf/conf.d/$vhostname.ssl.conf >/dev/null 2>&1
      sed -i "s|auth_basic_user_file \/home\/nginx\/domains\/$vhostname\/htpasswd_wplogin|#auth_basic_user_file \/home\/nginx\/domains\/$vhostname\/htpasswd_wplogin|" /usr/local/nginx/conf/conf.d/$vhostname.ssl.conf >/dev/null 2>&1
    fi
    service nginx reload
fi

echo
cecho "-------------------------------------------------------------" $boldyellow
cecho "Current vhost listing at: /usr/local/nginx/conf/conf.d/" $boldwhite
echo
ls -Alhrt /usr/local/nginx/conf/conf.d/ | awk '{ printf "%-4s%-4s%-8s%-6s %s\n", $6, $7, $8, $5, $9 }'

if [[ "$vhostssl" = [yY] ]] || [[ "$vhostssl" = 'le' ]] || [[ "$vhostssl" = 'led' ]] || [[ "$vhostssl" = 'lelive' ]] || [[ "$vhostssl" = 'lelived' ]]; then
echo
cecho "-------------------------------------------------------------" $boldyellow
cecho "Current vhost ssl files listing at: /usr/local/nginx/conf/ssl/${vhostname}" $boldwhite
echo
ls -Alhrt /usr/local/nginx/conf/ssl/${vhostname} | awk '{ printf "%-4s%-4s%-8s%-6s %s\n", $6, $7, $8, $5, $9 }'
fi

if [[ "$vhostssl_opt" -eq '2' || "$vhostssl_opt" -eq '4' ]] && [[ "$ISCF_ACHECK" = 'Cloudflare' || "$ISCF_ACHECK" = 'cloudflare' ]]; then
  cecho "-------------------------------------------------------------" $boldyellow
  echo "If using Cloudflare in front of site, disable CF option for"
  echo "Always Use HTTPS in CF Dashboard Crypto Tab as Nginx will do"
  echo "the non-https to https redirect on this end and not require"
  echo "Cloudflare's Always Use HTTPS. If enabled it will cause the"
  echo "error message: too many redirects"
  echo
  echo "Also change Cloudflare Flexible SSL to Full SSL non-strict mode"
fi

