{"id":54251,"date":"2023-10-04T10:51:22","date_gmt":"2023-10-04T10:51:22","guid":{"rendered":"https:\/\/www.bookwormhead.com\/?p=54251"},"modified":"2025-05-29T03:23:22","modified_gmt":"2025-05-29T03:23:22","slug":"bedrock-wordpress","status":"publish","type":"post","link":"https:\/\/bookwormhead.com\/cms\/bedrock-wordpress\/","title":{"rendered":"Bedrock WordPress Complete Tutorial 2025 &#8211; 100% Working"},"content":{"rendered":"<h2>How I Hardened My WordPress Setup Using Bedrock<\/h2>\n<p>With billions of websites getting hacked every year, I became increasingly concerned about the security of my WordPress installation. That\u2019s when I decided to upgrade the structure of my WordPress project using Bedrock \u2014 a modern WordPress boilerplate developed by the Roots team.<\/p>\n<h2>Why Not Just Use Vanilla WordPress?<\/h2>\n<p>While standard (vanilla) WordPress works fine for many, it\u2019s highly vulnerable to attacks \u2014 especially when all files, including sensitive configuration like wp-config.php, are located directly inside the public directory (public_html). This default setup exposes your site to common threats such as:<\/p>\n<ul>\n<li>Database credential leaks<\/li>\n<li>Plugin\/theme injection<\/li>\n<li>Arbitrary file inclusion exploits<\/li>\n<\/ul>\n<p>By contrast, Bedrock separates the WordPress core, configuration, and content, making your site harder to compromise.<\/p>\n<h2 data-start=\"1377\" data-end=\"1396\">Prerequisites<\/h2>\n<p data-start=\"1398\" data-end=\"1460\">Before you start, make sure the following tools are installed:<\/p>\r\n    <div class=\"bwh-in-article-ad\">\r\n      <ins class=\"adsbygoogle\"\r\n           style=\"display:block; text-align:center;\"\r\n           data-ad-client=\"ca-pub-4299086769596754\"\r\n           data-ad-slot=\"8699383760\"\r\n           data-ad-format=\"auto\"\r\n           data-full-width-responsive=\"true\"><\/ins>\r\n      <script>\r\n        (adsbygoogle = window.adsbygoogle || []).push({});\r\n      <\/script>\r\n    <\/div>\n<ul data-start=\"1462\" data-end=\"1646\">\n<li data-start=\"1462\" data-end=\"1500\">\n<p data-start=\"1464\" data-end=\"1500\"><a href=\"https:\/\/getcomposer.org\/\" target=\"_new\" rel=\"noopener\" data-start=\"1464\" data-end=\"1500\">Composer<\/a><\/p>\n<\/li>\n<li><a href=\"https:\/\/www.php.net\/\" target=\"_new\" rel=\"noopener\" data-start=\"1503\" data-end=\"1530\">PHP<\/a><\/li>\n<li><a target=\"_new\" rel=\"noopener\" data-start=\"1533\" data-end=\"1569\">Bedrock<\/a><\/li>\n<li><a href=\"https:\/\/localwp.com\/\" target=\"_new\" rel=\"noopener\" data-start=\"1572\" data-end=\"1615\">Local (by Flywheel)<\/a> or your preferred local server<\/li>\n<\/ul>\n<p>In this tutorial, I\u2019ll walk you through the process of setting up a Bedrock-based WordPress environment, improving both your development workflow and your site\u2019s security by keeping sensitive files out of the public directory and adopting modern development practices.<\/p>\n<h2>A: Replacing Standard WordPress To WP Bedrock on Local Flywheel<\/h2>\n<h3>1. Installing Composer ( Bedrock Dependent)<\/h3>\n<p>First, you need to install the dependencies to make the Bedrock work.<\/p>\n<p><iframe loading=\"lazy\" title=\"YouTube video player\" src=\"https:\/\/www.youtube.com\/embed\/12y5GT5YrbA?si=OYi92Y9ndIkXEPnn\" width=\"560\" height=\"315\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\"><\/iframe><\/p>\r\n    <div class=\"bwh-in-article-ad\">\r\n      <ins class=\"adsbygoogle\"\r\n           style=\"display:block; text-align:center;\"\r\n           data-ad-client=\"ca-pub-4299086769596754\"\r\n           data-ad-slot=\"8699383760\"\r\n           data-ad-format=\"auto\"\r\n           data-full-width-responsive=\"true\"><\/ins>\r\n      <script>\r\n        (adsbygoogle = window.adsbygoogle || []).push({});\r\n      <\/script>\r\n    <\/div>\n<h3>2. Install A Flywheel Local For WordPress<\/h3>\n<p>Go to <a href=\"https:\/\/localwp.com\/\">flywheel local<\/a> to download the application. Run a regular WordPress website.