WordPress & Frontity in the same repository

👨‍💻 Framework Development » Framework Design
1

I’d like to start discussing our recommendation to combine Frontity and WordPress in the same repo.

Of course, people can do what they please, but I think having an “official recommendation” would be great to standardize it a bit.

My first idea was to recommend keeping Frontity in the /wp-content/frontity folder, like this:

/wp-content
  /plugins
  /themes
  /frontity
    package.json
    frontity.settings.js
    packages/...

But I don’t think that’s the best idea anymore, because it could compromise security. If people do the build in the same server, the server bundle will be exposed in the /wp-content/frontity/build/server.js file, accessible from the Internet, and could leak a secret if people don’t use env variables.

The other idea is to add Frontity at the root:

/wp-content
  /plugins
  /themes
  ...
/frontity
    package.json
    frontity.settings.js
    packages/...

But my afraid is that having Frontity in the root may lead to permission problems in some hostings, but I’m not sure about it.

Is there a place where the write permissions are granted but it’s not exposed?

1 Like
3

@luisherranz great idea!

/wp-content
  /plugins
  /themes
  /frontity
    package.json
    frontity.settings.js
    packages/...

How about going for your first idea and updating the docs, and letting users know, that they should use env variables? :slight_smile:

4

Well, if there’s no other way… but I would prefer to find a way to forbid access to the plain JavaScript files from Frontity, just in case.

By the way, forget about this, files at the root are also accessible of course :sweat:

Maybe we could add an .htaccess file to the /wp-content/frontity folder that forbids access:

# /wp-content/frontity/.htaccess
Order deny,allow
Deny from all

And then another .htaccess file to the /wp-content/frontity/build/static folder tha enables access:

# /wp-content/frontity/build/static/.htaccess
Order allow,deny
Allow from all

And suggest this change for Nginx users:

location ~ /wp-content/frontity(?!/build/static/) {
  deny all;
  return 403;
}

I’ve just done a quick test and both seem to work fine.

1 Like
5

Why not run Frontity in the root and WordPress in a subdirectory? Both are able to handle that perfectly fine without any (technical) problems.

/frontity.config.js
/package.json
/wp/
/wp/wp-content/

It would even be possible to install WP (and plugins/themes) with NPM (or actually Composer, but can be linked), which in some situations is a security requirement as well (manually settings updates).

I can’t think of any reason why Frontity in the root would cause permission problems, just as much as WordPress in the root would.

However a proper setup where both are separated completely, with their own apache/nginx paths, would be the most preferred method. Although running WP in a subdirectory can offer a decent amount of security when done right.

1 Like