echo
cecho "------------------------------------------------------------" $boldgreen
cecho "To complete setup:" $boldyellow
if [[ "$wpscache" = [nN] ]]; then
  cecho "  1. Enable Permalinks (DO NOT use links with .html extensions for performance reasons) i.e. /%post_id%/%postname%/
  2. Settings Menu > Cache Enabler set options and hit Save Changes (https://community.centminmod.com/threads/15039/)
  3. Settings Menu > Optimus set options and hit Save Changes
  4. Appearance > Theme Options (Responsive theme) > Home Page nav bar > Uncheck Overrides Wordpress front page option"
  if [[ "$WPPLUGINS_ALL" = [yY] ]]; then
  cecho "5. WP Security Menu > Settings > Check All except Enable Live Traffic tool and hit Update settings
  6. Settings Menu > Updates Notifier and setup your notify email address and cronjob (save and test button to check)
  7. Settings Mnenu > Autoptimize and check Optimize HTML, JavaScript and CSS options (show advanced settings)
  8. Settings Menu > Limit Login Attempts and configure as desired or leave as defaults
  9. Sucuri Security Menu and top left click Generate API key for your domain/email and configure your Settings tab
  10. WP-Optimize Menu and configure as needed
  11. Memory Usage Menu > Settings and adjust accordingly
  12. GTmetrix Menu > setup and register your GTmetrix Account and API Key
  13. go-newrelic plugin installed but not activated read https://wordpress.org/plugins/go-newrelic/installation/
  14. Tools > P3 Plugin Profiler > Start Scan to profile all your plugins
  15. Plugins > Query Monitor is disabled by default, enable to check MySQL query stats
  16. Plugins > DB Cache Reloaded disabled by default unsure if works with Wordpress 4.x ?
  17. Seo Menu (Yoast SEO) > configure accordingly
  18. Settings > UpdraftPlus Backups > Settings set file/database backup intervals & optional backup to remote storage
  19. Analytics > Settings > configure your Google Analytics UA Code" $boldyellow
  fi
  cecho "------------------------------------------------------------" $boldgreen
elif [[ "$wpscache" = [yY] ]]; then
  cecho "  1. Enable Permalinks (DO NOT use links with .html extensions for performance reasons) i.e. /%post_id%/%postname%/
  2. Settings Menu > Super Cache > Easy tab and enable it by checking Caching On (Recommended) and hit Update Status
  3. Advanced tab & check Use mod_rewrite serve cache files & Don’t cache pages with GET parameters and Known User. 
    (Recommended), Cache rebuild for anonymous users, clear all cache when a post or page updated & hit Update Status
  4. Appearance > Theme Options (Responsive theme) > Home Page nav bar > Uncheck Overrides Wordpress front page option"
  if [[ "$WPPLUGINS_ALL" = [yY] ]]; then
  cecho "
  5. WP Security Menu > Settings > Check All except Enable Live Traffic tool and hit Update settings
  6. Settings Menu > Updates Notifier and setup your notify email address and cronjob (save and test button to check)
  7. Settings Mnenu > Autoptimize and check Optimize HTML, JavaScript and CSS options (show advanced settings)
  8. Settings Menu > Limit Login Attempts and configure as desired or leave as defaults
  9. Sucuri Security Menu and top left click Generate API key for your domain/email and configure your Settings tab
  10. WP-Optimize Menu and configure as needed
  11. Memory Usage Menu > Settings and adjust accordingly
  12. GTmetrix Menu > setup and register your GTmetrix Account and API Key
  13. go-newrelic plugin installed but not activated read https://wordpress.org/plugins/go-newrelic/installation/
  14. Tools > P3 Plugin Profiler > Start Scan to profile all your plugins
  15. Plugins > Query Monitor is disabled by default, enable to check MySQL query stats
  16. Plugins > DB Cache Reloaded disabled by default unsure if works with Wordpress 4.x ?
  17. Seo Menu (Yoast SEO) > configure accordingly
  18. Settings > UpdraftPlus Backups > Settings set file/database backup intervals & optional backup to remote storage
  19. Analytics > Settings > configure your Google Analytics UA Code" $boldyellow
  fi
  cecho "------------------------------------------------------------" $boldgreen
elif [[ "$wpscache" = 'redis' ]]; then
  cecho "  1. Enable Permalinks (DO NOT use links with .html extensions for performance reasons) i.e. /%post_id%/%postname%/
  2. Settings Menu > Nginx Helper Enable Purging set Caching Method to Redis Cache, & set Purging Conditions
  3. Settings Menu > CDN Enabler and set CDN up or disable plugin
  4. Appearance > Theme Options (Responsive theme) > Home Page nav bar > Uncheck Overrides Wordpress front page option"
  if [[ "$WPPLUGINS_ALL" = [yY] ]]; then
  cecho "5. WP Security Menu > Settings > Check All except Enable Live Traffic tool and hit Update settings
  6. Settings Menu > Updates Notifier and setup your notify email address and cronjob (save and test button to check)
  7. Settings Mnenu > Autoptimize and check Optimize HTML, JavaScript and CSS options (show advanced settings)
  8. Settings Menu > Limit Login Attempts and configure as desired or leave as defaults
  9. Sucuri Security Menu and top left click Generate API key for your domain/email and configure your Settings tab
  10. WP-Optimize Menu and configure as needed
  11. Memory Usage Menu > Settings and adjust accordingly
  12. GTmetrix Menu > setup and register your GTmetrix Account and API Key
  13. go-newrelic plugin installed but not activated read https://wordpress.org/plugins/go-newrelic/installation/
  14. Tools > P3 Plugin Profiler > Start Scan to profile all your plugins
  15. Plugins > Query Monitor is disabled by default, enable to check MySQL query stats
  16. Plugins > DB Cache Reloaded disabled by default unsure if works with Wordpress 4.x ?
  17. Seo Menu (Yoast SEO) > configure accordingly
  18. Settings > UpdraftPlus Backups > Settings set file/database backup intervals & optional backup to remote storage
  19. Analytics > Settings > configure your Google Analytics UA Code" $boldyellow
  fi
  cecho "------------------------------------------------------------" $boldgreen
fi
} 2>&1 | tee /tmp/setupwp.log
if [ -f /usr/sbin/sendmail ]; then
sendmail -i $WPADMINEMAIL <<END
From: $WPADMINEMAIL_FROM
To: $WPADMINEMAIL
Subject: ${vhostname} Wordpress Installed $(date)

