Is Bedrock's measure to not allow ability for plugins and themes to be added a security measure?

Hello everyone,

I’m somewhat new to the Bedrock setup and I was reading the following on Bedrock’s homepage:

“By default, Bedrock disables the ability for plugins and themes to be added, removed, or modified on non-development environments.”

Does this measure exist mainly to prevent environments' installed plugins and themes from getting out of sync, or is it also a security measure, as there is simply no way to install a plugin? I was wondering, for instance, whether this also prevents any installation of files if a website were entered by brute force.

Thanks for your time.

Howdy! Bedrock is inspired by 12 factor app methodology, and this specifically is more about the dev/prod parity and dependency management than it is about security.

The disabling of those options is handled by setting DISALLOW_FILE_MODS, but you might need to have more hardening on the server level if security is your concern.

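As an added illustration of the per-environment layering Ben describes (not code from this thread, and not a verbatim copy of Bedrock's own files): a production-wide baseline in config/application.php, a development-only override in config/environments/development.php, and a small runtime check modelled on how WordPress core consults the constant. The file paths and the Config::define() helper are the ones Bedrock ships with roots/wp-config; the exact surrounding lines and the is_file_mod_allowed() helper below are assumptions for illustration.

```php
<?php
// config/application.php (shared by every environment; illustrative excerpt)
use Roots\WPConfig\Config;

// Baseline: no plugin/theme install, update or delete from wp-admin,
// and no in-browser plugin/theme file editor. This is what Bedrock
// means by "disables the ability for plugins and themes to be added".
Config::define('DISALLOW_FILE_MODS', true);
Config::define('DISALLOW_FILE_EDIT', true);

// config/environments/development.php (loaded only when WP_ENV=development)
// Overrides the baseline so developers can install and update from wp-admin.
Config::define('DISALLOW_FILE_MODS', false);

// Illustrative runtime check (hypothetical helper, modelled on core's
// wp_is_file_mod_allowed): admin screens consult the constant at request
// time. Nothing here changes filesystem permissions, so a process that can
// already write to web/app/plugins is not stopped by this constant.
function is_file_mod_allowed(bool $disallow_file_mods): bool
{
    return !$disallow_file_mods;
}

// Production baseline -> false; development override -> true.
var_dump(is_file_mod_allowed(true));   // bool(false)
var_dump(is_file_mod_allowed(false));  // bool(true)
```

The practical caveat for the security question in this thread: DISALLOW_FILE_MODS removes the admin UI and upgrade paths that write plugin and theme files, so a stolen admin login cannot use the dashboard to drop a plugin. It does not make the document root read-only; that is the "hardening on the server level" Ben refers to, for example running PHP as a user that has no write access to web/app/plugins and web/app/themes, with uploads kept in a separate writable directory.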

Hey @ben

Thanks for the reply! The 12 factor app methodology sounds very interesting to read, which I will dive into.

Security is not my main concern per se, but when reading about potential risks within the WP ecosystem, brute-force entry is something that pops up often. I thought that perhaps disallowing altering / updating plugin and theme code could help reduce this risk, as nothing can be installed on production environments.