• Hello WP community. 

    Due to the lack of the solution I need, I started to write my own plugin. 

    I am a newbie in this business and I have some questions, answers to which I could not find on the Internet. The question is about security. 

    My plugin has additional js and CSS files, some for the plugin settings admin panel page and some for the open frontend. Scripts and styles are loaded into the frontend only if there is a shortcode on the site page. And only those that are necessary for the frontend. In the admin panel as well, only the ones that are needed to interact with the admin panel settings. 

    Thus the question arises. 

    1. How secure is it to show the path to my script and other files

    <script src = "https://<page>/wordpress/wp-content/plugins/<plugin name>/js/<script for fe>.js?ver=1.0.3"...

    on the open front? Should I find some better place for them?

    The script doesn’t contain any confidential information, only functions to handle user input and interaction. 

    2. If this is not secure, what are some solutions or good practices for this task?

    Thanks for your help.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator bcworkz

    (@bcworkz)

    JavaScript runs client side, so no matter what you do, there’s no way to securely protect script source code from examination. You can obfuscate it with a minimizer so it’s difficult to comprehend, but it can still be reverse engineered if one is so inclined. Thus there’s no point in attempting to secure JavaScript if you want it to run.

    Thread Starter shan20

    (@shan20)

    Hi @bcworkz, thanks for the reply. I understood about JS, the question was more about the place for this file and some other files in the WP system. Is it okay to store the files for the frontend in the plugins folder as part of the plugin, or is it better to store them elsewhere?

    Moderator bcworkz

    (@bcworkz)

    Realistically, nearly anywhere that’s publicly accessible would be OK. However, never put custom code in /wp-includes/ or /wp-admin/. Code placed there is likely to get deleted during updates. If you’ve created a plugin, then supporting files logically would reside with the plugin. Similar for custom themes, keep supporting files with the theme. You can even keep files in /wp-content/, but for organizational reasons you should create your own directory under /wp-content/. That said, there’s little reason to keep files anywhere besides the related theme or plugin folders.
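
Added example, not part of the thread and not code from either poster: one way to set up what the thread describes, with assets kept in the plugin folder, front-end files loaded only when the shortcode renders, and admin files loaded only on the plugin's settings page. The `esa_` names, the `[esa_form]` shortcode, the file names and the settings slug are assumptions for illustration.

```php
<?php
/**
 * Plugin Name: Example Shortcode Assets (hypothetical plugin for illustration)
 */

// All esa_* names, file paths and the shortcode tag are assumptions, not from the thread.
define( 'ESA_VERSION', '1.0.3' );

// Front end: register only. Nothing is printed until the shortcode asks for it.
add_action( 'wp_enqueue_scripts', function () {
    wp_register_script(
        'esa-frontend',
        // Resolves to .../wp-content/plugins/<plugin name>/js/frontend.js
        plugins_url( 'js/frontend.js', __FILE__ ),
        array(),
        ESA_VERSION, // appended as ?ver=1.0.3
        true         // print in the footer so a late enqueue still works
    );
    wp_register_style(
        'esa-frontend',
        plugins_url( 'css/frontend.css', __FILE__ ),
        array(),
        ESA_VERSION
    );
} );

// The shortcode callback enqueues the registered assets, so they appear
// only on pages where the shortcode is actually rendered.
add_shortcode( 'esa_form', function ( $atts ) {
    wp_enqueue_script( 'esa-frontend' );
    wp_enqueue_style( 'esa-frontend' );
    // The script URL is public by design; anything the script submits
    // still has to be validated on the server.
    return '<div class="esa-form"></div>';
} );

// Admin: load the admin script only on this plugin's settings page.
add_action( 'admin_menu', function () {
    $page_hook = add_options_page( 'ESA Settings', 'ESA', 'manage_options', 'esa-settings', 'esa_render_settings' );
    add_action( 'admin_enqueue_scripts', function ( $hook_suffix ) use ( $page_hook ) {
        if ( $hook_suffix !== $page_hook ) {
            return; // some other admin screen
        }
        wp_enqueue_script( 'esa-admin', plugins_url( 'js/admin.js', __FILE__ ), array(), ESA_VERSION, true );
    } );
} );

function esa_render_settings() {
    echo '<div class="wrap"><h1>ESA Settings</h1></div>';
}
```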