<\/p>\n<p><iframe loading=\"lazy\" title=\"YouTube video player\" src=\"https:\/\/www.youtube.com\/embed\/Fi28DMNIU2M?si=Azt_RP7zfbhOl2Cm\" width=\"560\" height=\"315\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\"><\/iframe><\/p>\n<h3>3. Run The Bedrock Project<\/h3>\n<p>Note: If you cannot see wp folder in your bedrock which usually happen if you install the old version, just run the<\/p>\n<p>[code_block]<br \/>\ncomposer create-project roots\/bedrock<br \/>\n[\/code_block]<\/p>\n<p>\u26a0\ufe0f If you\u2019re using an older version of Bedrock, the wp folder (which holds WordPress core files) might be missing. If that happens, just run composer install again inside the bedrock folder.<\/p>\n<h3>3A. Configuring the .env File<\/h3>\n<p data-start=\"2028\" data-end=\"2104\">Bedrock uses a .env file to manage environment-specific settings, such as:<\/p>\n<ul data-start=\"2106\" data-end=\"2209\">\n<li data-start=\"2106\" data-end=\"2157\">\n<p data-start=\"2108\" data-end=\"2157\">Database credentials (DB_NAME, DB_USER, etc.)<\/p>\n<\/li>\n<li data-start=\"2158\" data-end=\"2186\">\n<p data-start=\"2160\" data-end=\"2186\">Table prefix (DB_PREFIX)<\/p>\n<\/li>\n<li data-start=\"2187\" data-end=\"2209\">\n<p data-start=\"2189\" data-end=\"2209\">Authentication salts<\/p>\n<\/li>\n<\/ul>\n<p>Make sure your .env variables are set correctly. You can generate unique WordPress salts using <a target=\"_new\" rel=\"noopener\" data-start=\"2308\" data-end=\"2349\">roots.io\/salts<\/a>.<\/p>\n<p>[code_block]<br \/>\nDB_NAME=&#8217;local&#8217;<br \/>\nDB_USER=&#8217;root&#8217;<br \/>\nDB_PASSWORD=&#8217;root&#8217;<br \/>\nDB_HOST=&#8217;localhost&#8217;<\/p>\n<p>WP_CORE_DIR=&#8217;web\/wp&#8217;<br \/>\nWP_ENV=&#8217;production&#8217;<br \/>\nWP_SITEURL=&#8221;https:\/\/testing2.local\/wp\/&#8221;<br \/>\nWP_HOME=&#8217;https:\/\/testing2.local&#8217;<\/p>\n<p>Generate the auth to https:\/\/roots.io\/salts.html<br \/>\n[\/code_block]<\/p>\n<h3 data-start=\"2357\" data-end=\"2396\">3B: application.php and .env Priority<\/h3>\n<p data-start=\"2398\" data-end=\"2583\">While the config\/application.php file controls how your app boots, the .env file should be treated as your environment-specific config \u2014 think of it as your new wp-config.php. To keep things dynamic, ensure application.php reads from .env. This allows for flexible deployments across development, staging, and production environments.<\/p>\n<h3>4. Adjusting site.config.hbs (for Local by Flywheel users)<\/h3>\n<p>By default, site.config.hbs may point to the root directory. Since Bedrock modifies the public web root to \/web or a custom folder like \/public_html\/wp, you&#8217;ll need to:<\/p>\n<ul>\n<li data-start=\"2995\" data-end=\"3074\">\n<p data-start=\"2998\" data-end=\"3074\">Set an absolute path to the correct document root in your local environment. Find your absolute url e.g root &#8216;C:\/Users\/Windows 10\/Local Sites\/testing2\/app\/bedrock\/web&#8217;;<\/p>\n<\/li>\n<li data-start=\"3075\" data-end=\"3156\">\n<p data-start=\"3078\" data-end=\"3156\">Update this path again during deployment to your staging or production server.<\/p>\n<\/li>\n<\/ul>\n<h2>B: Migrating Bedrock WP To Share Hosting<\/h2>\n<p>Let&#8217;s Migrate Your Bedrock To Shared Hosting!