WordPress.org


[resolved] Renaming or Moving WP-Admin & WP-Content Effects (7 posts)

  1. Brijesh
    Member
    Posted 3 months ago #

    I'm still learning WP. Previously I had done a 1-click installation of WP. Everything worked fine. But now, I'm planning to install it manually.

    What are the Pros and Cons of these?

    1 Renaming wp-admin

    2 Renaming wp-content
    (I have heard some plugins won't work. Could I maybe just rename wp-content in the plugin code?)

    3 Moving wp-content or wp-uploads

    Thanks.

  2. What are the Pros and Cons of these?

    There are no pros about this but the con is that everything will break fantastically if you attempt to rename wp-admin.

    I'm sure I will regret asking... ;) What are you attempting to accomplish by renaming those directories?

  3. Brijesh
    Member
    Posted 3 months ago #

    Oops, I said I wanna rename wp-admin. My bad. Just wp-content. And maybe move (or even rename if possible) wp-uploads.

    My aim is to increase site security and prevent bot attacks.

    When it comes to securing a WP site most talk about renaming wp-content. So I was wondering whether it would be wise to proceed with it.

    To make it simple, I'd say I found out these:

    Pros
    1 Enhances security
    2 Prevents access to the uploads folder (www.yourdomain.com/wp-content/uploads/)

    Cons
    1 Future updates of WP will fail (procedure may have to be repeated every time an update is made.)
    2 Update of plugins will fail, etc.

  4. bemdesign
    Member
    Posted 3 months ago #

    Under normal server situations there are minimal security improvements by renaming WordPress folders - and you definitely don't want to rename the wp-admin folder! Renaming folders will also have no effect at all on automated bot attacks. The best solution to security is to use strong passwords, use SSL, keep your local machine secure and up to date, keep your server secure and up to date (including making sure WordPress is up to date and ensuring you're using good file permissions).

    All this being said, you can put the wp-content folder above the "root" site folder for further protection - see this: http://codex.wordpress.org/Editing_wp-config.php#Moving_wp-content_folder

    As far as protecting against bot attacks I would suggest not using an account named "admin", using a security plugin to limit login attempts and even using a .htaccess rewrite rule to put your login page under a different routing path than normal. There are some security plugins that can provide such capabilities such as this one.

  5. Brijesh
    Member
    Posted 3 months ago #

    Okay, this was helpful! Thanks so much.

  6. Edit: And my reply is late by an hour. ;)

    Give this a read about moving wp-content

    http://codex.wordpress.org/Editing_wp-config.php#Moving_wp-content_folder

    Just keep in mind that some themes and plugins are less compliant than others and they may break when you do this.

    My aim is to increase site security and prevent bot attacks.

    I was really afraid you'd reply with that. It's 100% not the case and doing that doesn't make anything more secure or get bots to not pound on your site. There are 2 separate items here.

    *Pulls out soapbox and gets on top*

    1. Security

    The security is inherent in the code that gets called and executed. Moving it or obscuring it doesn't accomplish anything because the code is still being executed and if it is prone to being exploited then that's the problem that needs to be addressed. Moving that code doesn't do anything at all for that.

    2. Denial of service

    Give this a read about the brute force options and suggestions on the security front.

    http://codex.wordpress.org/Brute_Force_Attacks

    For DDoS: The short of it is that WordPress is an application sitting on a web server and if that web server is flooded with requests then it will fall down. That's not something that an application can do or mitigate.

    Now at the server level you may be able to do something about that. You can use a CDN that includes automated tests to see if the request is via a Real Person™ before the request gets to your actual server. That's one way but what I'm getting at is that you need to have a strategy for dealing with those botnets at that level.

    Moving the wp-content isn't it because if the botnets detect WordPress (and there's lots of ways to do that) they'll hammer your site anyway even if you move things around that way.

    *Steps off of soapbox*

    But give that first link a read, it may do what you're attempting to accomplish. ;)

  7. Brijesh
    Member
    Posted 3 months ago #

    Edit: And my reply is late by an hour. ;)

    No problem. At least you replied.

    I was really afraid you'd reply with that.

    Haha... it is probably every WP newbie's question.

    Yes, I'm going to go through the complete 'hardening wp' guide. But I'm someone who always wants to go the extra mile. :)

    Thanks for all the tips and clarifications, Jan. They were really helpful.
