Hi folks,
I'm looking to change wp-content.
In wp-settings.php I'm looking at wp_initial_constants. Setting 'WP_CONTENT_DIR','/home/user/some-dire' didn't work out...
Can you please give me a hand here?
Thanks!
Follow this guide:
http://codex.wordpress.org/Editing_wp-config.php#Moving_wp-content
Well I've read that, but I can't understand if the define should go INSIDE the wp_initial_constants or not.
I've added the defines at the end of the wp-settings.php and it really didn't work...
All you have to do is edit just the wp-config.php file.
Oh, so the defines should be done in wp-config, not in wp-settings?
Correct.
Ok, thanks a lot!
I'll get back if something goes wrong.
You're welcome!
Bummer!
Warning: array_keys() [function.array-keys]: The first argument should be an array in /home/remedia/public_html/wp-includes/theme.php on line 513
In the wp-config.php I've added, just before the ?>, the following lines:
define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/public_html/files' );
define( 'WP_CONTENT_URL', 'http://www.re-media.ro/files');
define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/public_html/files/plugins' );
define( 'WP_PLUGIN_URL', 'http://www.re-media.ro/files/plugins');
define( 'PLUGINDIR', $_SERVER['DOCUMENT_ROOT'] . '/public_html/files/plugins' );
I've tried:
/home/user/public_html/files
and
/public_html/files
Both settings generate the above error.
Unfortunately, though you can move the /wp-content/ directory, you can't change its name.
Oh, so the single thing I can do is move wp-content to files/wp-content? The idea was to move the entire wp-content to files in order to secure the site...
If I can move wp-content, but I can't change its name, then it's the same thing as leaving it where it is, as a hacker can take a fast look at the source code and see if he can find wp-content. He doesn't care if wp-content is in /files or in the root dir...
So, as a final "product", I'm looking for a way to rename wp-content and "hide" the fact that the website is using WP, for security reasons.
That's correct. It's really more of a convenience thing (having the directory where you want it) than a security thing.
Unfortunately, too many plugins and themes rely on the directory being named /wp-content/.
Hi,
How about making a copy of your invisible ( .htaccess ) file, and moving it to the root of your site. ( /public_html/your site name )
Pierre
@postrophe can you please be more explicit?
I was thinking of a symlink, but that will not fix the fact that WP will still post /wp-content/ in its source link...
Yeah, but if you look at the source, you can still find /wp-content/ there...
The idea here is to hide any "wp-trace" from the source. If an attacker knows what CMS you are using...you are extremely vulnerable.
So the story here is to completely hide "wp-content" from the source, not just move or restrict paths.
@postrophe
That just proves that there is a blank index.php file present in your wp-content directory. As there is with all default installations of WP 3.0
Everything else located in your themes, plugins, and uploads folders are as plain as day in your source code. They are web accessible directories that display your theme and uploaded content.
@ClaytonJames yup, that's my point...
So, as far as I can understand, there's no way to hide the wp-content from the source? Wooow...then at this chapter it's "1-0" for Joomla...which I really don't need for this project...
Hi,
Sorry I missed that " source code ".
I've seen some thread on the net about that. Cannot remember where.
Good luck.
Pierre
@ClaytonJames
Everything else located in your themes, plugins, and uploads folders are as plain as day in your source code.
Yes
They are web accessible directories that display your theme and uploaded content.
No
( well, I've left one directory of PDFs to be accessible )
Pierre
The idea here is to hide any "wp-trace" from the source. If an attacker knows what CMS you are using...you are extremely vulnerable.
I can't really think of any reason to go out of one's way to hide them if file and directory ownership and permissions are correct.
"Hacking" by script seems to make that a weak solution. If you're using WordPress (or any other known platform) the core file and directory structures are also known to anyone who fabricates a tool to search for un-patched versions of vulnerable files. And yes, those could include searches for vulnerable plugins as well, but I think any real threat is more likely to come from weaknesses in plugins or themes from un-trusted sources - which have to be installed by the user. Or from errors and exploits in your ftp account, or server administration, than it is from the web. - Just my opinion, mind you.
They are web accessible directories that display your theme and uploaded content.
No
Yes, they are. The content (files) located in the "Themes", "Uploads", and "Plugins" directories are all accessible with any web browser. The directories may not be "browse-able" due to the presence of blank index files or "Options -Indexes" in an .htaccess file, but the files in them are viewable.
Here's an image from your uploads folder.
http://pierrecote.fondationcem.org/wp-content/uploads/2009/12/Old-Raman-road1.png
@ClaytonJames totally agree, if you think of "experienced attackers", not script kiddiez that just found a fresh exploit...
Like...a guy comes on the site and says "hey, what CMS are they using". They take a quick look at the source, and in 5 seconds voila...they know that you are using WP.
If such a person will not see any trace of wp-content then it will - at least - think that the website is using a custom platform and let it go.
Agreed, for persuasive hackers, this thing is not a problem, as they can try to access a system-wide directory, like /wp-admin/ (that you can't rename), and see that you're using WP.
So the basic idea is to make at least a "first impression" of security, for those who are more curious than they should.
Sillybean
WordPress Hidden Gems: Hiding wp-config.php
Your configuration file contains your database username and password, so it’s important to keep this file secure. If you are installing WordPress in your web root directory (such as public_html), you can move your wp-config.php file to the parent directory — one that isn’t readable from a browser — without changing any settings. WordPress will automatically recognize the file’s new location.
to me this is way better than trying to move/hide folders
@Samuel B - as replied to ClaytonJames, yes, also this is a very good way to secure a WP site.
Still, the idea in this thread is to hide /wp-content/ from the source...and as far as I understood until now there's no way to do that.
@ClaytonJames
You got me there. I didn't dig enough.
Hummm... I guess it's a "first impression" of security, then.
Thanks, I'm waking up, now.
Pierre
if you think of "experienced attackers", not script kiddiez that just found a fresh exploit...
I don't think that at all. Anyone with ten minutes and ill intent can download a script and try to hack their way into any platform. It doesn't matter who they are. That sort of info flows like wine if you have a mind to look for it.
If such a person will not see any trace of wp-content then it will - at least - think that the website is using a custom platform and let it go.
It's not usually "someone" as much as automated scripting, that looks for entry points. No, not to make a first impression for anyone, but to learn how to properly secure what you have. An easy - if not exaggerated - example...
type your domain name into the address bar and add readme.html to it. Like this: //pierrecote.fondationcem.org/readme.html
Now there's something you can remove if you hadn't already thought of it. There's plenty you can do. Here is some basic info to get you started with things that you can control.
And again, this is all just my opinion. The more you can do to protect yourself, the better off you are. Don't allow my thoughts to keep you from searching for a solution that achieves what you want. I would be interested to know what you might find.
Good luck to you!
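Added example, not part of any post in this thread: a local audit of the controls the replies above name (readme.html left in the web root, wp-config.php kept inside the web root or readable by other accounts, content directories with neither a blank index.php nor "Options -Indexes"). The directory tree is constructed in a temp folder, and the function names and finding strings are this example's own.

```python
import os
import stat
import tempfile

CONTENT_DIRS = ["wp-content", "wp-content/themes",
                "wp-content/plugins", "wp-content/uploads"]

def indexes_disabled(web_root):
    """True if the root .htaccess carries an 'Options -Indexes' directive."""
    path = os.path.join(web_root, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path) as fh:
        for line in fh:
            words = line.split("#")[0].lower().split()  # drop comments
            if words[:1] == ["options"] and "-indexes" in words:
                return True
    return False

def audit(web_root):
    """Return a list of findings for a WordPress web root on local disk."""
    findings = []
    if os.path.isfile(os.path.join(web_root, "readme.html")):
        findings.append("readme.html present")
    cfg = os.path.join(web_root, "wp-config.php")
    if os.path.isfile(cfg):
        findings.append("wp-config.php inside web root")
        if stat.S_IMODE(os.stat(cfg).st_mode) & stat.S_IRWXO:
            findings.append("wp-config.php accessible to other users")
    if not indexes_disabled(web_root):
        for rel in CONTENT_DIRS:
            d = os.path.join(web_root, rel)
            if os.path.isdir(d) and not os.path.isfile(os.path.join(d, "index.php")):
                findings.append("listable directory: " + rel)
    return findings

def make_sample(hardened):
    """Build a constructed WordPress-like tree; return its web root."""
    root = os.path.join(tempfile.mkdtemp(), "public_html")
    for rel in CONTENT_DIRS:
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    open(os.path.join(root, "wp-content", "index.php"), "w").close()  # blank index
    if hardened:
        with open(os.path.join(root, ".htaccess"), "w") as fh:
            fh.write("Options -Indexes\n")
        cfg = os.path.join(os.path.dirname(root), "wp-config.php")  # one level up
    else:
        open(os.path.join(root, "readme.html"), "w").close()
        cfg = os.path.join(root, "wp-config.php")
    open(cfg, "w").close()
    os.chmod(cfg, 0o600 if hardened else 0o644)
    return root
```

Calling `audit()` on a real install only reads the local filesystem; it makes no web requests.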
@ClaytonJames - thanks for your tips! I've already removed readme.html hehehe, that's a nice thing to begin with :P
I'll keep searching for a way to achieve the "no /wp-content/ in source" goal and...who knows...maybe I'll find a way.
So, anybody...any ideas? :)
and what about the method explained here: http://www.nexwp.com/stories/how-to-protect-the-wp-content-folder-of-wordpress ??
it seems to work quite nicely.
This topic has been closed to new replies.