WordPress has become the best blogging platform and mostly used by people. Did you ever know that a lots of hacker are always trying to get into your WordPress system? They, generally do this by using some SQL query (SQL injection) to the admin templates of WordPress. As the new blogger install WordPress in the root directory and keep the whole things as it was at the time of installation, things are become quite easier for the hackers because they can easily target location of your website core files.
Moving your WordPress installation files from the default location can be a good choice so that, any body can’t know about the location of your website’s core files. As a result, hackers will remain failure to perform any type of evil action with your blog.
First of all, take a full backup of your WordPress blog to ensure that you can restore the stable state of your blog if any thing goes wrong with your site configuration.
How to Move the WordPress Core files
1. Log-in to your FTP and create a directory at as deep as you like. For instance the location may be
public_html > example > data > some_directory > core2. Download the followings from your current installation directory (generally public_html)
- wp-admin directory
- wp-includes directory
- wp-content directory
and all php files in the same folder like index.php, wp-config.php, wp-activate.php, wp-blog-header.php, wp-atom.php, wp-comments.php and so on. Also download the .HTACCESS file.
3. Upload all the files and directory that you’ve downloaded in the step 2 at your desired location (public_html > example > data > some_directory > core). Wait for a while until the uploading process completes.
4. Don’t delete the existing directories, currently on your server. You can do it later.
Make a small change in your WordPress settings
Log-in to your WP admin area and go to Settings > General. Now at “WordPress address url” field write down the complete url of the directory where you’ve uploaded the files in step 3. In this example the path should be ‘https://www.techtipsapp.com > example > data > some_directory > core'.
5. Save the changes by clicking on the “Save changes” button.
6. Immediately after this, your blog home can be messed up and you will get some error massage. Don’t worry! Things are yet to complete.
7. Download the ‘index.php’ file from your root directory and open it with Notepad. Search for the line
require(‘./wp-blog-header.php’);
8. Change the above code to require(‘./your_directory_path/wp-blog-header.php’);.
As for this example the code should be require(‘./example/data/some_directory/core/wp-blog-header.php’);
9. Upload the edited version of ‘index.php’ in the root drive over writing the existing one.
That’s all. You have successfully moved your WordPress core files in a custom location.
What will be my WordPress login link?
The old login link will not further work. Your new login link would be http://yourdomain/new_directory/wp-login.php. For instance the new login url is ‘https://www.techtipsapp.com > example > data > some_directory > core > wp-login.php'.
Should I delete My old files from the root directory?
Well! Once you’ve successfully moved the WordPress core files and your site is running properly, you can delete all the WordPress files from the root directory except the wp-content directory, ‘index.php’ and .HTACCESS file.
You should concentrate here:
1. Do not delete the wp-content folder from its old location as it contains the folder “Upload” where the post images of your blog resides. Deleting that folder will make lost your post from their images. But if you want not to keep the wp-content folder in two locations as there exists another in the new location then you can host post images in a subdomain or update the previous post with the new image path. Both the method has been described in the article Host Images of WordPress Blog in a Subdomain for Better Speed.
2. Don’t publish the login link in your website so that any body can find again your WP core file location. Otherwise, all your hard work will become meaningless.
Does your WordPress still reside at the root directory or in a different custom location?
nice trick
i am sure after making this changes my site will become much safer from hackers ……..
@TechGopal: Definitely. The hackers need at least the source to hack you and you are hiding the source from them. Anyway thanks for commenting here.
Very useful. Thanks for the clear explanations! I have a static website in my root, but have my WordPress in a subdirectory called “blog”. I’d like to get rid of the static website and keep the WP in “blog” but have anyone landing in the root automatically go the WP portion. Is that fairly easy?
@Mrchuckles: Yes you can do that by the .htaccess file in your root drive. If there exits no such file then create it by simple Notepad text and name it as .htaccess. In .htaccess file add the following code at the very first line:
Options +FollowSymlinksrewritecond %{http_host} ^yourdomain.com [nc]
rewriterule ^(.*)$ http://www.1and1.com/ [L,r=301,nc]
Change “yourdomain” with your domain name.Let me know if this solves your problem.
Thank you for commenting here.
Thanks for the suggestion. I tried it but didn’t have any luck. When I typed in http://www.mydomain.com it did not redirect to WordPress but rather landed my on my host’s splash page based on their default.html. It appears I need to create an index that points to my blog. When I typed http://www.mydomain.com/blog it gave me an internal server error.
I appreciate your help but if you don’t want to mess with it I’ll figure it out eventually. I feel bad taking your time. Thanks though.
Um… you realise all of your posts like directly to your files and any hacker with 1% of a brain knows how to view the source of a website right?
i did that with my blog, but i my footer didn’t appear :s
i have just copied the index.php + .htaccess, then i have edited my index.php to the directory of the core files and changed index location from WordPress settings
this is .htaccess contain:
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
Thanks
Sorry, but there is ZERO protection by doing this. It’s just a waste of time. A few spams may miss your blog, but that’s only the really bad ones that akesmit would block anyway.
99% are going after your theme files anyway, and looking for vulnerable timThumb scripts. This isn’t even secret, even after you move them, going to /wp-admin would just redirect you there anyway!
Thanks a lot for the file. Now using this file my site will became more safer from the spammer. So can you please tell me that now I am doing the WordPress Blog Customization, so for the blog is there any file available for preventing the spam. If yes than let me know about it.
Thank you for the tip. Just after setting up my first wordpress in my site, I realized that by default all my files would be in a known location and knew that I should change the location of them. So I googled and found this page.
Of course, it must not be forgotten to exclude “login” feature from the site as you mentioned. 🙂
Does this really protect wordpress files from malicious visitors, or is there still a way for them to find the location of the files?
Oh no! I just found out that when source is seen from internet explorer menu, in it says all about the location of the files. 🙁 Is there a way to hide this, also???
On the web it is said that it is impossible to hide source code. Even if javascript is used to encrypt the source, you will lose visitors with javascript enabled including search engines. 🙁 Therefore, I think at the end the result is that it is impossible to hide wordpress files location, as it can be seen inside the source code. 🙁
Hi,
I have done this a while ago. I have also moved the uploads folder and after updating the database entries the site was working again with all the images. However, when you right click on any image and display the image properties you can see the path of the upload folder, which is at the new location of the wordpress core files.
e.g. I changed the core folder from root to “root/newsecretfolder” and the uplod folder is now in “root/newsecretfolder/wp-content/uploads”. The image path will now show this path and reveal the secret folder.
I now tried to move the uploads folder outside the wordpress core folder (“root/uploads”), but I don’t succeed. I can only get it to work at location “root/newsecretfolder/uploads”.
Any suggestion on how to achieve this? I’ve been googling for 2 hours now.
Michael
You can try this article:
https://www.techtipsapp.com/host-images-wordpress-blog-subdomain-better-speed/. Just treat your path as the subdomain.