File Access Protection
Wage child themes contain files that should never be publicly accessible via the web — documentation, design briefs, inspiration images, and data files. These are protected using .htaccess rules.
What’s protected
| Path | Purpose | Rule |
|---|---|---|
| *.md, *.txt in theme root | CLAUDE.md, design.md, SETUP.md | Blocked by FilesMatch |
| assets/inspiration/ | Screenshots, mood boards, references | Blocked by directory deny |
| data/ | Protected JSON file storage | Blocked by directory deny |
How it works
Three .htaccess files are created during project scaffolding (Step 1 in SETUP.md):
1. Theme root .htaccess
Blocks all .md and .txt files from being served. This protects CLAUDE.md, design.md, and any other documentation.

    <FilesMatch "\.(md|txt)$">
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order deny,allow
            Deny from all
        </IfModule>
    </FilesMatch>

2. assets/inspiration/.htaccess
Denies all access to the inspiration directory. This prevents anyone from browsing or downloading reference screenshots and mood boards.

    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>

3. data/.htaccess
Same rule as above. Protects the JSON file storage used by wage_data_read() and wage_data_write().
Important notes
- Requires Apache. These rules use .htaccess, which is Apache-only. If your server runs Nginx, you’ll need equivalent location blocks in your Nginx config.
- The parent theme has its own .htaccess with the same FilesMatch rule, protecting CLAUDE.md and SETUP.md in the framework itself.
- CSS, JS, images, and fonts are unaffected. The rules specifically target documentation files and protected directories — all theme assets load normally.
Verifying protection
After deploying, test that protected files return a 403 Forbidden:

    curl -s -o /dev/null -w "%{http_code}" "https://example.com/wp-content/themes/wage-client/CLAUDE.md"
    # Should return: 403

    curl -s -o /dev/null -w "%{http_code}" "https://example.com/wp-content/themes/wage-client/design.md"
    # Should return: 403

    curl -s -o /dev/null -w "%{http_code}" "https://example.com/wp-content/themes/wage-client/assets/css/site.css"
    # Should return: 200

Nginx equivalent
If you need to run on Nginx, add these rules to your server block:

    # Block .md and .txt files in theme directories
    location ~* /wp-content/themes/.*\.(md|txt)$ {
        deny all;
        return 403;
    }

    # Block inspiration and data directories
    location ~* /wp-content/themes/.*/assets/inspiration/ {
        deny all;
        return 403;
    }
    location ~* /wp-content/themes/.*/data/ {
        deny all;
        return 403;
    }
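
The checks from "Verifying protection" can be run as one script against either Apache or Nginx. This is an added example, not part of the Wage framework; it extends the page's curl checks to the two protected directories. The function names and the files example.png and example.json are assumptions, so substitute files that exist in your theme.

```shell
#!/usr/bin/env bash
# Added example: post-deploy check that protected theme paths are denied.
# File names under assets/inspiration/ and data/ are placeholders (assumed).

# Print the HTTP status code for a URL (same curl flags as the checks above).
fetch_status() {
  curl -s -o /dev/null -w "%{http_code}" "$1"
}

# verify_theme BASE_URL
# Prints one result line per path and returns the number of failed checks.
verify_theme() {
  local base="${1%/}" failures=0 expected path actual
  while read -r expected path; do
    # curl exits non-zero on connection errors; record that as status 000.
    actual="$(fetch_status "$base/$path")" || actual="000"
    if [ "$actual" = "$expected" ]; then
      echo "ok    $actual  $path"
    else
      echo "FAIL  $actual  $path (expected $expected)"
      failures=$((failures + 1))
    fi
  done <<'EOF'
403 CLAUDE.md
403 design.md
403 SETUP.md
403 assets/inspiration/example.png
403 data/example.json
200 assets/css/site.css
EOF
  return "$failures"
}

# Run when a theme URL is given, e.g.:
#   ./verify.sh https://example.com/wp-content/themes/wage-client
if [ "$#" -gt 0 ]; then
  verify_theme "$1"
fi
```

A non-zero exit status is the count of failed checks, so the script can gate a deployment pipeline.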