# DigitechFlow WordPress Stack

This repository contains a hardened Docker Compose stack for the DigitechFlow WordPress deployment. It runs MySQL, WordPress (PHP-FPM), Nginx, and Valkey (Redis-compatible cache) with sensible defaults.

## Prerequisites

- Docker Engine + Docker Compose V2
- Traefik network (`traefik_default`) already present for routing/SSL
- Host directories writable for `db_data/`, `wordpress_data/`, and `redis_data/`

## Getting Started

1. Copy the environment template and fill in secrets:

   ```bash
   cp .env.example .env
   # Edit .env to use strong unique values (DB creds, salts)
   ```

2. Bring up the stack:

   ```bash
   docker compose up -d
   ```

3. Access WordPress via the configured Traefik domain (e.g., https://digitechflow.com).

## Services

- **db**: `mysql:latest` with persistent volume `db_data/`.
- **wordpress**: `wordpress:php8.3-fpm` serving PHP over FastCGI.
- **wpcli_seed**: one-shot `wordpress:cli` job that installs/activates plugins listed in `config/plugins.txt`.
- **wordpress_nginx**: `nginx:latest` front-end with custom config tuned for Traefik and FastCGI.
- **redis**: `valkey/valkey:latest` for object caching with persistence and healthcheck.

## Configuration Highlights

- Secrets and database settings sourced from `.env`; the template (`.env.example`) documents required keys.
- `config/nginx/default.conf` contains gzip, caching, and FastCGI tuning. Adjust if you need custom routes.
- `wordpress.ini` sets PHP limits and Opcache recommendations.
- Local data directories (`db_data/`, `wordpress_data/`, `redis_data/`) plus `wp-config.php` are gitignored to prevent leaking content/secrets.
- `config/plugins.txt` lists plugin slugs to auto-install. Add one per line and rerun `docker compose up wpcli_seed`.

### Managing the plugin seed list

`config/plugins.txt` is a newline-delimited list of plugin slugs (directory names from wordpress.org). To ensure a plugin is installed and active whenever this stack boots:

1. Add the slug to the file, e.g. `wordpress-seo`.
2. Run `docker compose up wpcli_seed`. The one-shot `wordpress:cli` container will wait for WordPress to be ready, install any missing plugins from the list, and activate them.
3. Repeat whenever you add/remove required plugins. Existing installations are left untouched unless they match entries in the file (in which case they’re only ensured active).

## Operations

- Update images: `docker compose pull && docker compose up -d`.
- View logs: `docker compose logs -f`.
- Run WordPress CLI tasks: `docker compose exec wordpress wp` (install WP-CLI first if needed).

## Security Notes

- Always use unique, strong passwords in `.env` and rotate them periodically.
- Regenerate WordPress auth salts via https://api.wordpress.org/secret-key/1.1/salt/ and store them in `.env`.
- Ensure Traefik enforces HTTPS and apply rate limiting/WAF middleware as needed.
- Schedule backups (database dumps + `wordpress_data`) off-host; the stack does not include automated backups by default.

## Troubleshooting

- Bad gateway from Nginx usually means PHP-FPM isn’t reachable; check `docker compose logs wordpress wordpress_nginx`.
- If Compose warns about `version: '3'`, you can remove that line—it’s optional with Compose V2.
- Ensure the Traefik network exists: `docker network ls | grep traefik_default`.
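
A pre-flight check for the plugin seed list described under "Managing the plugin seed list", as an added example that is not part of this repository. It assumes every entry is a plain wordpress.org slug (lowercase letters, digits, hyphens); the script name `check-plugins.sh` and the function `check_plugin_list` are hypothetical.

```bash
#!/bin/sh
# Added example, not part of this repository: lint config/plugins.txt before
# running the wpcli_seed job. Assumption: every entry is a plain wordpress.org
# slug (lowercase letters, digits, hyphens). `wp plugin install` also accepts
# zip paths and URLs, and a leading "-" would be parsed as an option, so
# anything that is not a bare slug is reported instead of being installed.

# check_plugin_list FILE
# Prints "line N: <reason>: <entry>" per problem; returns 0 only for a clean
# list, 1 if any entry was rejected, 2 if the file cannot be read.
check_plugin_list() (
  LC_ALL=C; export LC_ALL             # make [a-z] mean ASCII only
  file=$1; n=0; bad=0; seen=' '
  cr=$(printf '\r')
  [ -r "$file" ] || { echo "cannot read $file" >&2; exit 2; }
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    line=${line%"$cr"}                # tolerate CRLF line endings
    case $line in
      '') continue ;;                 # blank lines carry no entry
      *[!a-z0-9-]*|-*|*-)
        printf 'line %s: not a plain slug: %s\n' "$n" "$line"
        bad=1; continue ;;
    esac
    case $seen in
      *" $line "*)
        printf 'line %s: duplicate slug: %s\n' "$n" "$line"; bad=1 ;;
      *) seen="$seen$line " ;;
    esac
  done < "$file"
  exit "$bad"
)

# Usage: sh check-plugins.sh config/plugins.txt && docker compose up wpcli_seed
[ "$#" -eq 0 ] || check_plugin_list "$1"
```

Because the seed job installs and activates whatever the file names, running this check in CI on every change to `config/plugins.txt` keeps the list reviewable as a set of wordpress.org slugs.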