Custom PHP 8 + MySQL CMS, OWASP Top 10 hardened. No frameworks, no third-party
services, CSP locked to 'self'.
Upload everything to htdocs/ on InfinityFree. Notes:
sql/ must be uploaded too — install.php reads sql/schema.sql from disk
(web access to the folder is denied by sql/.htaccess).assets/vendor/README.md first: download prism.js and
chart.min.js into assets/vendor/ (optional but recommended)Create two PNG icons in assets/icons/: icon-192.png, icon-512.png
(export from favicon.svg).
InfinityFree control panel → MySQL Databases → create one. Note the host / db name / username / password.
Visit https://byte.pro.bd/install.php, fill in DB + first admin
(password min 12 chars). The installer:
config/config.php with a random 64-hex secret keyconfig/install.lockThen delete install.php from the server. Non-negotiable.
/admin/* (the .htaccess no-store headers
already tell it to, this is belt-and-braces).The app reads visitor IPs from CF-Connecting-IP only when the request
actually comes from Cloudflare’s published ranges (config/security.php),
so brute-force lockouts hit the real attacker, not the proxy. If Cloudflare
adds new ranges later, update ipFromCloudflare() from cloudflare.com/ips.
?i=1 redirect) can break feed.php / sitemap.php
for bots. Test with curl -A "Googlebot" after DNS moves to Cloudflare —
proxied traffic usually skips the check.mail() is unreliable there — that’s why contact messages go to the DB.install.php deleted from serverhttps://byte.pro.bd/config/config.php returns 403/404 (not code!)https://byte.pro.bd/protected_uploads/ returns 403<script>alert(1)</script> renders as textdownload.php?file=../../etc/passwd → 404config/ DB + security core (web access denied)
includes/ helpers, auth, TOTP, markdown (web access denied)
admin/ 2FA-protected panel (login, dashboard, posts, comments,
messages, files, subscribers, analytics, logs, backup, settings)
api/ react.php + comment-vote.php (CSRF-protected endpoints)
assets/ css / js / icons / vendor
sql/ schema.sql (installer), sample-posts.sql (optional),
upgrade-v2.sql (ONLY for upgrading a pre-v2 database)
*.php public pages
Included on top of the original build:
/author.php?id=N) + byline on posts?),
interactive terminal on About, Konami code easter egg 🎮Upgrading an existing pre-v2 database? Run sql/upgrade-v2.sql in
phpMyAdmin once. Fresh installs need nothing — schema.sql has it all.
/admin/login.php (password → TOTP)hash_equals)security_logs (viewer: /admin/logs.php)