enlivenapp / pubvana
Pubvana CMS v2 — a modern blogging and content management system built on CodeIgniter 4 and Shield.
Maintainers
Requires
- php: ^8.2
- abraham/twitteroauth: ^8.1
- codeigniter4/framework: ^4.7
- codeigniter4/queue: ^1.0
- codeigniter4/settings: ^2.2
- codeigniter4/shield: ^1.2
- codeigniter4/tasks: ^1.0
- erusev/parsedown: ^1.8
- league/oauth2-client: ^2.9
- league/oauth2-facebook: ^2.2
- league/oauth2-google: ^4.1
- spomky-labs/otphp: ^11.4
Requires (Dev)
- fakerphp/faker: ^1.9
- mikey179/vfsstream: ^1.6
- phpunit/phpunit: ^10.5.16
README
Blogging and Small Business CMS
Pubvana v2 is a full rewrite of Pubvana v1.x built on CodeIgniter 4, Authentication with Shield, a modern admin UI, dual content editors, theme, plugin & widget system, built-in marketplace, and many new features. We aim for Pubvana to be lean and fast without the bloat of other CMS and Blog software available.
These instructions are for users comfortable with the command line and terminal. If you'd prefer a streamlined experience, [go here: placeholder].
For Developers
Developers looking to build themes or widgets for Pubvana can find everything they need in these guides:
- ThemeBuilder.md — Complete theme development guide
- WidgetBuilder.md — Complete widget development guide
- PluginBuilder.md — Complete plugin development guide
Installation
1. Prerequisites
Before installing, make sure you have:
- PHP 8.2+ with required extensions (see Requirements below)
- Composer (getcomposer.org)
- MySQL 5.7+ or MariaDB 10.3+
- A web server (Apache with mod_rewrite, or Nginx)
Create an empty MySQL database and a user with full privileges on it. You'll need the database name, username, and password for the next steps.
2. Download
For Production : for site owners deploying Pubvana as is:
Navigate to the directory you wish to use for the project root.
cd ~/public_html/
Install Pubvana from Packagist. (Note the '.' to install into your current directory)
composer create-project enlivenapp/pubvana .
For Development : for contributors who want to run tests, build additional features and work on the codebase:
git clone https://github.com/enlivenapp/pubvana.git
cd pubvana
composer install
The remaining steps apply to production and development environments.
3. Configure
Open the sample environment file in a text editor or Vim/Nano:
Edit these lines at a minimum: (uncomment (remove #))
CI_ENVIRONMENT = production # or development
app.baseURL = 'https://your-domain.com/'
database.default.hostname = localhost
database.default.database = your_database_name
database.default.username = your_database_user
database.default.password = your_database_password
Set CI_ENVIRONMENT to production for a live site or development for local
work. Leaving this commented defaults to the production environment
Save this file as .env
4. Initialize
On the command line run these commands separately.
php spark key:generate php spark migrate --all php spark db:seed DatabaseSeeder
Then create your admin user:
php spark shield:user create -n yourusername -e you@example.com php spark shield:user password -e you@example.com php spark shield:user addgroup -e you@example.com -g superadmin
The first command creates the account, the second prompts you to set a password, and the third assigns the superadmin role.
5. Web Server
Point your web server to the public/ folder. https://your-server/path-to-pubvana. You should see the homepage of your new website.
6. Log In
Visit https://your-server/path-to-pubvana/login and sign in with the admin credentials you created in step 4.
7. File and Directory Structure
Your web host serves files from the directory where index.php lives Detailed Information. Pubvana uses the default CodeIgniter ~DOC_ROOT/public/ setup and attempts to forward traffic to /public/index.php with clean URLs. To increase security or if an .htaccess won't be honored (Nginx), you can change where these files reside on the server or edit your Nginx config file. Check the link above for detailed information how to move core files outside the web root, index.php into the root folder public_html on shared servers.
8. Theme Assets and Media
Theme Assets and Media: Theme assets and media uploads are stored inside the web server's document root automatically. No symlinks are needed. Visit Admin → Themes to ensure theme assets are published.
Quick troubleshooting: If writable/sessions, writable/cache, and writable/logs are not writable by the web user, CodeIgniter will give the white screen of death when the environment is set to production. You may find the exact reason in the web server's logs (not CodeIgniter's). If you're having significant trouble diagnosing the issue, set CI_ENVIRONMENT = development temporarily in your .env file which will show the debug bar and (likely) the exception causing the issue. CodeIgniter Doc - Running Your App | CodeIgniter Troubleshooting
CLI Commands
| Command | Description |
|---|---|
php spark wp:import <file> |
Import posts/pages/tags from a WordPress WXR export file |
php spark posts:publish |
Publish scheduled posts whose publish date has passed |
php spark links:check |
Scan all published posts and pages for broken external links |
php spark marketplace:revalidate |
Re-validate installed premium item licences against pubvana.net |
php spark pubvana:update [--dry-run] |
Check for and apply Pubvana core updates |
Cron Jobs
Scheduled post publishing requires a cron job. Add to crontab by command line:
* * * * * path/to/php /path/to/pubvana/spark posts:publish >> /dev/null 2>&1
Often it's easier to create Crons in your web control panel (CPanel/DirectAdmin). To help:
* * * * *are the time slots.path/to/php /path/to/pubvana/spark posts:publishCommand to rundev/null 2>&1fancy way to say throw it away. You have more choices in your control panel.
