You would need to configure this at the server level: Bedrock can’t really control this. Wordpress runs in your server’s public folder, therefore the files it needs (ie themes) are publicly accessible. For instance, images in your themes must have a publicly accessible url or they can’t be accessed by visitors.
I require the use of some npm packages on the theme im playing around with and from the documentation I read/videos people npm init directly into their theme folder directory rather than the wordpress root folder, now I can resrtict the access to .php files with if (!defined('ABSPATH')) { exit; }, but how do I do the same for my package.json, webpack, tailwind.config.js, etc?
Do I add a .htaccess file and add them one by one?
You can use this .htaccess snippet to disable direct access to blade files.
# BEGIN Disable Access to Blade
<FilesMatch ".+\.(blade\.php)$">
<IfModule mod_authz_core.c>
# Apache 2.4
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order deny,allow
Deny from all
</IfModule>
</FilesMatch>
# END Disable Access to Blade
Files associated with the build process are not required in production because the build process is executed locally to generate files to be deployed.
Yes, if you want your server to deny visitors access to a file they would normally have access to, you must instruct the server to do so. Unless you have files that contain sensitive information, on most PHP servers I don’t think there’s a huge necessity to prevent access to, say, tailwind.config.js–it can’t execute anything on the server so it doesn’t really present a security risk.