Roots Discourse

Bedrock - prevent direct access to theme files


I am quite new to WordPress and find it amazing to have the ability to use Vue on it.

Now I am experiencing a little problem, all the files in my theme folder are accessible via direct link.
How can I prevent that?

Even if I set the ENV to production, they are still directly accessible.

You would need to configure this at the server level: Bedrock can't really control this. WordPress runs in your server's public folder, therefore the files it needs (i.e. themes) are publicly accessible. For instance, images in your themes must have a publicly accessible URL or they can't be accessed by visitors.

Some suggestions are available around the forum on how to configure your server, e.g. here: How are you deploying this so that the vendor folder isn't exposed to the public?

Thank you for your reply @alwaysblank,

I require the use of some npm packages in the theme I'm playing around with, and from the documentation/videos I've read, people run npm init directly in their theme folder rather than in the WordPress root folder. Now I can restrict access to .php files with if (!defined('ABSPATH')) { exit; }, but how do I do the same for my package.json, webpack config, tailwind.config.js, etc.?

Do I add a .htaccess file and add them one by one?

You can use this .htaccess snippet to disable direct access to Blade files.

# BEGIN Disable Access to Blade
<FilesMatch ".+\.(blade\.php)$">
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
# END Disable Access to Blade

Files associated with the build process are not required in production because the build process is executed locally to generate files to be deployed.
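As an added example (not code from the thread or from Roots/Bedrock), here is how the same pattern extends to the build and configuration files asked about above. It assumes Apache 2.4 with mod_authz_core and mod_alias loaded, and AllowOverride set so that .htaccess in the document root (or the theme directory) is honoured; the list of file names is an assumed set of typical build artefacts, so adjust it to what your theme actually ships.

```apache
# Added example, not part of the original thread. Assumes Apache 2.4
# (mod_authz_core + mod_alias) and that this .htaccess is honoured
# (AllowOverride AuthConfig FileInfo or AllowOverride All).

# BEGIN Deny direct access to build/config files
# FilesMatch matches the requested file name in this directory and all
# subdirectories, so dropping this in the document root covers every theme.
<FilesMatch "^(package(-lock)?\.json|yarn\.lock|composer\.(json|lock)|webpack\.config\.js|tailwind\.config\.js|postcss\.config\.js|\.babelrc|\.env(\..*)?|.*\.blade\.php)$">
    Require all denied
</FilesMatch>

# FilesMatch cannot match directories from inside .htaccess, so use
# mod_alias to answer 404 for whole trees that were deployed by mistake.
# Assumed directory names; add to the alternation as needed.
RedirectMatch 404 "/(node_modules|vendor)(/|$)"
# END Deny direct access to build/config files
```

Denied files answer 403 (or 404 via RedirectMatch), which is what you want to verify after deploying: request /wp-content/themes/your-theme/package.json and confirm it is no longer served. Two caveats: nginx ignores .htaccess entirely, so on an nginx host the equivalent `location` rules belong in the server block; and this only stops a browser fetching the file, it does not change what PHP can include, so keep the `ABSPATH` guard in the .php files as well.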

Yes, if you want your server to deny visitors access to a file they would normally have access to, you must instruct the server to do so. Unless you have files that contain sensitive information, on most PHP servers I don't think there's a huge necessity to prevent access to, say, tailwind.config.js; it can't execute anything on the server, so it doesn't really present a security risk.