I’m somewhat new to the Bedrock setup and I was reading the following on Bedrock’s homepage:
“By default, Bedrock disables the ability for plugins and themes to be added, removed, or modified on non-development environments.”
Does this measure exist mainly to prevent the installed plugins and themes of different environments from getting out of sync, or is it also a security measure, as there is simply no way to install a plugin? I was wondering, for instance, whether this also prevents any installation of files if a website were entered by brute force.
Howdy! Bedrock is inspired by the 12-factor app methodology, and this specifically is more about dev/prod parity and dependency management than it is about security.
The disabling of those options is handled by setting DISALLOW_FILE_MODS, but you might need more hardening at the server level if security is your concern.
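To make the two-layer pattern behind that answer concrete, here is an added illustration (not code from the original post or from the Bedrock repository) of how a Bedrock-style project can define DISALLOW_FILE_MODS for every environment and then relax it only for development. It assumes the Roots\WPConfig\Config helper that Bedrock ships with; the file names in the comments follow Bedrock's layout, and the two sections would live in separate files in a real project.

```php
<?php
// Added example, not Bedrock's own files. It shows the pattern of defining a
// WordPress constant once for all environments and overriding it for one.
// Assumes Roots\WPConfig\Config (bundled with Bedrock) is autoloaded.

use Roots\WPConfig\Config;

// --- config/application.php (loaded for every environment) -----------------

// Disable the theme/plugin code editor in wp-admin.
Config::define('DISALLOW_FILE_EDIT', true);

// Disable installing, updating and deleting plugins and themes from wp-admin.
// WordPress enforces this by denying the corresponding capabilities
// (install_plugins, update_plugins, install_themes, update_core, ...) to every
// user, regardless of role.
Config::define('DISALLOW_FILE_MODS', true);

// --- config/environments/development.php (loaded only when WP_ENV=development)

// Re-enable plugin/theme management locally so developers can experiment;
// dependencies for other environments are still meant to come from Composer.
Config::define('DISALLOW_FILE_MODS', false);

// --- back in config/application.php --------------------------------------

// The environment file is required before Config::apply(), so a later
// Config::define() for the same key replaces the earlier value. apply() then
// turns each entry into a real PHP constant for WordPress to read.
Config::apply();
```

Note what this does and does not cover: the constant only governs what WordPress itself will do through wp-admin and the updater. It does not stop anything that writes to the filesystem outside WordPress's capability checks, which is why the reply above points to server-level hardening for the security question.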
Thanks for the reply! The 12 factor app methodology sounds very interesting to read, which I will dive into.
Security is not my main concern per se, but when reading about potential risks within the WP ecosystem, brute-force entry is something that pops up often. I thought that perhaps disallowing altering or updating plugin and theme code could help reduce this risk, as nothing can be installed on production environments.