Give it a go on a couple of files and you will soon have your answer,
gakukaku.
You will have to globally modify all the php script references. It’s not a large task because apart from stripping the “wp-” from the file names, all you have to do is remove the leading “wp-” from all references to php files.
Beware though, that this will cause additional work every time there is a WordPress upgrade. Also, any plugins you want to use will need to be modified too.
In short, don’t do it unless you’re comfortable spending time modifying and debugging php code.
To remove the wp- prefix from files and directories will require non-trivial modifications to most of the core logic. You’d have to re-apply your changes with every upgrade.
New rule: Never ask Beel what would happen if I deleted my operating system files…
ongakukaku, a question to ask in return is, why do you want to do this?
Yeah, I don’t get the point of this, especially since none of the files are usually accessed by the public.
What about this:
Since WordPress is so popular, it’s pretty obvious what the login page is called for instance. You may not want (as a blog admin) to make it so easy for crackers to find your particular login page.
That would be one way of doing it. Same goes for all the admin pages too.
pizdin_dim: what you propose is security through obscurity, and engenders a false sense of security.
If you want to restrict access to your wp-login.php file, use .htaccess and HTTP basic auth. Or restrict access by IP address.
Ah, K, but renaming the file and changing back is not the same as restoring an operating system. No harm no foul, renaming is not deleting. π
“Is it safe to stick my finger in the light socket?”
“Try it and see. You’ll find the answer shocking.”
I change things all the time in WP to see if it’ll work as I want and put it back if it doesn’t (doesn’t everybody?). Back in the beta days I was renaming the files to test alternative files I had written. Changing back is then much easier than re-editing the original file that has been hacked. I still have files in my theme directory called commentsORIG.php, singleORIG.php, etc.
Skippy,
security through obscurity, and engenders a false sense of security.
How so? Care to elaborate?
For sure Beel, but stating that wouldn’t have been funny. ;)
Taking your money out of your wallet and hiding it in your mattress. It’s hidden, but not very secure – or in this case perhaps, from one mattress to another.
pizdin_dim, try this:
Rename all file/directories, then make the modifications in the source files, to remove the wp_ from everything.
Next, go to the login page. Uh, there just went your “security”.
Renaming the files doesn’t actually secure them. Someone can still guess the file names.
Even if you remane wp-login.php to something like xu-5h+4.php. WordPress still needs to know the login file name so that it can authenticate you. So, you rename your wp-login.php file. Joe BadGuy simply browses to yoursite.com/wp-admin/ — bingo, he’s redirected to your login page.
So, say you take the time to rename your entire wp-admin directory, and adjust the core WP code to suit. Do you ever log into your WordPress from a public computer; or from a public wireless network? There goes your security through obscurity, as anyone could be sniffing your traffic to record where you go.
And even these don’t really protect you. I assume you’re hoping to “hide” the fact that you’re running a WordPress blog, in order to hopefully deflect automated attacks against WordPress blogs. You’ll need to edit your RSS files, since they announce that they were generated by WordPress. And you’ll need to remove all mention of WordPress from all your template files.
And you’ll need to do this every time you upgrade.
It really doesn’t gain you any real security. In reality, yes, you are less likely to be attacked if you rename your files, because most auotmated attack tools are built to work on a specific target. But someone could easily write a script to try to load every single possible combination of letters and numbers, hoping to stumble upon your renamed login page.
Next, go to the login page. Uh, there just went your “security”.
Yes, that’s right. But only I will know the new page. Everyone else will be forced to guess. And that will deter the beginners.
That has been proven in the past and it’s still valid today.
Moderator
James Huff
(@macmanx)
Volunteer Moderator
Next, go to the login page. Uh, there just went your “security”.
How so? If you wish to proceed past the login page, you must still enter your username and password. I don’t see the “security” going anywhere. It seems to be quite functional.