$(cat /tmp/setupwp.log)

END
else
cat -v /tmp/setupwp.log | /usr/bin/tr -cd '\11\12\15\40-\176' | perl -pe 's/\x1b.*?[mGKH]//g' | dos2unix | mail -r $WPADMINEMAIL_FROM -s "${vhostname} Wordpress Installed `date`" $WPADMINEMAIL
fi
cp -a /tmp/setupwp.log "${CENTMINLOGDIR}/setupwp-$(date +"%d%m%y-%H%M%S").log"
rm -rf /tmp/setupwp.log

  # control variables after vhost creation
  # whether cloudflare.conf include file is uncommented (enabled) or commented out (disabled)
  if [[ "$VHOSTCTRL_CLOUDFLAREINC" = [yY] ]]; then
    if [ -f "/usr/local/nginx/conf/conf.d/$vhostname.conf" ]; then
      sed -i "s|^  #include \/usr\/local\/nginx\/conf\/cloudflare.conf;|  include \/usr\/local\/nginx\/conf\/cloudflare.conf;|g" "/usr/local/nginx/conf/conf.d/$vhostname.conf"
    fi
    if [ -f "/usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf" ]; then
      sed -i "s|^  #include \/usr\/local\/nginx\/conf\/cloudflare.conf;|  include \/usr\/local\/nginx\/conf\/cloudflare.conf;|g" "/usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf"
    fi
  fi
  # whether autoprotect-$vhostname.conf include file is uncommented (enabled) or commented out (disabled)
  if [[ "$VHOSTCTRL_AUTOPROTECTINC" = [nN] ]]; then
    if [ -f "/usr/local/nginx/conf/autoprotect/$vhostname/autoprotect-$vhostname.conf" ]; then
      if [ -f "/usr/local/nginx/conf/conf.d/$vhostname.conf" ]; then
        sed -i "s|^  include \/usr\/local\/nginx\/conf\/autoprotect\/$vhostname\/autoprotect-$vhostname.conf;|  #include \/usr\/local\/nginx\/conf\/autoprotect\/$vhostname\/autoprotect-$vhostname.conf;|g" "/usr/local/nginx/conf/autoprotect/$vhostname/autoprotect-$vhostname.conf"
      fi
      if [ -f "/usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf" ]; then
        sed -i "s|^  include \/usr\/local\/nginx\/conf\/autoprotect\/$vhostname\/autoprotect-$vhostname.conf;|  #include \/usr\/local\/nginx\/conf\/autoprotect\/$vhostname\/autoprotect-$vhostname.conf;|g" "/usr/local/nginx/conf/conf.d/${vhostname}.ssl.conf"
      fi
    fi
  fi

# make sure all wordpress installed files are owned by nginx user/group
chown -R nginx:nginx /home/nginx/domains/${vhostname}/public

