Security of Bedrock

Is there anyone who knows whether a setup like Bedrock is more secure because it doesn’t follow the typical install directory format? Trying to figure out whether to implement Bedrock on all our sites or look at a host like WP Engine. Any feedback? Thanks.

If there is any security benefit, it’s probably security through obscurity. But it’s not too difficult to figure out where WP is installed, unless you make sure NO assets and no URLs reference the wp directory.

You do have the benefit of keeping credentials and passwords out of the public directory. However, this is also really only a benefit in the very unlikely event that your HTTP server somehow starts serving up PHP files as plain text.

That being said, I feel Bedrock is great in every instance; keeping WP separate from all other code is a big benefit, and I enjoy the folder structure overall.

Speaking from first-hand experience (hosting business): Bedrock sites do not fall victim to (what we call) wp-scan attacks. The attacker simply checks if the site looks like WordPress and can access wp-admin and/or xmlrpc.php. Since both of those are instead in /wp, the attacker gives up after 2-3 404 responses. This is a very nice benefit of security through obscurity :)

2 Likes

One of the big benefits of a Bedrock-type setup is that your .git folder is not in the web root. Definitely don’t want to be exposing your source control to whoever asks for it.

1 Like
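The two points raised above, credentials kept out of the public directory and `.git` kept out of the web root, can be checked on disk. The following is an added example, not code from this thread or from the Bedrock project: it audits a document root for version-control metadata, `.env` files and a `wp-config.php` with a literal `DB_PASSWORD`. The sample trees, file bodies and the `web/` document root for the Bedrock layout are constructed assumptions.

```python
import os
import re
import tempfile

VCS_DIRS = {".git", ".svn", ".hg"}
# Classic wp-config.php pattern: DB_PASSWORD defined as a string literal.
LITERAL_DB_PASSWORD = re.compile(r"""define\(\s*['"]DB_PASSWORD['"]\s*,\s*['"]""")

def audit_docroot(docroot):
    """Return sorted (relative_path, reason) findings for files under docroot."""
    findings = []
    for current, dirs, files in os.walk(docroot):
        for name in list(dirs):
            if name in VCS_DIRS:
                rel = os.path.relpath(os.path.join(current, name), docroot)
                findings.append((rel, "version control metadata"))
                dirs.remove(name)  # no need to descend into it
        for name in files:
            path = os.path.join(current, name)
            rel = os.path.relpath(path, docroot)
            if name == ".env":
                findings.append((rel, "environment file"))
            elif name == "wp-config.php":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if LITERAL_DB_PASSWORD.search(fh.read()):
                        findings.append((rel, "literal DB_PASSWORD"))
    return sorted(findings)

# Constructed, simplified trees (not real site contents): (docroot, {path: body}).
SAMPLES = {
    "classic": ("", {
        ".git/HEAD": "ref: refs/heads/main\n",
        "wp-config.php": "<?php define('DB_PASSWORD', 'constructed-secret');\n",
    }),
    "bedrock": ("web", {
        ".git/HEAD": "ref: refs/heads/main\n",
        ".env": "DB_PASSWORD=constructed-secret\n",
        "config/application.php": "<?php Config::define('DB_PASSWORD', env('DB_PASSWORD'));\n",
        "web/wp-config.php": "<?php require_once dirname(__DIR__) . '/config/application.php';\n",
    }),
}

def audit_sample(layout):
    """Build one sample tree in a temp dir and audit its document root."""
    docroot_rel, files = SAMPLES[layout]
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_docroot(os.path.join(root, docroot_rel))

if __name__ == "__main__":
    for layout in SAMPLES:
        print(layout, audit_sample(layout))
```

The audit reflects what sits on disk under the document root; server rules that deny access to dotfiles are a separate layer it does not inspect.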