Cool product - excited to give Bedrock and Sage a try.
One concern I have is, in following the getting started guide, my theme has the structure indicated here:
As you can see, quite a few files there could be considered dangerous in the web root. Do we have options for putting application-related code outside the document root? Things like:
app/*
/package.json
Cache files
Etc
I've pored over the docs but wasn't able to find anything. The most concerning to me is the app/ folder. Thanks in advance!
But WordPress plugins and themes also usually hold extra files in their own plugin directories and in the uploads directory. It then has to be ensured that nobody can access the files from the outside and that calling individual PHP scripts doesn't allow access or unintended execution.
Anything that can be served publicly should be assumed will be served publicly given the right circumstances. That's why Laravel has made the architecture decision of not putting anything in the public folder that could be a security concern (even going as far as serving storage assets as a symlink).
I don't want to befuddle the conversation with examples of how things could go wrong, but I could easily think of a handful I've seen in the past, ranging from PHP failing to load as a module (rendering the PHP publicly in plain text) or generated cache files giving out critical information about the running app (which I've seen Sage do by default).
What are your thoughts on following a Laravel way of doing things for some future major release? It'd make me feel better. I realize the rest of the WP frameworks don't do this either, but setting the bar higher would really set Bedrock/Sage apart.
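One way to take those files off the reachable surface at the web server layer, as an added example that is not from this thread or from the Bedrock/Sage projects: an nginx server block for Bedrock's web/ document root that refuses the theme's app/ code, dependency metadata, compiled templates and dotfiles before any PHP handler sees them. The theme directory pattern, the php-fpm socket path and the Blade cache location under app/uploads/cache are assumptions; adjust them to the deployment.

```nginx
# Added example, not Bedrock/Sage configuration. Regex locations are tried in
# file order and the first match wins, so every deny must precede the PHP handler.
server {
    listen 80;
    server_name example.test;
    root /srv/bedrock/web;
    index index.php;

    # Sage's PHP application code is only ever loaded by WordPress through
    # require; a browser never needs to request it directly.
    location ~ ^/app/themes/[^/]+/app/ {
        deny all;
    }

    # Dependency trees and uncompiled templates inside the theme.
    location ~ ^/app/themes/[^/]+/(vendor|node_modules|resources/views)/ {
        deny all;
    }
    location ~ /(package\.json|package-lock\.json|yarn\.lock|composer\.(json|lock)|webpack\.mix\.js)$ {
        deny all;
    }

    # Compiled Blade templates (path is an assumption; match the theme's cache setting).
    location ~ ^/app/uploads/cache/ {
        deny all;
    }

    # Dotfiles such as .env, .git and .htaccess anywhere under the document root.
    location ~ /\. {
        deny all;
    }

    # Never execute PHP that ended up in the media upload directory.
    location ~* ^/app/uploads/.*\.php$ {
        deny all;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

With this layout a stopped or misconfigured php-fpm produces a 502 from the `\.php$` handler rather than the raw source, and the denied paths return 403 regardless of what the PHP layer is doing.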
I think your critique is more for WordPress than Bedrock/Sage. Serving 'App files' in the web root is the reality you have to live with when using WordPress - and that's probably why many people steer clear of WordPress in the first place. The security advantage that Bedrock provides is that your environment variables & secrets are outside of the web root.
Hypothetically, if we were to follow a more 'Laravel Way of doing things,' we'd need to chuck out the entire WordPress admin dashboard since it needs to be in the web root, which would break compatibility with almost the entire WordPress ecosystem. IMO it wouldn't be worth it; instead, it would be a much better endeavour to build a Laravel-based CMS.
Bedrock improves upon this, in the sense that it treats WordPress as a dependency, but since wp-admin must still be accessible, it still needs to sit in the web root.