echo
cecho "-------------------------------------------------------------" $boldyellow
cecho "vhost for $vhostname wordpress setup successfully" $boldwhite
cecho "$vhostname setup info log saved at: " $boldwhite
cecho "${CENTMINLOGDIR}/centminmod_${SCRIPT_VERSION}_${DT}_wordpress_addvhost.log" $boldwhite
cecho "-------------------------------------------------------------" $boldyellow
cecho "wpinfo.sh script saved at:" $boldwhite
cecho "/usr/local/nginx/conf/wpincludes/${vhostname}/wpinfo.sh" $boldwhite
cecho "-------------------------------------------------------------" $boldyellow
echo ""
if [[ -f "${CENTMINLOGDIR}/centminmod_${SCRIPT_VERSION}_${DT}_wordpress_addvhost.log" ]]; then
  # populate plain text logs for QR Code generation
  touch "${CENTMINLOGDIR}/centminmod_${SCRIPT_VERSION}_${DT}_wordpress_addvhost_${vhostname}-logins.log"  
if [[ "$PUREFTPD_DISABLED" = [nN] ]]; then
  touch "${CENTMINLOGDIR}/centminmod_${SCRIPT_VERSION}_${DT}_wordpress_addvhost_${vhostname}-logins-ftp.log"
cat >> "${CENTMINLOGDIR}/centminmod_${SCRIPT_VERSION}_${DT}_wordpress_addvhost_${vhostname}-logins-ftp.log" <<EOF
FTP hostname: $CNIP
FTP port: 21
FTP mode: FTP (explicit SSL)
FTP Passive (PASV): ensure is checked/enabled
FTP username: $ftpuser
FTP password: $ftppass
EOF
fi
cat >> "${CENTMINLOGDIR}/centminmod_${SCRIPT_VERSION}_${DT}_wordpress_addvhost_${vhostname}-logins.log" <<EOF
Wordpress Info
domain: $vhostname
DB Name: $DB
DB User: $DBUSER
DB Pass: $DBPASS
Admin User: $WPADMINUSER
Admin Pass: $WPADMINPASS
Admin Email: $WPADMINEMAIL
EOF
if [[ "$setdisplayname" = [yY] ]]; then
cat >> "${CENTMINLOGDIR}/centminmod_${SCRIPT_VERSION}_${DT}_wordpress_addvhost_${vhostname}-logins.log" <<EOF
Wordpress Admin Display Name: $WPADMIN_DISPLAYNAME
EOF
fi
if [[ "$disablepwdprotect" != [yY] ]]; then
  if [[ -f /usr/local/nginx/conf/htpasswd.sh && -f /home/nginx/domains/$vhostname/htpasswd_wplogin ]]; then
    touch "${CENTMINLOGDIR}/centminmod_${SCRIPT_VERSION}_${DT}_wordpress_addvhost_${vhostname}-logins-http-pass.log"
    echo  >> "${CENTMINLOGDIR}/centminmod_${SCRIPT_VERSION}_${DT}_wordpress_addvhost_${vhostname}-logins-http-pass.log"
    echo "wp-login.php password protection info:" >> "${CENTMINLOGDIR}/centminmod_${SCRIPT_VERSION}_${DT}_wordpress_addvhost_${vhostname}-logins-http-pass.log"
    echo "wp-login.php protection file /home/nginx/domains/$vhostname/htpasswd_wplogin" >> "${CENTMINLOGDIR}/centminmod_${SCRIPT_VERSION}_${DT}_wordpress_addvhost_${vhostname}-logins-http-pass.log"
    echo "wp-login.php protection Username: $HTUSER" >> "${CENTMINLOGDIR}/centminmod_${SCRIPT_VERSION}_${DT}_wordpress_addvhost_${vhostname}-logins-http-pass.log"
    echo "wp-login.php protection Password: $HTPASS" >> "${CENTMINLOGDIR}/centminmod_${SCRIPT_VERSION}_${DT}_wordpress_addvhost_${vhostname}-logins-http-pass.log"
    if [[ "$wpcli_ssldefault" = '1' ]]; then
      echo "https://${HTUSER}:${HTPASS}@${vhostname}${WPSUBDIR}/wp-login.php" >> "${CENTMINLOGDIR}/centminmod_${SCRIPT_VERSION}_${DT}_wordpress_addvhost_${vhostname}-logins-http-pass.log"