Run path/to/php /path/to/pubvana/spark links:check as needed (e.g. weekly) — to automate checking for broken links, results appear in Admin → Broken Links.
Requirements
- PHP 8.2+
- MySQL 5.7+ / MariaDB 10.3+
- Composer (highly recommended)
- Apache
mod_rewrite(or Nginx equivalent) - PHP extensions:
intl,mbstring,json,mysqlnd,gd,zip
Stack (v2)
| Layer | Technology |
|---|---|
| Framework | CodeIgniter 4.7 |
| Authentication | CodeIgniter Shield |
| Admin UI | SB Admin 2 (Bootstrap 4 + jQuery) |
| Public theme | Bootstrap 5 + Font Awesome 6 |
| HTML editor | Summernote |
| Markdown editor | SimpleMDE |
Features (v2)
- Posts & Pages with draft/published/scheduled workflow
- Dual content editor — WYSIWYG HTML or Markdown, selectable per post
- Theme system with sandboxed .tpl engine, widget areas, theme options, and framework-agnostic widgets
- 8 built-in widgets with drag-and-drop area management
- Configurable front page — blog index or any static page
- Marketplace — browse and install free themes & widgets (live API + cache + mock fallback)
- Role-based access — superadmin, admin, editor, author, subscriber
- Media library with auto-generated thumbnails
- Navigation manager with drag-and-drop reordering
- Comment moderation — approve, spam, or trash
- SEO — per-post meta, sitemap.xml, RSS feed, Google Analytics
- 301/302 redirect manager
- Social links manager
- Author profiles with bio cards on posts
- Social OAuth login (Google, Facebook)
- Social auto-share on publish (Twitter, Facebook)
- WordPress importer (admin UI +
php spark wp:importCLI) - Post revision history with one-click restore
Security
Reporting a Vulnerability
Please do not open a public issue for security vulnerabilities. Email security reports to cs@pubvana.net. We aim to respond within 48 hours and will credit reporters in the changelog.
hCaptcha (Spam Protection)
Pubvana uses hCaptcha (privacy-respecting, non-Google) to protect comment forms and the contact form from spam bots. hCaptcha is free for most sites.
Setup:
- Sign up at hcaptcha.com (free)
- Create a new site and copy the site key and secret key
- Add to your
.env:
HCAPTCHA_SITE_KEY = your-site-key
HCAPTCHA_SECRET_KEY = your-secret-key
If these keys are not set, hCaptcha is silently skipped — safe for local development. Once configured, the widget appears automatically on the comment form and contact page.
Production Hardening Checklist
Before deploying to a public server:
- Set
CI_ENVIRONMENT = productionin.env— disables stack traces and debug output - Use a strong password for your admin account
- Set
app.baseURLto your actual domain in.env - Set
app.forceGlobalSecureRequests = trueinapp/Config/App.phpto enforce HTTPS and send HSTS headers - Enable CSP: set
app.CSPEnabled = trueinapp/Config/App.phpand configure a policy appropriate to your theme - Verify your web server's DocumentRoot points to
public/— this keepswritable/(sessions, cache, logs) outside the web root automatically - Ensure
.envhas permissions600and is not committed to version control - Run
php spark key:generateonce per installation — do not reuse encryption keys across sites
Content Security Note
Post, page, and widget content is stored and rendered as raw HTML. This is intentional — administrators are trusted to write HTML directly. If your site allows editors or authors to submit HTML content, consider adding server-side HTML sanitization (e.g. HTML Purifier) to your post-save pipeline before rendering untrusted content.
