Only '/public' should be accessible
saulens22 opened this issue · 2 comments
saulens22 commented
Usually, all WordPress theme PHP files check if ABSPATH exists. This theme template doesn't have such functionality. Moreover, I can access '/config', '/resources', '/vendor' and so on. It might pose a security risk in the long run (just my opinion).
I believe only the '/public' folder should be accessible by the web server. In my case, I created a '.htaccess' file in the theme root that denies all access and created another '.htaccess' file in '/resources' that WebPack copies into '/public' folder with complete access. I think it's worth discussing implementing this in the theme.
multiplehats commented
+1
niklasp commented
maybe this can be added via a pull request @saulens22
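
The layout described in the opening comment, with an audit for both gaps it raises, as an added example that is not part of the original thread or the theme's code. It assumes Apache 2.4 `Require` syntax with `.htaccess` overrides enabled; the function names and the `htaccess.public` template name are hypothetical, and the allow rule is kept under a name Apache does not read so that '/resources' itself stays denied.

```bash
#!/usr/bin/env bash
# Added example, not the theme's code. Function names and the
# htaccess.public template name are hypothetical.
# Assumes Apache 2.4 with AllowOverride permitting authorization in .htaccess.

# Deny everything at the theme root. The allow rule is stored under a name
# Apache does not read, so resources/ stays denied until the asset build
# copies it to public/.htaccess.
write_htaccess_layout() {
  local theme_dir=$1
  mkdir -p "$theme_dir/resources"
  printf 'Require all denied\n'  > "$theme_dir/.htaccess"
  printf 'Require all granted\n' > "$theme_dir/resources/htaccess.public"
}

# Print every .htaccess (relative to the theme) that grants access.
# After a build the only expected line is ./public/.htaccess; an empty
# result means the allow file was not copied and asset requests get 403.
htaccess_files_granting_access() {
  local theme_dir=$1
  ( cd "$theme_dir" &&
    find . -type f -name .htaccess -exec grep -liE \
      '^[[:space:]]*Require[[:space:]]+all[[:space:]]+granted' {} + | sort )
}

# Print first-party PHP files that never mention ABSPATH, i.e. files with no
# direct-access guard. vendor/ is skipped: the root deny rule covers it.
php_without_abspath_guard() {
  local theme_dir=$1
  find "$theme_dir" -type f -name '*.php' ! -path '*/vendor/*' \
    -exec grep -L 'ABSPATH' {} + | sort
}

# Usage: ./audit-theme.sh /path/to/theme
if [ "$#" -gt 0 ]; then
  echo "Files granting access:"; htaccess_files_granting_access "$1"
  echo "PHP files without an ABSPATH guard:"; php_without_abspath_guard "$1"
fi
```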