Source: hide composer vendor folder that’s inside docroot
You may consider keeping vendors outside of docroot with following files structure:
c:\wamp64\www\my-site1\
c:\wamp64\www\my-site2\
c:\wamp64\www\my-site3\
c:\wamp64\www\vendors\my-site1\
c:\wamp64\www\vendors\my-site2\
c:\wamp64\www\vendors\my-site3\
Configuring vendor directory in composer.json
:
{
"config": {
"vendor-dir": "../vendors/my-site1"
}
}
And including autoloader in your index.php
:
require __DIR__ . '/../vendors/my-site1/autoload.php';
If you can’t change directory for vendors, you may use mod rewrite to disallow access to vendor
directory. Put this into your main .htaccess
file (for example to c:\wamp64\www\my-site1\.htaccess
:
RewriteEngine on
RewriteRule ^vendor/(.*)?$ / [F,L]
RewriteRule ^composer\.(lock|json)$ / [F,L]
Using .htaccess
inside of vendor
directory will also work, bu it is easy to accidentaly delete this file – usually vendor
directory is not versioned in VCS and many problems with composer are solvable by “delete vendor
directory and run composer install
again” (which will also remove your .htaccess
and make vendor
directory accessible from web).