Maintained by: Archis Gore

This is a specialized WordPress Docker image built on Encrypted-Execution PHP, providing parser-level protection through symbol scrambling while maintaining full WordPress compatibility.

Based on Docker Official WordPress Image

This repository is based on the Docker Official WordPress Image maintained by the Docker Community. We extend our sincere thanks and credit to the Docker Community for creating and maintaining the excellent base WordPress image that this project builds upon.

Upstream Repository: https://github.com/docker-library/wordpress

What Makes This Different?

This WordPress image uses Encrypted-Execution PHP, which provides:

• Symbol Scrambling: PHP keywords and symbols can be scrambled at the parser level
• Parser-Level Protection: Makes PHP source code significantly harder to reverse engineer
• Full Compatibility: WordPress runs normally with all features intact
• WordPress Extensions: Pre-compiled with all required WordPress PHP extensions
  • mysqli, pdo_mysql (database)
  • gd (image manipulation with avif, freetype, jpeg, webp)
  • intl (internationalization)
  • bcmath (precision math)
  • exif (image metadata)
  • zip (plugin/theme installation)
  • imagick (advanced image processing)

Quick Start

Basic Usage (Non-Scrambled Mode)

docker pull ghcr.io/encrypted-execution/encrypted-wordpress-php8.5-apache:latest

docker run -d \
  -p 8080:80 \
  -e SCRAMBLE_ON_START=false \
  -e WORDPRESS_DB_HOST=mysql \
  -e WORDPRESS_DB_USER=wordpress \
  -e WORDPRESS_DB_PASSWORD=password \
  -e WORDPRESS_DB_NAME=wordpress \
  ghcr.io/encrypted-execution/encrypted-wordpress-php8.5-apache:latest

With MySQL Database

docker network create wordpress-net

# Start MySQL
docker run -d \
  --name mysql \
  --network wordpress-net \
  -e MYSQL_ROOT_PASSWORD=rootpass \
  -e MYSQL_DATABASE=wordpress \
  -e MYSQL_USER=wordpress \
  -e MYSQL_PASSWORD=password \
  -v mysql-data:/var/lib/mysql \
  mysql:8.0

# Start WordPress (non-scrambled mode)
docker run -d \
  --name wordpress \
  --network wordpress-net \
  -p 8080:80 \
  -e SCRAMBLE_ON_START=false \
  -e WORDPRESS_DB_HOST=mysql \
  -e WORDPRESS_DB_USER=wordpress \
  -e WORDPRESS_DB_PASSWORD=password \
  -e WORDPRESS_DB_NAME=wordpress \
  ghcr.io/encrypted-execution/encrypted-wordpress-php8.5-apache:latest

Visit http://localhost:8080 to complete WordPress installation.

Persistent Storage

WordPress files and uploads need persistent storage for production use.

Important: WordPress Mount Point

WordPress files should be mounted at /wordpress in the container. The container will handle symlinking or copying files to /var/www/html (Apache's document root) based on the SCRAMBLE_ON_START setting:

• When SCRAMBLE_ON_START=false: Creates a symlink from /var/www/html to /wordpress (files remain unmodified)
• When SCRAMBLE_ON_START=true: Deep-copies /wordpress to /var/www/html and scrambles all PHP files (original files in /wordpress remain untouched)

Auto-Populate WordPress Files (Recommended)

Mount an empty directory or Docker volume at /wordpress and WordPress will automatically populate it with default files on first startup:

# Using a Docker volume (recommended)
docker volume create wordpress-files

docker run -d \
  --name wordpress \
  -p 8080:80 \
  -e SCRAMBLE_ON_START=false \
  -e WORDPRESS_DB_HOST=mysql \
  -e WORDPRESS_DB_USER=wordpress \
  -e WORDPRESS_DB_PASSWORD=password \
  -e WORDPRESS_DB_NAME=wordpress \
  -v wordpress-files:/wordpress \
  ghcr.io/encrypted-execution/encrypted-wordpress-php8.5-apache:latest

# Or using a host directory
mkdir -p ./wordpress-data

docker run -d \
  --name wordpress \
  -p 8080:80 \
  -e SCRAMBLE_ON_START=false \
  -e WORDPRESS_DB_HOST=mysql \
  -e WORDPRESS_DB_USER=wordpress \
  -e WORDPRESS_DB_PASSWORD=password \
  -e WORDPRESS_DB_NAME=wordpress \
  -v ./wordpress-data:/wordpress \
  ghcr.io/encrypted-execution/encrypted-wordpress-php8.5-apache:latest

What happens on first startup:

• The container detects the empty /wordpress directory
• WordPress core files are automatically copied from /usr/src/wordpress
• Your mounted directory is now populated and ready to use
• Subsequent restarts reuse existing files (no re-copy)
• Based on SCRAMBLE_ON_START, files are either symlinked or copied to /var/www/html