<\/p>\n<p><iframe loading=\"lazy\" title=\"YouTube video player\" src=\"https:\/\/www.youtube.com\/embed\/jkTlPpH5CXM?si=dek8C5O516ZoMmoy\" width=\"560\" height=\"315\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\"><\/iframe><\/p>\n<h3>\u26a0\ufe0f Situational: WordPress Database Error After Moving to Shared Hosting<\/h3>\n<p>In new version of WordPress bedrock, you might experience unstable database error due to how ABSPATH declared in the application.php<\/p>\n<p>In older Bedrock versions (pre-2024), the loading order looked like this:<br \/>\n[code_block]<br \/>\ndefine(&#8216;ABSPATH&#8217;, &#8230;);<br \/>\nConfig::apply(); \/\/ \u2705 Safe, because ABSPATH is needed early<br \/>\n[\/code_block]<\/p>\n<p>In newer Bedrock boilerplates, they changed it to:<br \/>\n[code_block]<br \/>\nConfig::apply(); \/\/ \ud83d\udea8 Now comes before ABSPATH<br \/>\ndefine(&#8216;ABSPATH&#8217;, &#8230;);<br \/>\n[\/code_block]<\/p>\n<p>Make sure you follow the old version (pre-2024) especially if you&#8217;re deploying in Shared Hosting.<\/p>\n<h3>Why It Breaks in Real Deployments<\/h3>\n<ul>\n<li>In practice, many plugins and even parts of WordPress:<\/li>\n<li>Still expect ABSPATH to be defined early<\/li>\n<li>Use it during AJAX calls or redirects<\/li>\n<li>Write files or load includes using ABSPATH<\/li>\n<\/ul>\n<p>In hosting like Siteground or theme like Divi, usually a core hook runs during\u00a0Config::apply() so usually it is expected to declare after the ABSPATH is declared so it won&#8217;t fails silently, or causes downstream issues like:<\/p>\n<ul>\n<li>database error on save<\/li>\n<li>exit builder crashing<\/li>\n<li>500 on post.php redirects<\/li>\n<\/ul>\n<p>To learn more about how you can manipulate your WordPress plugins, themes and core files using <span style=\"text-decoration: underline; color: #ff0000;\">ABSPATH approach, check my YouTube video here<\/span><\/p>\n<h2>C. How To Create A Staging Bedrock In Shared Host Like Hostinger And Siteground<\/h2>\n<p>Coming soon..<\/p>","protected":false},"excerpt":{"rendered":"<p>How I Hardened My WordPress Setup Using Bedrock With billions of websites getting hacked every year, I became increasingly concerned about the security of my WordPress installation. That\u2019s when I decided to upgrade the structure of my WordPress project using Bedrock \u2014 a modern WordPress boilerplate developed by the Roots team. Why Not Just Use [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[169,5],"tags":[74],"class_list":["post-54251","post","type-post","status-publish","format-standard","hentry","category-blog","category-cms","tag-wordpress"],"_links":{"self":[{"href":"https:\/\/bookwormhead.com\/cms\/wp-json\/wp\/v2\/posts\/54251","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bookwormhead.com\/cms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bookwormhead.com\/cms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bookwormhead.com\/cms\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bookwormhead.com\/cms\/wp-json\/wp\/v2\/comments?post=54251"}],"version-history":[{"count":21,"href":"https:\/\/bookwormhead.com\/cms\/wp-json\/wp\/v2\/posts\/54251\/revisions"}],"predecessor-version":[{"id":54440,"href":"https:\/\/bookwormhead.com\/cms\/wp-json\/wp\/v2\/posts\/54251\/revisions\/54440"}],"wp:attachment":[{"href":"https:\/\/bookwormhead.com\/cms\/wp-json\/wp\/v2\/media?parent=54251"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bookwormhead.com\/cms\/wp-json\/wp\/v2\/categories?post=54251"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bookwormhead.com\/cms\/wp-json\/wp\/v2\/tags?post=54251"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}