I’ve been taking a look at the modern WP development approaches using Composer and so on, for example Bedrock or WordPress-Skeleton.
I’m trying to adapt these approaches and create my own WP boilerplate, so I ended up with a project structure like this:
my_project
|
--app <-- custom wp-content folder
| |
| --mu-plugins
| --plugins
| --themes
|
--vendor <-- folder for composer packages
| |
| ...
|
--wp <-- WordPress core folder
| |
| ...
|
|--composer.json
|--composer.lock
|--index.php
|--wp-config-local.php
|--wp-config.php
Everything works fine so far, but the problem is that I have to set my_project as the web root folder, so that a user can go to http://my-project/vendor, for example, and see all my vendor packages, which I think is not good…
So, is there any way to set some .htaccess file or configure the virtual host in such a way that I can use that folder structure but do not allow anybody to access all those files and folders that are not absolutely necessary?
I’m not sure exactly what you mean by
so I’ll give you a few options.
If the vendor packages are supposed to be completely private you can make it forbidden:
If you want to whitelist an IP you might be using:
If you just want to prevent a listing of the files in /vendor
Late on this, but Bedrock recently took the better approach of separating out only what’s needed into a web/ directory. See here: https://github.com/roots/bedrock/pull/32
That way you can set your virtual host document root to /path/to/site/web/ and not have to worry about manually blocking access to various folders/configs.
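
The two approaches from the answers above, written out as an Apache 2.4 virtual-host configuration. This is an added example, not code from the original posts; the server name, filesystem paths and the allowed IP address are assumptions.

```apache
# Use ONE of the two virtual hosts below, not both.

# Option A: keep my_project as the document root (layout from the question)
# and deny everything that is never meant to be requested over HTTP.
<VirtualHost *:80>
    ServerName my-project
    DocumentRoot "/path/to/my_project"

    <Directory "/path/to/my_project">
        # No auto-generated directory listings anywhere in the tree
        Options -Indexes
        # WordPress keeps its permalink rewrite rules in .htaccess
        AllowOverride All
        Require all granted
    </Directory>

    # Composer packages are loaded by PHP from disk, never fetched by a browser
    <Directory "/path/to/my_project/vendor">
        # Stop a packaged .htaccess from re-granting access
        AllowOverride None
        Require all denied
        # To let a single address through instead (constructed documentation IP):
        # Require ip 203.0.113.10
    </Directory>

    # Manifests and config files disclose package versions and credentials
    <FilesMatch "^(composer\.(json|lock)|wp-config(-local)?\.php)$">
        Require all denied
    </FilesMatch>
</VirtualHost>

# Option B: the web/ layout from the second answer. Only the public
# directory is the document root, so vendor/, composer.* and the config
# files sit outside it and need no deny rules at all.
<VirtualHost *:80>
    ServerName my-project
    DocumentRoot "/path/to/site/web"

    <Directory "/path/to/site/web">
        Options -Indexes
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
```

With either option in place, a request for /vendor/ or /composer.json should return 403 or 404 rather than a listing or file contents.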