Security Fixes Log
| Version | Fix |
|---|---|
| 2.2.3 | DB dump escaping fixed: replaced escapeLikeString() with escape() — old method could corrupt or expose data in backup SQL dumps |
| 2.2.2 | Theme and widget sandboxing: custom .tpl template engine with whitelisted filters and tag functions replaces raw PHP execution. No PHP files permitted in theme or widget directories — themes and widgets are pure .tpl templates + JSON manifests. PHP validation warnings shown in admin if violations detected. Eliminates arbitrary code execution via uploaded or modified themes/widgets. |
| 2.2.2 | CSRF fields exposed to theme templates; comment form uses proper CSRF tag |
| 2.2.0 | Honeypot spam protection re-enabled on comment and contact form POST routes; field name changed from honeypot to website_url to reduce bot evasion |
| 2.0.4 | Permissions overhaul: explicit can() checks on 14 admin controllers |
| 2.0.4 | Login-gated comments with rate limiting (5 per user per 10 minutes) |
| 2.0.4 | hCaptcha spam protection on comment and contact forms |
| 2.0.4 | Revisions: authors restricted to own post revisions only |
| 2.0.4 | Delete remember tokens on user ban to prevent cookie re-auth |
| 2.0.4 | Site owner protected from modification/deletion by non-owners |
| 2.0.2 | Marketplace ZIP installs: download URL restricted to pubvana.net; ZIP entries checked for path traversal |
| 2.0.2 | WordPress importer: switched to LIBXML_NONET to block XXE network fetches |
| 2.0.2 | User profile IDOR: profile and saveProfile now verify ownership or users.manage permission |
| 2.0.2 | Theme options: options and saveOptions now require admin.themes permission |
| 2.0.2 | Navigation: store, delete, reorder now require admin.navigation permission |
| 2.0.2 | Settings .env writer: key whitelist prevents arbitrary env key injection |
| 2.0.2 | Post list status filter validated against whitelist before use in query |
| 2.0.2 | Comment parent_id validated against same post to prevent cross-post injection |
| 2.0.2 | RSS feed: ]]> escaped inside CDATA sections |
| 2.0.2 | WordPress import: 50 MB file size limit to prevent DoS via XML parse |
Bug Reports & Feature Requests
Please use the Issues Tracker.
Links
pubvana.net — Home & Addon Store (Themes, Widgets, and other Addons)
License
Pubvana is released under the MIT Open Source License.
Contributors
- Enliven Applications
Translations
Translators Wanted!
Pubvana ships with 6 languages: English (source), Spanish (Latin American), French, Indonesian, Portuguese, and Slovak. French, Slovak, Indonesian, and Portuguese are partially AI-translated and need verification from native speakers.
If you would like to help verify or add translations, please fork this repo and send a PR.
Many Thanks to the folks who've provided translation. It is very apprciated.
- French — Paul DUBOT, Léonard GAURIAU, Clément TRASSOUDAINE, Jean-Baptiste VALLADEAU, Rhagngahr
- Indonesian — Suhindra
- Portuguese — Samuel Fontebasso
- Slovak — Kristián Feldsam
Roadmap / Todo
Pubvana Core
Built-in Widgets
- Recent Posts
- Tag Cloud
- Categories List
- Archive List
- Search Form
- Social Links
- Text Block
- Recent Comments
- Table of Contents
- Related Posts
Platform Features
- Author Profiles & Bio Card
- Social OAuth Login (Google, Facebook)
- Social Auto-Share on Publish (Twitter, Facebook)
- Marketplace API with cache + refresh
- WordPress Importer (admin UI +
php spark wp:importCLI) - Post Revision History
- Maintenance Mode toggle
- Core update notifications +
php spark pubvana:updateCLI - Content Preview Links (shareable draft URLs)
- Bulk Post Actions (publish / unpublish / delete many)
- Schema.org Markup (Article, BreadcrumbList, Author JSON-LD)
- Image WebP Auto-Convert on Upload
- Multi-language Support (22 languages, admin enable/disable,
{locale}URL routing,lang()throughout views) - Honeypot Spam Protection (CI4 built-in filter on comment + contact forms)
- Atom 1.0 Feed (
/atomalongside existing RSS) - Email Notifications / Subscriptions (subscribe to new posts, email verification, unsubscribe)
- Links Manager / Blogroll (display a curated list of external links via widget)
Pubvana Premium
Premium Core Features (pubvana.net — license required)
- Scheduled Post Queue (calendar view)
- Content Analytics (page views, popular posts, referrers)
- Advanced SEO (OG image generation, schema breadcrumbs, news sitemap)
- Two-Factor Authentication (TOTP)
- Backup & Export (DB + uploads zip)
- Membership / Paywalled Posts
- Affiliate Link Manager (
/go/short links + click tracking) - Broken Link Checker
- Activity / Audit Log
Premium Widgets (pubvana.net/store)
- Author Bio (sidebar)
- Ad Unit / Custom HTML
- Social Follow Buttons
- Tip Jar / Per-post donations
- Reading Progress Bar
- Enhanced Search (AJAX live preview)
- Email Opt-in / Lead Capture
- Countdown Timer
- Advanced Login
- Gallery (masonry + lightbox)
- Google Calendar & Maps
- YouTube Channel Feed
Premium Plugins (pubvana.net/store)
- E-commerce (products, cart, checkout, orders)