.htaccess and virtual host configuration for WordPress in its own directory

Question

I've been taking a look at the modern WP development approaches using Composer and so on, for example Bedrock or WordPress-Skeleton.

I'm trying to adapt these approaches ad create my own WP boilerplate, so I ended up with a project structure like this:

my_project
 |
 \--app  <-- custom wp-content folder
 |   |  
 |   \--mu-plugins
 |   \--plugins
 |   \--themes
 |
 \--vendor  <-- folder for composer packages
 |   |
 |   \...
 |
 \--wp  <-- WordPress core folder
 |   |
 |   \...
 |
 |--composer.json
 |--composer.lock
 |--index.php
 |--wp-config-local.php
 |--wp-config.php

Everything works fine so far, but the problem is that I have to set my_project as the web root folder, so that an user can go to http:/my-project/vendor, for example, and see all my vendor packages, which I think it's not good...

So, is there any way to set some .htaccess file or configure the virtual host in such a way that I can use that folder structure but do not allow anybody to access all those files and folders that are not absolutely necessary?

Answer 1

I'm not sure exactly what you mean by

so that an user can go to http:/my-project/vendor, for example, and see all my vendor packages

so I'll give you a few options.

If the vendor packages are supposed to be completely private you can make it forbidden:

RewriteRule ^/vendor - [F]

If you want to whitelist an IP you might be using:

<Directory /vendor>
  Order deny,allow
  Allow from 1.2.3.4
</Directory>

If you just want to prevent a listing of the files in /vendor

<Directory /vendor>
  Options -Indexes
</Directory>

Answer 2

Late on this but Bedrock recently took the better approach of separating out only what's needing into a web/ directory. See here: https://github.com/roots/bedrock/pull/32

That way you can set your virtual host document root to /path/to/site/web/ and not have to worry about manually blocking access to various folders/configs.