Source: hide composer vendor folder that’s inside docroot
You may consider keeping vendors outside of docroot with following files structure:
c:\wamp64\www\my-site1\
c:\wamp64\www\my-site2\
c:\wamp64\www\my-site3\
c:\wamp64\www\vendors\my-site1\
c:\wamp64\www\vendors\my-site2\
c:\wamp64\www\vendors\my-site3\
Configuring vendor directory in composer.json:
{
"config": {
"vendor-dir": "../vendors/my-site1"
}
}And including autoloader in your index.php:
require __DIR__ . '/../vendors/my-site1/autoload.php';
If you can’t change directory for vendors, you may use mod rewrite to disallow access to vendor directory. Put this into your main .htaccess file (for example to c:\wamp64\www\my-site1\.htaccess:
RewriteEngine on
RewriteRule ^vendor/(.*)?$ / [F,L]
RewriteRule ^composer\.(lock|json)$ / [F,L]
Using .htaccess inside of vendor directory will also work, bu it is easy to accidentaly delete this file – usually vendor directory is not versioned in VCS and many problems with composer are solvable by “delete vendor directory and run composer install again” (which will also remove your .htaccess and make vendor directory accessible from web).