GUESTBOOKIT SECURITY HARDENING — what changed and what YOU must do
==================================================================

PART A — CODE CHANGES IN THIS ZIP (deploy by extracting at public_html/)
-----------------------------------------------------------------------
1. guestbookit.com/partner/profile.php
   guestbookit.com/admin/partner-edit.php
   - These were the ONLY two upload handlers using raw move_uploaded_file()
     instead of the hardened Upload class. Both now route through
     Upload::saveImage(), which enforces: is_uploaded_file() check,
     finfo MIME detection, a randomly generated hex filename, and a
     whitelist-only extension. No upload in the app uses a raw path now.

2. guestbookit.com/uploads/.htaccess  (hardened)
   - Blocks ALL script execution in the uploads tree (php/phtml/phar/cgi/
     pl/py/etc.), turns the PHP engine off, serves any such file as plain
     text, and rejects non-GET/HEAD methods. Even if a malicious file
     lands here, it cannot run.

3. guestbookit_project/.htaccess  (hardened)
   - Denies ALL web access to the private code/vendor/config tree, and
     disables PHP execution there too.

4. guestbookit.com/_bootstrap.php
   - Now auto-locates guestbookit_project/ whether it sits ABOVE the web
     root (preferred, secure) or as a sibling (legacy). This lets you do
     the relocation in PART B without breaking anything.

PART B — SERVER STEPS YOU MUST DO MANUALLY (the real fix)
---------------------------------------------------------
The exposed vendor/ directory was the likely entry vector. .htaccess
alone did not protect it (bots crawled it), which means either AllowOverride
was off or the file was removed by malware. The reliable fix is to move the
private project ABOVE the web root so it is physically unreachable:

  # 1. Move the private project above the web root:
  mv /home/bigsness/public_html/guestbookit_project /home/bigsness/guestbookit_project

  # 2. The updated _bootstrap.php will find it there automatically.
  #    Verify the site loads, then confirm these all return 403/404:
  #      https://guestbookit.com/guestbookit_project/vendor/autoload.php
  #      https://guestbookit.com/guestbookit_project/config/config.php

  # 3. Confirm PHP cannot execute in uploads:
  #      Put a test file uploads/test.php containing <?php echo 'X';
  #      Visit https://guestbookit.com/uploads/test.php
  #      It must NOT print X (should download/403/plain-text). Delete after.

  # 4. Ensure Apache honors .htaccess for this docroot:
  #      AllowOverride All   (in the vhost/Directory block)
  #    If AllowOverride is None, .htaccess files are IGNORED — which would
  #    explain the original vendor exposure. This MUST be All (or at least
  #    permit Limit/FileInfo/AuthConfig). Confirm with your host.

PART C — STILL REQUIRED (not code; do before going live)
--------------------------------------------------------
- Rotate ALL credentials (DB, Stripe, AWS, cPanel/SSH/FTP). A year-long
  backdoor with file read means config secrets were exposed the whole time.
- Confirm the server is fully clean (the earlier cleanup missed backdoors).
- Identify the entry point with your host so it cannot recur.