A complete, secure, and modern registration portal for World of Warcraft: Mists of Pandaria (5.4.8) private servers. Built for TrinityCore-based cores (including repacks).

• Features
• Preview
  • Home Page
  • User Dashboard
  • Admin Dashboard - Overview
  • Admin Dashboard - Accounts
  • Admin Dashboard - Tickets
• Quick Start
• One-Click Installer
• Release Packaging For The Installer
• Requirements
  • Recommended: XAMPP
  • PHP Extensions
• Installation
  • 1. Download
  • 2. Configure
  • 3. Database Setup
  • 4. Feature Flags
  • 5. Social Links & Content
  • 6. Dependencies
  • 7. Enable mod_rewrite
• Admin Dashboard
• Customization
  • Changing Text and Labels
  • Replacing Images and Logo
• Project Structure
• Security Notes
• Troubleshooting
• License

• 🔒 Security — CSRF tokens, Google reCAPTCHA v2, PDO prepared statements, PHP-execution blocking on uploads
• 🛡️ Rate Limiting — Automatic lockout after failed login attempts (configurable)
• 🗝️ Auth — SHA-1 password hashing matching the TrinityCore format
• 📧 Email — SMTP password recovery and ticket notifications via PHPMailer
• 📊 Live Stats — Real-time server status, player counts, and animated counters
• 🌍 Multilingual — English and Spanish included; easy to add more
• 🎨 Modern UI — Dark gaming theme, Bootstrap 5, responsive design
• ⚙️ Feature Flags — Toggle tickets, password recovery, reCAPTCHA, and maintenance mode from config
• 🧑‍💼 Admin Dashboard — Account management, ban/unban, ticket management, audit log, character lookup, IP bans, email broadcast
• 🎫 Ticket System — Database-stored support tickets with admin replies, status tracking, and user history
• 📰 News & FAQ — Configurable news section and FAQ accordion on the home page
• 🗳️ Vote System — Vote site links on the user dashboard (configurable)
• 🔗 Social Links — Discord, YouTube, X (Twitter), Instagram — each individually toggleable

# 1. Install XAMPP — https://www.apachefriends.org/
# 2. Serve this project from your Apache web root or a dedicated VirtualHost/Alias
#    Do not run it from a subfolder such as /wow-legends without remapping DocumentRoot

# 3. Copy the sample config
copy config.sample.php config.php

# 4. Edit config.php with your DB credentials, realm info, site base URL, reCAPTCHA keys, etc.

# 5. Install PHP dependencies
composer install

# 6. Run the SQL setup (see Database Setup section below)

# 7. Start Apache from the XAMPP Control Panel (your repack already runs its own MySQL)

# 8. Visit the URL configured in config.php, for example http://localhost/

Windows users can bootstrap a guided installer with PowerShell:

Open PowerShell as Administrator, then run:

irm "https://raw.githubusercontent.com/timoinglin/wow-mop-registration/main/install.ps1" | iex

Before running it, make sure your WoW repack is already installed and its database server is already running. The installer sets up the website and local web server; it does not install or start the repack itself.

If you do not already have a repack, you can get one from EmuCoach.

What the installer does:

1. Checks that it is running as Administrator.
2. Shows the prerequisites and asks whether to continue before making any changes.
3. Checks whether XAMPP already exists and lets you choose whether to reuse it or stop.
4. Installs XAMPP 8.2 with winget when needed.
5. Downloads the latest prepared release ZIP and deploys it into C:\xampp\htdocs\.
6. Enables the required PHP extensions in XAMPP's php.ini.
7. Creates config.php from config.sample.php with safe defaults.
8. Prompts for database credentials, validates the MySQL server connection, verifies that the entered auth/characters database names exist, and offers to import sql/setup.sql.
9. Starts Apache and opens http://localhost/.

The installer intentionally disables advanced features in the generated config.php so the site can come up cleanly on first run:

• recaptcha
• recover_password
• tickets

It also sets site.base_url to http://localhost and leaves social/client links empty.

After the installer finishes, open config.php and add your reCAPTCHA keys and SMTP settings before enabling those features.

The easiest way to run this project is with XAMPP, which bundles Apache and PHP in a single installer. Your repack already provides its own MySQL database, so you only need XAMPP for the web server.

The following extensions must be enabled in php.ini. In XAMPP, open C:\xampp\php\php.ini, search for each extension, remove the leading ; to uncomment it, then restart Apache.

Clone the repo or download the ZIP, then serve it from your Apache site root:

C:\xampp\htdocs\

Copy config.sample.php to config.php:

config.sample.php  →  config.php

Open config.php and set:

Open phpMyAdmin (your repack's DB manager), select the auth database, go to the SQL tab, and run the contents of sql/setup.sql:

-- This creates 3 tables:
-- 1. password_resets  — for password recovery
-- 2. tickets          — for the support ticket system
-- 3. admin_audit_log  — for tracking admin actions

-- Compatible with MySQL 5.5.9+
-- See sql/setup.sql for the full script

You can also run it from the command line:

mysql -u root -pascent auth < sql/setup.sql

The script uses CREATE TABLE IF NOT EXISTS, so it's safe to run multiple times.

