[resolved] Installation of WordPress Different Directory for Security (12 posts)

  1. pchhetri
    Member
    Posted 7 months ago #

    Hello,

    I recently took a WordPress 3 essential training from lynda.com with Morten Rand-Hendriksen, and he suggested installing WordPress in a different subdirectory rather than installing in the root. I wanted to know how much of a difference this makes security-wise, or whether it will be more trouble down the road setting it up this way.

    The version he was using was 3.3.1, and I'm not sure whether, with the new version (3.6) of WordPress, installation in a subdirectory gives any security benefits, i.e. the security has been increased.

    I googled security for wordpress but installing it in a different directory didn't show. Other things such as db prefixes, htaccess modifications did show.

    Also, a similar question regarding the use of a throwaway FTP account (another thing suggested by Morten) to upload files: or is a single SFTP account sufficient?

    I haven't installed my site yet. Wanted some feedback before I do. I'm using DreamHost, if that helps!

  2. leejosepho
    Member
    Posted 7 months ago #

    > I haven't installed my site yet. Wanted some feedback before I do. I'm using DreamHost, if that helps!

    I would suggest calling and asking them specifically about whether you can install WordPress as a primary domain in a sub-folder and still have a normal URL such as mysite.com. That is no problem whatsoever at BlueHost where I have my primary domain and two sub-domains all together (in their respective folders with names of my choosing) in a folder beyond "root" without having to do anything tricky at all.

  3. pchhetri
    Member
    Posted 7 months ago #

    I have asked them and I can do so in DreamHost. Do you have your site set up in such a manner, installed in a subdirectory? Do you find it beneficial, or are there any problems that you face?

  4. leejosepho
    Member
    Posted 7 months ago #

    No problems whatsoever. I can go to my server account (via FileZilla and SFTP) and easily distinguish one installation from another...and please forgive me if necessary for again saying I *never* have to do anything tricky to make something work or to keep things working!

    Also, go slowly and look at various options thoughtfully while doing the installation. I would suggest *not* using the default username "admin" from the very beginning, and I think you might also be able to do some additional security-related things during installation by picking a non-default name for one thing or another...but I do not know any details there since I knew nothing about any of this back then.

    Edit: Where I see people having problems is when they try changing "WordPress Address (URL)" and/or "Site Address (URL)" *after* installation, and I have always stayed completely away from those at Dashboard > Settings > General.

  5. pchhetri
    Member
    Posted 7 months ago #

    To clarify you have your sites installed at:
    root/subdirectory instead of
    root/ (as it normally would install)

  6. leejosepho
    Member
    Posted 7 months ago #

    I do not want to post my exact tree, but yes, it is something like this:

    root/folder/sites/site1 & site2 & site3 all together side-by-side inside the /sites/ folder.

    And as to security, that means no site's .htaccess file is in "root" since pointing for each site has been established elsewhere...and your host will help you with that initial setup that will all make complete sense after you see it and will be easy to maintain as you go along. Just a year ago, I had never even heard of FileZilla!

  7. pchhetri
    Member
    Posted 7 months ago #

    Is it possible to revert this setup if there are problems I face in the future? I assume I would just move all the files to the root directory, and vice versa as well?

  8. leejosepho
    Member
    Posted 7 months ago #

    I have no need or desire to try, but I believe I could put any site anywhere today and make a couple of simple clicks at my Host cPanel (and possibly a change in wp-config) to simply re-point that site's URL and all would still be quite well. Then, and even though I have not been mentioning this since I do not want to introduce confusion here...

    My primary domain had first been installed in "root"...and then I later moved it (drag-and-drop, nothing more, and then a special .htaccess to re-point its URL) to its own sub-folder beside the other sites' folders so I could get rid of the confusion I was experiencing while navigating from one site to another in FileZilla. At least as I saw things at the time, my sub-domains were neat-and-orderly and my primary domain was not since some of the files in "root" did not belong to it exclusively.

  9. Ipstenu-DH
    DreamHost Rep
    Posted 7 months ago #

    There's no difference in security if you have WP in a folder or not.

    You can do it, or not, per these directions: http://codex.wordpress.org/Giving_WordPress_Its_Own_Directory

    Undoing is pretty much the same, just backwards.

  10. pchhetri
    Member
    Posted 7 months ago #

    I see (comment in article for 2011) that putting WordPress in a different directory would hide the login screen. I tried that on my computer via localhost but it didn't work...it just redirected it to my login screen. Is this feature removed in newer versions of WordPress?

    Also could you provide me some details if possible as to why it won't make a difference in security?

  11. pchhetri
    Member
    Posted 7 months ago #

    Also, if you guys could point me to articles that explain what I should follow to provide extra layers of security, I would be grateful! There are just too many on the web and again idk which methods are current or outdated.

  12. Ipstenu-DH
    DreamHost Rep
    Posted 7 months ago #

    > Also could you provide me some details if possible as to why it won't make a difference in security?

    Because view source will show me where the login screen is.

    If I view your source and see that the themes are in domain.com/wp/wp-content/themes then I know to go to domain.com/wp/wp-admin to log in.

    And yes, scanners can pick that up.

    Personally I only do this one: http://codex.wordpress.org/Hardening_WordPress#Securing_wp-config.php

    Everything else is good passwords, good behavior, always upgrade. I wrote about it here this year: http://halfelf.org/2013/false-security/
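
The point made in the last reply, as an added example that is not part of the original thread: a self-audit that reads the HTML your own front page serves and reports the install directory (and therefore the `wp-admin` location) that its asset URLs disclose. The sample HTML is constructed, the function names are hypothetical, and the script assumes the default layout where `wp-content` and `wp-includes` sit inside the install directory.

```python
import re
from urllib.parse import urlparse

# Constructed sample: front page of a site installed in /wp/ but served
# from the domain root, as in the "own directory" Codex procedure.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://domain.com/wp/wp-content/themes/twentythirteen/style.css?ver=3.6">
<script src="http://domain.com/wp/wp-includes/js/jquery/jquery.js?ver=1.10.2"></script>
<link rel="stylesheet" href="http://cdn.example.net/lib/wp-content/shared.css">
</head><body><img src="/wp/wp-content/uploads/2013/08/logo.png"></body></html>
"""

# href/src attribute values that point into core WordPress directories.
ASSET_RE = re.compile(
    r"""(?:href|src)\s*=\s*["']([^"']*?/(?:wp-content|wp-includes)/[^"']*)["']""",
    re.IGNORECASE,
)
BASE_RE = re.compile(r"(.*?)/(?:wp-content|wp-includes)/")


def disclosed_install_paths(html, site_host):
    """Return the set of install base paths revealed by asset URLs in html."""
    bases = set()
    for url in ASSET_RE.findall(html):
        parsed = urlparse(url)
        # Skip assets served from other hosts (CDNs, third parties).
        if parsed.netloc and parsed.netloc.lower() != site_host.lower():
            continue
        match = BASE_RE.match(parsed.path)
        if match:
            bases.add(match.group(1) + "/")
    return bases


def login_urls(html, site_host, scheme="http"):
    """Login locations any visitor can derive from the page source alone."""
    return sorted(
        f"{scheme}://{site_host}{base}wp-admin/"
        for base in disclosed_install_paths(html, site_host)
    )


if __name__ == "__main__":
    for url in login_urls(SAMPLE_HTML, "domain.com"):
        print("page source discloses:", url)
```

Run it against the saved source of your own front page: if it prints the subdirectory, the directory name is not a secret and should not be counted as a security control.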
