WordPress.org

Forums

Change wp-content (29 posts)

  1. Razva
    Member
    Posted 3 years ago #

    Hi folks,

    I'm looking to change wp-content.

    In wp-settings.php I'm looking at wp_initial_constants. Setting 'WP_CONTENT_DIR','/home/user/some-dire' didn't work out...

    Can you please give me a hand here?

    Thanks!

  2. James
    Happiness Engineer
    Posted 3 years ago #

  3. Razva
    Member
    Posted 3 years ago #

    Well I've read that, but I can't understand if the define should go INSIDE the wp_initial_constants or not.

    I've added the defines at the end of the wp-settings.php and it really didn't work...

  4. James
    Happiness Engineer
    Posted 3 years ago #

    All you have to do is edit just the wp-config.php file.

  5. Razva
    Member
    Posted 3 years ago #

    Oh, so the defines should be done in wp-config, not in wp-settings?

  6. James
    Happiness Engineer
    Posted 3 years ago #

    Correct.

  7. Razva
    Member
    Posted 3 years ago #

    Ok, thanks a lot!

    I'll get back if something goes wrong.

  8. James
    Happiness Engineer
    Posted 3 years ago #

    You're welcome!

  9. Razva
    Member
    Posted 3 years ago #

    Bummer!

    Warning: array_keys() [function.array-keys]: The first argument should be an array in /home/remedia/public_html/wp-includes/theme.php on line 513

    In the wp-config.php I've added, just before the ?>, the following lines:

    define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/public_html/files' );
    define( 'WP_CONTENT_URL', 'http://www.re-media.ro/files');
    define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/public_html/files/plugins' );
    define( 'WP_PLUGIN_URL', 'http://www.re-media.ro/files/plugins');
    define( 'PLUGINDIR', $_SERVER['DOCUMENT_ROOT'] . '/public_html/files/plugins' );

    I've tried:
    /home/user/public_html/files
    and
    /public_html/files

    Both settings generate the above error.

  10. James
    Happiness Engineer
    Posted 3 years ago #

    Unfortunately, though you can move the /wp-content/ directory, you can't change its name.

  11. Razva
    Member
    Posted 3 years ago #

    Oh, so the single thing I can do is move wp-content to files/wp-content? The idea was to move the entire wp-content to files in order to secure the site...

    If I can move wp-content, but I can't change its name, then it's the same thing as leaving it where it is, as a hacker can take a fast look at the source code and see if he can find wp-content. He doesn't care if wp-content is in /files or in the root dir...

    So, as a final "product", I'm looking for a way to rename wp-content and "hide" the fact that the website is using WP, for security reasons.

  12. James
    Happiness Engineer
    Posted 3 years ago #

    That's correct. It's really more of a convenience thing (having the directory where you want it) than a security thing.

    Unfortunately, too many plugins and themes rely on the directory being named /wp-content/.

  13. postrophe
    Member
    Posted 3 years ago #

    Hi,

    How about making a copy of your invisible ( .htaccess ) file, and moving it to the root of your site. ( /public_html/your site name )

    Pierre

  14. Razva
    Member
    Posted 3 years ago #

    @postrophe can you please be more explicit?

    I was thinking of a symlink, but that will not fix the fact that WP will still post /wp-content/ in its source link...

  15. postrophe
    Member
    Posted 3 years ago #

    Hi,

    My test site. Try to add ( wp-content/) in the address bar !

    You find a blank page.

    Pierre

  16. Razva
    Member
    Posted 3 years ago #

    Yeah, but if you look at the source, you can still find /wp-content/ there...

    The idea here is to hide any "wp-trace" from the source. If an attacker knows what CMS you are using...you are extremely vulnerable.

    So the story here is to completely hide "wp-content" from the source, not just move or restrict paths.

  17. ClaytonJames
    Member
    Posted 3 years ago #

    @postrophe

    That just proves that there is a blank index.php file present in your wp-content directory. As there is with all default installations of WP 3.0

    Everything else located in your themes, plugins, and uploads folders are as plain as day in your source code. They are web accessible directories that display your theme and uploaded content.

  18. Razva
    Member
    Posted 3 years ago #

    @ClaytonJames yup, that's my point...

    So, as far as I can understand, there's no way to hide the wp-content from the source? Wooow...then at this chapter it's "1-0" for Joomla...which I really don't need for this project...

  19. postrophe
    Member
    Posted 3 years ago #

    Hi,

    Sorry I missed that "source code".

    I've seen some thread on the net about that. Cannot remember where.

    Good luck.

    Pierre

  20. postrophe
    Member
    Posted 3 years ago #

    @ClaytonJames

    > Everything else located in your themes, plugins, and uploads folders are as plain as day in your source code.

    Yes

    > They are web accessible directories that display your theme and uploaded content.

    No

    ( well, I've left one directory of PDFs to be accessible )

    Pierre

  21. ClaytonJames
    Member
    Posted 3 years ago #

    > The idea here is to hide any "wp-trace" from the source. If an attacker knows what CMS you are using...you are extremely vulnerable.

    I can't really think of any reason to go out of one's way to hide them if file and directory ownership and permissions are correct.

    "Hacking" by script seems to make that a weak solution. If you're using wordpress (or any other known platform ) the core file and directory structures are also known to anyone who fabricates a tool to search for un-patched versions of vulnerable files. And yes, those could include searches for vulnerable plugins as well, but I think any real threat is more likely to come from weaknesses in plugins or themes from un-trusted sources - which have to be installed by the user. Or from errors and exploits in your ftp account, or server administration, than it is from the web. - Just my opinion, mind you.

  22. ClaytonJames
    Member
    Posted 3 years ago #

    > > They are web accessible directories that display your theme and uploaded content.

    > No

    Yes, they are. The content (files) located in the "Themes", "Uploads", and "Plugins" directories are all accessible with any web browser. The directories may not be "browse-able" due to the presence of blank index files or "Options -Indexes" in an .htaccess file, but the files in them are viewable.

    Here's an image from your uploads folder.

    http://pierrecote.fondationcem.org/wp-content/uploads/2009/12/Old-Raman-road1.png

  23. Razva
    Member
    Posted 3 years ago #

    @ClaytonJames totally agree, if you think at "experienced attackers", not script kiddiez that just found a fresh exploit...

    Like...a guy comes on the site and says "hey, what CMS are they using". They take a quick look at the source, and in 5 seconds voila...they know that you are using WP.

    If such a person will not see any trace of wp-content then it will - at least - think that the website is using a custom platform and let it go.

    Agreed, for persuasive hackers, this thing is not a problem, as they can try to access a system-wide directory, like /wp-admin/ (that you can't rename), and see that you're using WP.

    So the basic idea is to make at least a "first impression" of security, for those who are more curious than they should be.

  24. Samuel B
    moderator
    Posted 3 years ago #

    Sillybean
    WordPress Hidden Gems: Hiding wp-config.php

    Your configuration file contains your database username and password, so it’s important to keep this file secure. If you are installing WordPress in your web root directory (such as public_html), you can move your wp-config.php file to the parent directory — one that isn’t readable from a browser — without changing any settings. WordPress will automatically recognize the file’s new location.

    to me this is way better than trying to move/hide folders

  25. Razva
    Member
    Posted 3 years ago #

    @Samuel B - as replied to ClaytonJames, yes, also this is a very good way to secure a WP site.

    Still, the idea in this thread is to hide /wp-content/ from the source...and as far as I understood until now there's no way to do that.

  26. postrophe
    Member
    Posted 3 years ago #

    @ClaytonJames

    You got me there. I didn't dig enough.

    Hummm... I guess it's a "first impression" of security, then.

    Thanks, I'm waking up, now.

    Pierre

  27. ClaytonJames
    Member
    Posted 3 years ago #

    > if you think at "experienced attackers", not script kiddiez that just found a fresh exploit...

    I don't think that at all. Anyone with ten minutes and ill intent can download a script and try to hack their way into any platform. It doesn't matter who they are. That sort of info flows like wine if you have a mind to look for it.

    > If such a person will not see any trace of wp-content then it will - at least - think that the website is using a custom platform and let it go.

    It's not usually "someone" as much as automated scripting, that looks for entry points. No, not to make a first impression for anyone, but to learn how to properly secure what you have. An easy - if not exaggerated - example...

    type your domain name into the address bar and add readme.html to it. Like this: //pierrecote.fondationcem.org/readme.html

    Now there's something you can remove if you hadn't already thought of it. There's plenty you can do. Here is some basic info to get you started with things that you can control.

    Hardening WordPress

    And again, this is all just my opinion. The more you can do to protect yourself, the better off you are. Don't allow my thoughts to keep you from searching for a solution that achieves what you want. I would be interested to know what you might find.

    Good luck to you!

  28. Razva
    Member
    Posted 3 years ago #

    @ClaytonJames - thanks for your tips! I've already removed readme.html hehehe, that's a nice thing to begin with :P

    I'll keep searching for a way to achieve the "no /wp-content/ in source" goal and...who knows...maybe I'll find a way.

    So, anybody...any ideas? :)

  29. Manuel Schmalstieg
    Member
    Posted 3 years ago #

    and what about the method explained here: http://www.nexwp.com/stories/how-to-protect-the-wp-content-folder-of-wordpress ??
    it seems to work quite nicely.

Topic Closed

This topic has been closed to new replies.
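
The items raised in posts 17, 21, 22, 24 and 27 (blank index.php files, permissions, the location of wp-config.php, readme.html) can be checked against a local install. This is an added example, not part of the original thread; the function names, the constructed sample tree, and the rule that world-writable counts as incorrect permissions are assumptions.

```python
import os
import stat
import tempfile

def audit_wordpress_tree(web_root):
    """Return sorted findings for a WordPress install rooted at web_root."""
    findings = []
    # Post 27: readme.html ships with core and can simply be removed.
    if os.path.isfile(os.path.join(web_root, "readme.html")):
        findings.append("readme.html present in web root")
    # Post 24: wp-config.php can live one level above the web root.
    if os.path.isfile(os.path.join(web_root, "wp-config.php")):
        findings.append("wp-config.php is inside the web root")
    # Posts 17 and 22: a blank index.php keeps a directory from being listed.
    for sub in ("", "themes", "plugins", "uploads"):
        d = os.path.join(web_root, "wp-content", sub)
        if os.path.isdir(d) and not os.path.isfile(os.path.join(d, "index.php")):
            findings.append("no index.php in " + os.path.relpath(d, web_root))
    # Post 21: permissions. Assumption: world-writable counts as incorrect.
    for dirpath, dirnames, filenames in os.walk(web_root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path) and os.lstat(path).st_mode & stat.S_IWOTH:
                findings.append("world-writable: " + os.path.relpath(path, web_root))
    return sorted(findings)

def build_sample_tree(base):
    """Create a constructed sample install under base and return its web root."""
    root = os.path.join(base, "public_html")
    old_umask = os.umask(0o022)  # make the sample's modes predictable
    try:
        for d in ("themes", "plugins", "uploads"):
            os.makedirs(os.path.join(root, "wp-content", d))
        for f in ("readme.html", "wp-config.php", "wp-content/index.php",
                  "wp-content/themes/index.php", "wp-content/plugins/index.php"):
            open(os.path.join(root, f), "w").close()
    finally:
        os.umask(old_umask)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_wordpress_tree(build_sample_tree(tmp)):
            print(finding)
```

None of these checks depends on what the content directory is called, only on what is reachable and writable inside the web root.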