The features block in config.php lets you toggle features without touching code:

'features' => [
    'recaptcha'        => true,   // reCAPTCHA on all forms
    'recover_password' => true,   // Password recovery via email
    'tickets'          => true,   // Support ticket system
    'maintenance'      => false,  // Maintenance mode (GMs can still log in)
],

// Brute-force lockout settings (file-based, no DB table needed)
'security' => [
    'max_login_attempts' => 5,   // Failed attempts before lockout
    'lockout_minutes'    => 15,  // Duration of lockout in minutes
],

// Message shown during maintenance
'maintenance_message' => 'The server is currently under maintenance.',

Social links appear in the hero section and footer. Set to empty string '' to hide any link:

'social' => [
    'discord'   => 'https://discord.gg/your-invite',
    'youtube'   => '',   // hidden when empty
    'twitter'   => '',
    'instagram' => '',
],

News entries and FAQ items are also configured in config.php:

'news' => [
    ['title' => 'Server Launch!', 'date' => '2026-03-02', 'text' => 'We are live!', 'icon' => 'bi-megaphone'],
],

'faq' => [
    ['q' => 'Is it free to play?', 'a' => 'Yes, 100% free.'],
],

'vote_sites' => [
    ['name' => 'TopG', 'url' => 'https://topg.org/...', 'cooldown_hours' => 12],
],

Run Composer after a normal clone:

composer install

vendor/ is ignored by Git in this repo, so a fresh clone will not contain PHPMailer until Composer installs it. If you received a packaged copy that already includes vendor/, you can skip this step.

Pretty URLs (/login, /register) require Apache's mod_rewrite:

1. Open C:\xampp\apache\conf\httpd.conf
2. Find and uncomment: LoadModule rewrite_module modules/mod_rewrite.so
3. Find your <Directory> block and set AllowOverride All
4. Restart Apache

Accessible at /admin_dashboard for accounts with GM level ≥ 9.

All admin actions are logged to the admin_audit_log table automatically.

All user-facing text is in the lang/ folder:

lang/
├── en.php   ← English
└── es.php   ← Spanish

Edit the key-value pairs to change any text on the site:

// lang/en.php
'welcome'    => 'Welcome to WoW Legends',
'index_lead' => 'Join our MoP private server!',

Adding a new language:

1. Copy lang/en.php to e.g. lang/de.php
2. Translate all values
3. Add the new option to the language dropdown in templates/header.php

All images are stored in assets/img/:

wow-legends/
├── .htaccess             ← URL rewriting and basic hardening
├── .gitignore
├── assets/
│   ├── css/              ← style.css
│   └── img/              ← logos, backgrounds, race/class icons, screenshots
├── cache/
│   ├── login_history/    ← Per-user login history JSON files
│   └── rate_limit/       ← File-based login throttling data
├── includes/
│   ├── audit.php         ← Admin audit log helper
│   ├── auth.php          ← Password hashing, IP detection
│   ├── csrf.php          ← CSRF token generation/validation
│   ├── db.php            ← Database connections
│   ├── email.php         ← PHPMailer send functions
│   ├── functions.php     ← Backward-compat loader
│   ├── helpers.php       ← WoW helpers (format playtime, gold, race/class names)
│   ├── lang.php          ← Language loader
│   ├── login_history.php ← File-based login history helper
│   ├── rate_limiter.php  ← File-based brute-force protection
│   └── recaptcha.php     ← reCAPTCHA verification (respects feature flag)
├── lang/                 ← Language files (en.php, es.php)
├── pages/
│   ├── admin_api.php     ← AJAX API for admin actions
│   ├── admin_dashboard.php
│   ├── change_password.php
│   ├── dashboard.php
│   ├── login.php
│   ├── logout.php
│   ├── recover.php
│   ├── register.php
│   ├── reset_password.php
│   └── tickets.php
├── sql/
│   └── setup.sql         ← Required tables (tickets, audit log, password resets)
├── templates/            ← header.php and footer.php
├── uploads/
│   ├── .htaccess         ← Blocks PHP execution in uploads
│   └── tickets/          ← Ticket attachments
├── config.php            ← Your config (gitignored)
├── config.sample.php     ← Safe template to commit
├── favicon.ico
└── index.php             ← Homepage / router

• config.php is in .gitignore — never commit it
• The uploads/ folder has a .htaccess that blocks PHP execution
• All forms use CSRF tokens
• All DB queries use PDO prepared statements
• Directory listing is disabled via Options -Indexes
• Rate limiting protects login from brute-force attacks
• Admin actions are logged to admin_audit_log with IP, timestamp, and details

This project is licensed under the MIT License.