WordPress & Frontity in the same repository

I’d like to start discussing our recommendation to combine Frontity and WordPress in the same repo.

Of course, people can do what they please, but I think having an “official recommendation” would be great to standardize it a bit.

My first idea was to recommend keeping Frontity in the /wp-content/frontity folder, like this:

/wp-content
  /plugins
  /themes
  /frontity
    package.json
    frontity.settings.js
    packages/...

But I don’t think that’s the best idea anymore, because it could compromise security. If people do the build in the same server, the server bundle will be exposed in the /wp-content/frontity/build/server.js file, accessible from the Internet, and could leak a secret if people don’t use env variables.

The other idea is to add Frontity at the root:

/wp-content
  /plugins
  /themes
  ...
/frontity
    package.json
    frontity.settings.js
    packages/...

But my afraid is that having Frontity in the root may lead to permission problems in some hostings, but I’m not sure about it.

Is there a place where the write permissions are granted but it’s not exposed?

1 Like

@luisherranz great idea!

/wp-content
  /plugins
  /themes
  /frontity
    package.json
    frontity.settings.js
    packages/...

How about going for your first idea and updating the docs, and letting users know, that they should use env variables? :slight_smile:

Well, if there’s no other way… but I would prefer to find a way to forbid access to the plain JavaScript files from Frontity, just in case.

By the way, forget about this, files at the root are also accessible :sweat:


Maybe we could add an .htaccess file to the /wp-content/frontity folder that forbids access:

# /wp-content/frontity/.htaccess
Order deny,allow
Deny from all

And then another .htaccess file to the /wp-content/frontity/build/static folder tha enables access:

# /wp-content/frontity/build/static/.htaccess
Order allow,deny
Allow from all

And suggest this change for Nginx users:

location ~ /wp-content/frontity(?!/build/static/) {
  deny all;
  return 403;
}

I’ve just done a quick test and both seem to work fine.

1 Like