3 releases 6 tags

RSS feed

• 1.0.2 675c2fddfe

  Compare

  1.0.2 Stable

  eric released this 2026-06-27 15:40:13 -07:00 | 0 commits to main since this release

  What's Changed

  Security

  • Removed non-standard X-Host header from trusted-proxy mode. When MULTI_DOMAIN_REDUX_TRUST_PROXY=true, only X-Forwarded-Host (RFC 7239) is now honored. The non-standard X-Host header is not set by any common reverse proxy (nginx, Apache, HAProxy, Caddy), but trusting it allowed an unauthenticated caller to inject a configured hostname via a header operators would not think to strip at the proxy layer.

  Fixed

  • ContentRewriter now rewrites URLs with explicit port numbers. URLs like https://example.com:8080/path embedded in post or comment content were previously skipped. The port is consumed and discarded; the rewritten URL uses the target host on its default port.

  Documentation

  • Trusted-proxy mode: documented that the reverse proxy must strip X-Forwarded-Host from inbound client requests and inject it only server-side, with an nginx example. Explicitly listed which headers are honored (X-Forwarded-Host, X-Forwarded-Proto only).
  • Hreflang: documented that hosts with no locale set are excluded from hreflang output — the built-in per-host opt-out for hosts you don't want advertised (e.g. a quiet Tor onion mirror).
  • Host configuration: documented that every configured host is added to the WordPress safe-redirect allowlist; only add hostnames you own and control.

  ---

  Full changelog: CHANGELOG.md

  Downloads

  • Source code (ZIP)
    0 downloads
  • Source code (TAR.GZ)
    0 downloads

  ---

  • multi-domain-redux.1.0.2.zip
    0 downloads · 2026-06-27 15:40:09 -07:00 · 38 KiB
• 1.0.1 c44d8f96e4

  Compare

  1.0.1 Stable

  eric released this 2026-06-25 23:23:21 -07:00 | 15 commits to main since this release

  Multi-Domain Redux 1.0.1

  Patch release. Upgrade immediately if running 1.0.0.

  Fixed

  • Blank post and comment content. With the plugin active, post bodies
    rendered empty and comment pages returned a server error. ContentRewriter's
    inline-URL regex used # as its delimiter while the boundary character class
    also contained a literal #, which closed the pattern early — preg_replace()
    failed to compile and returned null, blanking the content. The delimiter is
    now ~. URL rewriting in links, menus, and assets was unaffected.

  Added a ContentRewriter regression test covering this case, the
  protocol-relative form, and suffix-domain boundaries (example.com.evil.com
  stays untouched).

  No configuration changes. Download multi-domain-redux.1.0.1.zip and upload via
  Plugins → Add New → Upload Plugin to replace 1.0.0.

  Downloads

  • Source code (ZIP)
    0 downloads
  • Source code (TAR.GZ)
    0 downloads

  ---

  • multi-domain-redux.1.0.1.zip
    0 downloads · 2026-06-26 18:18:45 -07:00 · 36 KiB
• 1.0.0 6847c6a841

  Compare

  1.0.0 Pre-release

  eric released this 2026-06-25 23:08:48 -07:00 | 16 commits to main since this release

  Multi-Domain Redux 1.0.0

  First stable release. Multi-Domain Redux is a ground-up reimplementation of the
  Multiple Domain plugin (originally by Gustavo Straube, later handed to goINPUT
  and moved to the wordpress.org SVN). The original solved a real problem - serving
  one WordPress install across several domains and rewriting emitted links so a
  visitor stays on the domain they arrived on - but its published baseline targets
  WordPress 4.0–5.2.4 and ships under GPLv2, and the request-handling it relies on
  predates the trust-boundary and Tor-onion concerns this rewrite was built for.

  Rather than retrofit an aging codebase, the functionality was rebuilt from scratch
  on a modern platform with security-first request handling. Multi-Domain Redux is
  not backward-compatible with Multiple Domain - it shares no constant, option,
  or shortcode names, and is distributed self-hosted, not via wordpress.org.

  What carries over from Multiple Domain

  • Serve one WordPress install on multiple hostnames; rewrite every emitted URL to
    the host the visitor arrived on, so navigation stays end-to-end on one domain.
  • Optional per-host base path to scope a host to a subset of URLs.
  • Per-host language → SEO <link rel="alternate" hreflang="..."> tags.

  What's new in the rewrite

  • Modern platform baseline. PHP 8.2+ and WordPress 6.4+, with
    declare(strict_types=1), typed properties, and PSR-4 autoloading.
    (Multiple Domain's published baseline is WP 4.0 / tested to 5.2.4.)
  • GPL-3.0-or-later (up from GPLv2).
  • Explicit host trust boundary. X-Forwarded-Host / X-Forwarded-Proto are
    honored only when MULTI_DOMAIN_REDUX_TRUST_PROXY is true; an unmatched
    or spoofed Host falls back to the configured primary host instead of being
    trusted.
  • Tor v3 onion support. Onion hosts always emit over http, with a documented
    nginx + trusted-proxy reverse-proxy recipe.
  • RedirectGuard covers wp_redirect, redirect_canonical, and
    allowed_redirect_hosts, so login, post-save, and canonical redirects don't
    bounce a visitor off the host (or off Tor) they came in on.
  • [multi_domain_redux] shortcode - outputs the current resolved host.
  • Test suite (Brain Monkey unit + wp-env integration) and CI on PHP 8.2–8.5.

  Requirements & performance

  Multi-Domain Redux targets PHP 8.2+ and WordPress 6.4+.

  Its per-request overhead is under a millisecond and statistically
  indistinguishable from the plugin it replaces — page render time dominates,
  not the plugin layer. Measured on a single wp-env install (PHP 8.5, 200
  requests per cell, median time-to-last-byte over loopback with the domain
  host forged):

  Configuration	Front page /	Single post /?p=1
  No multi-domain plugin	23.8 ms	27.5 ms
  Multi-Domain Redux	24.4 ms	27.8 ms
  Multiple Domain (legacy)	24.5 ms	27.9 ms

  Both plugins land within ~1 ms of running no plugin at all, and within ~0.1 ms
  of each other — effectively native speed. If you're migrating from an older
  install and the site feels snappier, that gain comes from running on a modern
  PHP version, not from the plugin itself.

  Security hardening (this release)

  • Hreflang reflection removed. HreflangEmitter emits only the request path;
    the attacker-controllable query string is no longer reflected into the
    alternate-host <link> tags rendered on every front-end page.
  • Stricter host parsing. HostHeader::normalize() rejects host candidates
    containing @ or /, so values like http://evil.com or user:pass@host
    can't collapse to a bogus hostname label.

  Requirements

  • WordPress 6.4+
  • PHP 8.2+

  Install

  Download multi-domain-redux.1.0.0.zip below and install via
  Plugins → Add New → Upload Plugin, or extract into wp-content/plugins/.
  Updates are served from this releases page; the plugin opts out of
  wordpress.org update checks via its Update URI header.

  Migrating from Multiple Domain

  There is no automatic migration. Multi-Domain Redux uses its own option and
  constant names (multi_domain_redux_*, MULTI_DOMAIN_REDUX_*) and its own
  shortcode, so it runs independently - deactivate Multiple Domain and re-enter
  your hosts under Settings → Multi-Domain Redux.

  Downloads

  • Source code (ZIP)
    0 downloads
  • Source code (TAR.GZ)
    0 downloads

  ---

  • multi-domain-redux.1.0.0.zip
    0 downloads · 2026-06-25 22:57:57 -07:00 · 38 KiB