[resolved] Installation of WordPress Different Directory for Security (14 posts)

  1. pchhetri
    Member
    Posted 10 months ago #

    Hello,

    I recently took a WordPress 3 essential training from lynda.com with Morten Rand-Hendriksen. And he suggested installing WordPress in a different subdirectory rather than installing in the root. I wanted to know how much of a difference this makes security-wise, or whether it will be more trouble down the road setting it up this way.

    The version he was using was 3.3.1, and I'm not sure if with the new version (3.6) of WordPress installation in a subdirectory gives any security benefits, i.e. the security has been increased.

    I googled security for WordPress but installing it in a different directory didn't show. Other things such as db prefixes, htaccess modifications did show.

    Also, a similar question regarding the use of a throwaway FTP account (another thing suggested by Morten) to upload files, or is a single sFTP account sufficient?

    I haven't installed my site yet. Wanted some feedback before I do. I'm using DreamHost if that helps!

  2. leejosepho
    Member
    Posted 10 months ago #

    > I haven't installed my site yet. Wanted some feedback before I do, I'm using dreamhost if that helps!

    I would suggest calling and asking them specifically about whether you can install WordPress as a primary domain in a sub-folder and still have a normal URL such as mysite.com. That is no problem whatsoever at BlueHost where I have my primary domain and two sub-domains all together (in their respective folders with names of my choosing) in a folder beyond "root" without having to do anything tricky at all.

  3. pchhetri
    Member
    Posted 10 months ago #

    I have asked them and I can do so in DreamHost. Do you have your site set up in such a manner, installed in a subdirectory? Do you find it beneficial or have any problems that you face?

  4. leejosepho
    Member
    Posted 10 months ago #

    No problems whatsoever. I can go to my server account (via FileZilla and SFTP) and easily distinguish one installation from another...and please forgive me if necessary for again saying I *never* have to do anything tricky to make something work or to keep things working!

    Also, go slowly and look at various options thoughtfully while doing the installation. I would suggest *not* using the default username "admin" from the very beginning, and I think you might also be able to do some additional security-related things during installation by picking a non-default name for one thing or another...but I do not know any details there since I knew nothing about any of this back then.

    Edit: Where I see people having problems is when they try changing "WordPress Address (URL)" and/or "Site Address (URL)" *after* installation, and I have always stayed completely away from those at Dashboard > Settings > General.

  5. pchhetri
    Member
    Posted 10 months ago #

    To clarify you have your sites installed at:
    root/subdirectory instead of
    root/ (as it normally would install)

  6. leejosepho
    Member
    Posted 10 months ago #

    I do not want to post my exact tree, but yes, it is something like this:

    root/folder/sites/site1 & site2 & site3 all together side-by-side inside the /sites/ folder.

    And as to security, that means no site's .htaccess file is in "root" since pointing for each site has been established elsewhere...and your host will help you with that initial setup that will all make complete sense after you see it and will be easy to maintain as you go along. Just a year ago, I had never even heard of FileZilla!

  7. pchhetri
    Member
    Posted 10 months ago #

    Is it possible to revert this setup if there are problems I face in the future? I assume I would just move all the files to the root directory and vice versa as well?

  8. leejosepho
    Member
    Posted 10 months ago #

    I have no need or desire to try, but I believe I could put any site anywhere today and make a couple of simple clicks at my Host cPanel (and possibly a change in wp-config) to simply re-point that site's URL and all would still be quite well. Then, and even though I have not been mentioning this since I do not want to introduce confusion here...

    My primary domain had first been installed in "root"...and then I later moved it (drag-and-drop, nothing more, and then a special .htaccess to re-point its URL) to its own sub-folder beside the other sites' folders so I could get rid of the confusion I was experiencing while navigating from one site to another in FileZilla. At least as I saw things at the time, my sub-domains were neat-and-orderly and my primary domain was not since some of the files in "root" did not belong to it exclusively.

  9. Ipstenu-DH
    DreamHost Rep
    Posted 10 months ago #

    There's no difference in security if you have WP in a folder or not.

    You can do it, or not, per these directions: http://codex.wordpress.org/Giving_WordPress_Its_Own_Directory

    Undoing is pretty much the same, just backwards.

  10. pchhetri
    Member
    Posted 10 months ago #

    I see (comment in article for 2011) that putting WordPress in a different directory would hide the login screen. I tried that on my computer via localhost but it didn't work...it just redirected it to my login screen. Is this feature removed in newer versions of WordPress?

    Also could you provide me some details if possible as to why it won't make a difference in security?

  11. pchhetri
    Member
    Posted 10 months ago #

    Also, if you guys could point me to articles that explain what I should follow to provide extra layers of security, I would be grateful! There are just too many on the web and again idk which methods are current or outdated.

  12. Ipstenu-DH
    DreamHost Rep
    Posted 10 months ago #

    > Also could you provide me some details if possible as to why it won't make a difference in security?

    Because view source will show me where the login screen is.

    If I view your source and see that the themes are in domain.com/wp/wp-content/themes then I know to go to domain.com/wp/wp-admin to log in.

    And yes, scanners can pick that up.

    Personally I only do this one: http://codex.wordpress.org/Hardening_WordPress#Securing_wp-config.php

    Everything else is good passwords, good behavior, always upgrade. I wrote about it here this year: http://halfelf.org/2013/false-security/
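
The point made in the reply above, shown as an added example that is not part of the original thread: an audit of your own page source that derives the WordPress directory, and from it the wp-admin location, from ordinary theme and script links. The HTML sample, the function names and the `cdn.example.net` host are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import re

# Constructed sample: front page of a site served at the domain root while
# WordPress itself lives in the /wp/ subdirectory (as in the reply above).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://domain.com/wp/wp-content/themes/example/style.css">
<script src="/wp/wp-includes/js/jquery/jquery.js"></script>
</head><body><img src="http://cdn.example.net/logo.png"></body></html>"""

# Everything in the URL path before wp-content/ or wp-includes/ is the install base.
WP_DIR = re.compile(r"^(?P<base>/(?:[^/]+/)*?)wp-(?:content|includes)/")


class AssetCollector(HTMLParser):
    """Collect every href/src attribute value in the document."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)


def disclosed_install_paths(html, page_url):
    """Return the WordPress base URLs that same-host asset links reveal."""
    collector = AssetCollector()
    collector.feed(html)
    host = urlparse(page_url).netloc
    bases = set()
    for raw in collector.urls:
        url = urlparse(urljoin(page_url, raw))  # resolve relative links
        if url.netloc != host:
            continue  # third-party asset, says nothing about this install
        match = WP_DIR.match(url.path)
        if match:
            bases.add(f"{url.scheme}://{url.netloc}{match.group('base')}")
    return sorted(bases)


def inferred_admin_urls(html, page_url):
    """Admin URLs that anyone reading the page source can derive."""
    return [base + "wp-admin/" for base in disclosed_install_paths(html, page_url)]
```

Running `inferred_admin_urls` against the rendered front page of your own site shows whether the subdirectory name is already visible to every visitor.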

  13. John Doe
    Member
    Posted 3 months ago #

    Hello

    While testing the live version of my website I discovered that a 'Login' link appears on my menu that I never added. When I clicked it (from a different computer but on the same Wi-Fi connection), I was taken to wp-login page. Whereas I was hoping this was the registration page for the users.

    My guess is that the root cause can be the WordPress Address (URL) and Website Address (URL) that can be found at Settings > General. In my case, it is the same: my domain.

    When I installed WordPress, (I think) it didn't ask me where to install it.

    Currently WordPress and my theme share the same directory on my C-Panel: www.

    When I went to Appearance > Widgets I discovered Meta widget was not active: it was just in the Available Widgets area.

    I still clicked on it and changed the properties to Inactive Widgets. Then I checked by logging out of my account but the Log In link still appears.

    Then I discovered that when I make it inactive, a copy of it goes to the Inactive Widgets area but the original remains the same.
    Should I delete the Meta Widget? Or is there a way to manually remove it?

    Please help me solve this problem.

    Thanks.

  14. cubecolour
    ɹoʇɐɹǝpoɯ
    Posted 3 months ago #

    John Doe, you have posted in a seven month old resolved topic which is unrelated to what you are asking about. Please start a new topic for your question.
