iThemes Security (formerly Better WP Security)
[Plugin: Better WP Security] Purpose of renaming wp-content? (10 posts)

  1. dukejames27
    Posted 3 years ago #

    I see information about how to rename the 'wp-content' directory and I know Better Wp Security has the option but I don't understand why.

    What is the purpose of hiding the 'wp-content' directory?

    Does renaming the folder help hide the fact that the site is using WordPress? When I enter http://domain.com/wp-content , I'm provided a blank page. Is this blank page a hint that it's using WordPress?



  2. As a lot of vulnerabilities are in known plugins and themes many bots look directly for the known files, typically in wp-content. Changing wp-content keeps these files away from such bots.

  3. dukejames27
    Posted 3 years ago #

    Thanks for the response bit51.

    If a bot can be used to scan for specific files within the "wp-content" directory, couldn't it also be used to scan for the same files throughout an entire site? If the files can indeed be pulled from "wp-content", what's preventing the bot from finding the same files within say, "/renamed-content"?


  4. Mcoroklo
    Posted 3 years ago #

    It is all about making the barrier higher. This will stop some automatic bots, but with the right skills and programs you can probably still figure out the renamed content.

    Often security is raising the barrier so high, people won't try :)

  5. dukejames27
    Posted 3 years ago #

    Thanks Mcorokio for the response!

    I can understand the security by obscurity. If a person can't find the directory, they may assume the site isn't using WordPress and move on. If they do figure that the site is using WordPress, the attacker may feel it's too difficult or not worth the time discovering what the 'wp-content' directory has been renamed too. And if the attacker really wanted to discover this, they would anyhow.

    I also think of it like hiding a wireless SSID. For a business I wouldn't bother because the broadcasting travels with the laptop. For a home, I might do it however it's still discoverable when in use.

    Thanks for the information!

  6. dukejames27
    Posted 3 years ago #

    That's odd, there's no "Resolved" checkbox at the bottom of the page. Anyhow, this is resolved.

  7. dukejames27
    Posted 3 years ago #

    When viewing the source of the homepage, I can easily see the name of the 'wp-content' folder however, I can also see the name of the theme.

    Since I can see the name of the theme, I could assume that one directory up is the renamed 'wp-content' directory.

    When the contact form plugin is activated, its path is listed. Perhaps other plugins would be displayed as well?

    Finally, I can see the following jquery line.


    I can see how renaming it is helpful against bot scans, but if I can figure out the renamed directory within 15 seconds of viewing the source, I can see how that's a security risk. I wonder if WordPress will do anything in the future to secure this information.

  8. Hi duke,

    The "resolved" is missing as I changed the status to "not a support question" meaning nothing is broken ;)

    One suggestion to help obscure your theme is to use a minifier such as w3 total cache. If you view the source of bit51.com you'll see what I mean.

  9. unavailable
    Posted 3 years ago #

    How do I restore the name "wp-content"? Thank you.

  10. unavailable
    Posted 3 years ago #

    Looks like I found the answer: Comment two new lines in wp-config.php

    Thank you :)

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic


No tags yet.