    else
      echo "http://${HTUSER}:${HTPASS}@${vhostname}${WPSUBDIR}/wp-login.php" >> "${CENTMINLOGDIR}/centminmod_${SCRIPT_VERSION}_${DT}_wordpress_addvhost_${vhostname}-logins-http-pass.log"
    fi
    # echo >> "${CENTMINLOGDIR}/centminmod_${SCRIPT_VERSION}_${DT}_wordpress_addvhost_${vhostname}-logins-http-pass.log"
    # echo "Resetting wp-login.php protection:" >> "${CENTMINLOGDIR}/centminmod_${SCRIPT_VERSION}_${DT}_wordpress_addvhost_${vhostname}-logins-http-pass.log"
    # echo "Step 1. remove protection file at /home/nginx/domains/$vhostname/htpasswd_wplogin" >> "${CENTMINLOGDIR}/centminmod_${SCRIPT_VERSION}_${DT}_wordpress_addvhost_${vhostname}-logins-http-pass.log"
    # echo "     rm -rf /home/nginx/domains/$vhostname/htpasswd_wplogin" >> "${CENTMINLOGDIR}/centminmod_${SCRIPT_VERSION}_${DT}_wordpress_addvhost_${vhostname}-logins-http-pass.log"
    # echo "Step 2. run command:" >> "${CENTMINLOGDIR}/centminmod_${SCRIPT_VERSION}_${DT}_wordpress_addvhost_${vhostname}-logins-http-pass.log"
    # echo "     /usr/local/nginx/conf/htpasswd.sh create /home/nginx/domains/$vhostname/htpasswd_wplogin YOURUSERNAME YOURPASSWORD" >> "${CENTMINLOGDIR}/centminmod_${SCRIPT_VERSION}_${DT}_wordpress_addvhost_${vhostname}-logins-http-pass.log"
    # echo "Step 3. restart Nginx + PHP-FPM services" >> "${CENTMINLOGDIR}/centminmod_${SCRIPT_VERSION}_${DT}_wordpress_addvhost_${vhostname}-logins-http-pass.log"
    # echo "     nprestart" >> "${CENTMINLOGDIR}/centminmod_${SCRIPT_VERSION}_${DT}_wordpress_addvhost_${vhostname}-logins-http-pass.log"
  fi
fi
  if [[ "$QRCODE" = [yY] && -f /usr/bin/qrencode ]]; then
    if [[ -f "${CENTMINLOGDIR}/centminmod_${SCRIPT_VERSION}_${DT}_wordpress_addvhost_${vhostname}-logins-http-pass.log" ]]; then
      echo
      echo "wp-login.php HTTP Password login details QR Code"
      echo
      cat -v "${CENTMINLOGDIR}/centminmod_${SCRIPT_VERSION}_${DT}_wordpress_addvhost_${vhostname}-logins-http-pass.log" | \qrencode -t ansiutf8
    fi
    if [[ -f "${CENTMINLOGDIR}/centminmod_${SCRIPT_VERSION}_${DT}_wordpress_addvhost_${vhostname}-logins-ftp.log" ]]; then
      echo
      echo "Pure-FTPD FTP login details QR Code"
      echo
      cat -v "${CENTMINLOGDIR}/centminmod_${SCRIPT_VERSION}_${DT}_wordpress_addvhost_${vhostname}-logins-ftp.log" | \qrencode -t ansiutf8
    fi
    if [[ -f "${CENTMINLOGDIR}/centminmod_${SCRIPT_VERSION}_${DT}_wordpress_addvhost_${vhostname}-logins.log" ]]; then
      echo
      echo "Wordpress login details QR Code"
      echo
      cat -v "${CENTMINLOGDIR}/centminmod_${SCRIPT_VERSION}_${DT}_wordpress_addvhost_${vhostname}-logins.log" | \qrencode -t ansiutf8
    fi
    echo
  fi
fi

else

echo ""
cecho "-------------------------------------------------------------" $boldyellow
cecho "vhost for $vhostname already exists" $boldwhite
cecho "/home/nginx/domains/$vhostname already exists" $boldwhite
cecho "-------------------------------------------------------------" $boldyellow
echo ""

fi

}