Mount Existing WordPress Installation

To use your own existing WordPress installation:

docker run -d \
  --name wordpress \
  -p 8080:80 \
  -e SCRAMBLE_ON_START=false \
  -e WORDPRESS_DB_HOST=mysql \
  -e WORDPRESS_DB_USER=wordpress \
  -e WORDPRESS_DB_PASSWORD=password \
  -e WORDPRESS_DB_NAME=wordpress \
  -v /path/to/your/wordpress:/wordpress \
  ghcr.io/encrypted-execution/encrypted-wordpress-php8.5-apache:latest

Mount Specific Directories

For more granular control, mount individual directories:

docker run -d \
  --name wordpress \
  -p 8080:80 \
  -e SCRAMBLE_ON_START=false \
  -e WORDPRESS_DB_HOST=mysql \
  -e WORDPRESS_DB_USER=wordpress \
  -e WORDPRESS_DB_PASSWORD=password \
  -e WORDPRESS_DB_NAME=wordpress \
  -v wordpress-files:/wordpress \
  -v wordpress-plugins:/wordpress/wp-content/plugins \
  -v wordpress-themes:/wordpress/wp-content/themes \
  -v wordpress-uploads:/wordpress/wp-content/uploads \
  ghcr.io/encrypted-execution/encrypted-wordpress-php8.5-apache:latest

Complete Production Example with Persistent Storage

# Create network
docker network create wordpress-net

# Create volumes for persistence
docker volume create mysql-data
docker volume create wordpress-files

# Start MySQL with persistent storage
docker run -d \
  --name mysql \
  --network wordpress-net \
  -e MYSQL_ROOT_PASSWORD=rootpass \
  -e MYSQL_DATABASE=wordpress \
  -e MYSQL_USER=wordpress \
  -e MYSQL_PASSWORD=password \
  -v mysql-data:/var/lib/mysql \
  mysql:8.0

# Start WordPress with persistent storage (non-scrambled)
docker run -d \
  --name wordpress \
  --network wordpress-net \
  -p 8080:80 \
  -e SCRAMBLE_ON_START=false \
  -e WORDPRESS_DB_HOST=mysql \
  -e WORDPRESS_DB_USER=wordpress \
  -e WORDPRESS_DB_PASSWORD=password \
  -e WORDPRESS_DB_NAME=wordpress \
  -v wordpress-files:/wordpress \
  ghcr.io/encrypted-execution/encrypted-wordpress-php8.5-apache:latest

Encryption Modes

Non-Scrambled Mode (Default)

Runs with standard PHP (vanilla mode) - recommended for development and when you don't need encryption:

docker run -d \
  -p 8080:80 \
  -e SCRAMBLE_ON_START=false \
  -e WORDPRESS_DB_HOST=mysql \
  -e WORDPRESS_DB_USER=wordpress \
  -e WORDPRESS_DB_PASSWORD=password \
  -e WORDPRESS_DB_NAME=wordpress \
  -v wordpress-files:/wordpress \
  ghcr.io/encrypted-execution/encrypted-wordpress-php8.5-apache:latest

Scrambled Mode

Runs with encrypted/scrambled PHP for enhanced protection - use in production for source code protection:

docker run -d \
  -p 8080:80 \
  -e SCRAMBLE_ON_START=true \
  -e WORDPRESS_DB_HOST=mysql \
  -e WORDPRESS_DB_USER=wordpress \
  -e WORDPRESS_DB_PASSWORD=password \
  -e WORDPRESS_DB_NAME=wordpress \
  -v wordpress-files:/wordpress \
  ghcr.io/encrypted-execution/encrypted-wordpress-php8.5-apache:latest

Important Notes:

• When SCRAMBLE_ON_START=true, WordPress files are deep-copied from /wordpress to /var/www/html and all PHP files are scrambled
• Original files in /wordpress remain untouched and readable
• Scrambling replaces PHP keywords in the source code with scrambled equivalents
• PHP execution uses the scrambled parser for additional protection
• When SCRAMBLE_ON_START=false, files are symlinked (no copying or scrambling)
• Performance impact is minimal
• Switch between modes by changing SCRAMBLE_ON_START value and restarting the container

⚠️ CRITICAL SECURITY REQUIREMENT:

• When SCRAMBLE_ON_START=true, the scrambling dictionary (/var/lib/encrypted-execution/token-map.json) MUST exist
• If the dictionary is missing, the container will FAIL TO START with an error
• This is a fail-fast security mechanism to prevent running unscrambled code when scrambling is expected
• The container logs will show: ERROR: SCRAMBLE_ON_START is enabled but dictionary file not found
• This is intentional - if you expect scrambling but it's not happening, that's a critical security failure

Architecture

This image uses a layered architecture:

1. Base: encrypted-php8.5-apache-debian - Core PHP with encryption support
2. WordPress PHP Base: wordpress-php8.5-apache - Adds WordPress extensions
3. WordPress: Adds WordPress 6.9 and configuration

Supported Versions

• WordPress: 6.9
• PHP: 8.5.2
• Variants: Apache only (PHP 8.5)

Building from Source

Prerequisites

# Clone the repository
git clone https://github.com/encrypted-execution/wordpress.git
cd wordpress

Build WordPress PHP Base Image

cd wordpress-php-base
./build.sh

# Or manually:
docker build -t ghcr.io/encrypted-execution/encrypted-wordpress-php8.5-apache:latest .

Build WordPress Image

cd latest/php8.5/apache
docker build -t wordpress-encrypted:latest .

Testing

Using Docker Compose

The repository includes a docker-compose.yml for testing:

cd test
docker compose up

# Visit http://localhost:8080

Example docker-compose.yml

services:
  wordpress:
    image: ghcr.io/encrypted-execution/encrypted-wordpress-php8.5-apache:latest
    ports:
      - "8080:80"
    environment:
      SCRAMBLE_ON_START: "false"  # Set to "true" for encrypted mode
      WORDPRESS_DB_HOST: db
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: wordpress
      WORDPRESS_DB_NAME: wordpress
    volumes:
      - wordpress_data:/wordpress
    depends_on:
      - db
    networks:
      - wordpress_network

  db:
    image: mysql:8.0
    environment:
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD: wordpress
      MYSQL_ROOT_PASSWORD: rootpassword
    volumes:
      - db_data:/var/lib/mysql
    networks:
      - wordpress_network

volumes:
  wordpress_data:
  db_data:

networks:
  wordpress_network:
    driver: bridge

Test with Scrambling Enabled

To test with encrypted PHP, change the environment variable:

services:
  wordpress:
    environment:
      SCRAMBLE_ON_START: "true"  # Enable encryption

Or use environment file:

# .env file
SCRAMBLE_ON_START=true
WORDPRESS_DB_HOST=db
WORDPRESS_DB_USER=wordpress
WORDPRESS_DB_PASSWORD=wordpress
WORDPRESS_DB_NAME=wordpress

Then reference in docker-compose.yml:

services:
  wordpress:
    env_file: .env
    volumes:
      - wordpress_data:/wordpress

Environment Variables

WordPress Configuration

Standard WordPress environment variables are supported:

• WORDPRESS_DB_HOST - MySQL host (default: mysql)
• WORDPRESS_DB_USER - MySQL user
• WORDPRESS_DB_PASSWORD - MySQL password
• WORDPRESS_DB_NAME - MySQL database name
• WORDPRESS_TABLE_PREFIX - Table prefix (default: wp_)
• WORDPRESS_DEBUG - Enable debug mode (default: empty/disabled)
• WORDPRESS_CONFIG_EXTRA - Additional PHP configuration

Encrypted-Execution Settings

• SCRAMBLE_ON_START - Enable PHP symbol scrambling (true/false, default: false)

Documentation

• SOLUTION.md - Implementation details and architecture
• TESTING_STATUS.md - Testing documentation and results
• ACTION_PLAN.md - Development planning and roadmap

Repository Structure

wordpress/
├── wordpress-php-base/          # WordPress PHP base image with extensions
│   ├── Dockerfile
│   └── build.sh
├── latest/php8.5/apache/        # WordPress 6.9 image
├── beta/php8.5/apache/          # Beta WordPress image
├── Dockerfile.template          # Template for generating Dockerfiles
├── versions.json                # Version configuration
├── apply-templates.sh           # Dockerfile generator
└── test/                        # Testing setup
    └── docker-compose.yml

Contributing

This is a specialized fork for encrypted-execution. For contributions:

1. Fork the repository
2. Create a feature branch
3. Make your changes
4. Submit a pull request

For issues with the base WordPress functionality, please refer to the upstream Docker WordPress repository.

For issues specific to encrypted-execution integration, please open an issue in this repository.

Credits

Maintainer

Archis Gore

• GitHub: @archisgore
• Repository: encrypted-execution/wordpress

Acknowledgments

This project builds upon the excellent work of:

• Docker Community - For creating and maintaining the Docker Official WordPress Image
• WordPress Community - For the amazing WordPress CMS
• PHP Community - For the PHP language and ecosystem

We are grateful for the solid foundation provided by these communities, which made this encrypted-execution variant possible.

License

This project inherits the license from the upstream Docker WordPress repository.

The encrypted-execution modifications are maintained separately and are subject to their own licensing terms.

Links

• This Repository: https://github.com/encrypted-execution/wordpress
• Encrypted-Execution PHP: https://github.com/encrypted-execution/php
• Upstream WordPress Image: https://github.com/docker-library/wordpress
• WordPress: https://wordpress.org
• Docker Hub (Upstream): https://hub.docker.com/_/wordpress/

Support

For support with:

• Encrypted-execution features: Open an issue in this repository
• WordPress functionality: Refer to WordPress Support
• Docker base image: Refer to Docker WordPress Issues

Note: This is a specialized WordPress image for encrypted-execution use cases. For standard WordPress deployments, we recommend using the official WordPress Docker image.