If you install the content of WordPress in another path (not wp-content), the ErrorDocument or Plugin Exploit Rules don’t apply.
It is not recommended that you change the wp-content folder path since trying to hide things will never be a real security measure. It would be a very simple thing to find the new wp-content folder name so there is really no point in changing the wp-content folder name at all.
The most effective security approach is an Action Security Approach based on bad actions.
bad hacker X does bad action Y and Z is the result = Forbidden/blocked/etc.
BPS uses WordPress Constants for the wp-content directory/folder WP_CONTENT_DIR and all other WordPress directories/folders. If you are doing some other method of hiding the wp-content folder that is not using a WordPress Constant then BPS will not be able to detect that directory/folder location. You should always use WordPress Constants if you are going to change the normal/standard WordPress structure/architecture.
If you are using WordPress Constants and you use the BPS AutoMagic buttons then BPS will find and write the correct new folder name/path that you have created for your wp-content folder.
Perhaps I’m not being very clear. I have already used WP_CONTENT_DIR in wp-config.php, but when I use the BPS AutoMagic buttons the secure.htaccess in bulletproof-security\admin\htaccess contains “wp-content” instead of WP_CONTENT_DIR, e.g. in the ErrorDocument or Plugin Exploit Rules.
Oh OK, now I understand what you are saying. Yes, you are correct that file does contain the literal “wp-content” folder name. It is only a demo/temporary file. When you use/click the AutoMagic buttons that demo/temporary file is overwritten with your actual website’s real information.
If clicking the Create secure.htaccess file button does not overwrite this demo/temporary file then there is a permissions or Ownership issue/problem going on where BPS is not allowed to write to this file due to file permission or Ownership restrictions on your Server. Check the Edit/Upload/Download page and you should see this – File Open and Write test successful! The secure.htaccess file is writable. If you see an error saying that the file is not writable then post that error.
But I don’t think so, because I can see the literal “wp-content” in “options.php”. I think that this is the reason why it doesn’t work for me, e.g. logging 403 errors.
I checked it (Edit/Upload/Download page) and I can see this: “File Open and Write test successful!”.
Oh yeah actually you are correct. We left wp-content in those particular .htaccess file writing areas for some reason. I believe it caused the write process to break for everyone else who is using the standard/normal WordPress wp-content folder path/name. You will need to manually change this in your root .htaccess file.
Thanks, but I suppose that this bug will be solved in the next release.
We will have to add an additional option for folks who have decided to change their wp-content folder name so that this does not break everyone else’s websites during the .htaccess file writing process. 😉 This is the only area in BPS where we are using the literal wp-content path. Everywhere else the WP_CONTENT_DIR constant is used.
Actually this has been completed by someone already. It will be added/included in BPS .48.4.
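One way to check a root .htaccess for directives that still use the literal wp-content path after WP_CONTENT_DIR has been changed, which is the manual fix described above. This is an added example, not part of the original thread and not BPS code; the function names are hypothetical and the sample wp-config.php and .htaccess contents are constructed.

```python
import re

# Constructed samples: not taken from the thread and not the rules BPS writes.
SAMPLE_WP_CONFIG = """<?php
define('WP_CONTENT_DIR', dirname(__FILE__) . '/assets');
define('WP_CONTENT_URL', 'https://example.com/assets');
"""
SAMPLE_HTACCESS = """\
# ErrorDocument 403 /wp-content/old-commented-rule.php
ErrorDocument 403 /wp-content/plugins/example-plugin/403.php
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/example-plugin/ [NC]
RewriteRule . - [S=1]
RewriteCond %{REQUEST_URI} ^/assets/uploads/ [NC]
"""

DEFINE_RE = re.compile(r"define\(\s*['\"]WP_CONTENT_DIR['\"]\s*,\s*(?P<expr>.+?)\)\s*;", re.S)
LITERAL_RE = re.compile(r"['\"]([^'\"]+)['\"]")


def content_dir_name(wp_config_text):
    """Folder name WP_CONTENT_DIR points at; 'wp-content' when the constant is not defined."""
    match = DEFINE_RE.search(wp_config_text)
    if not match:
        return "wp-content"
    literals = LITERAL_RE.findall(match.group("expr"))
    if not literals:
        return None  # value is computed at runtime; cannot be read statically
    return literals[-1].rstrip("/").rsplit("/", 1)[-1]


def stale_lines(htaccess_text, dir_name):
    """(line number, directive) pairs that still use the literal wp-content path."""
    if dir_name in (None, "wp-content"):
        return []  # standard layout or unknown name: nothing to compare against
    hits = []
    for number, line in enumerate(htaccess_text.splitlines(), 1):
        directive = line.strip()
        if directive.startswith("#"):
            continue  # comments do not affect request handling
        if re.search(r"(?<![\w-])wp-content(?![\w-])", directive):
            hits.append((number, directive))
    return hits


if __name__ == "__main__":
    name = content_dir_name(SAMPLE_WP_CONFIG)
    for number, directive in stale_lines(SAMPLE_HTACCESS, name):
        print(f"line {number}: still references wp-content (expected {name}): {directive}")
```

Each flagged directive is one where a 403 ErrorDocument or a plugin rule points at a path that no longer exists on the site, so it should be edited to the renamed folder.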
I actually just created a forum account to ask a question along similar lines to this. I installed Better WP Security and used the change wp-content folder option (unfortunately no option given to undo). After searching for posts and articles about whether that was a feature that was worth the complications, with no results, this answers my question. Thanks. 🙂 Luckily I did find a way to (hopefully) manually undo the change. For anyone else who needs to do this the link is here:
Luckily I haven’t actually added any content on this install yet.
Great thanks! The whole concept of hiding/changing the wp-content folder name is silly because if a cURL scan is done on the site searching for a bit of code that has a known vulnerability or exploit then whatever the new name for the wp-content folder is will be displayed in that cURL scan. Silly. 😉
- The topic ‘wp-content in htaccess’ is closed to new replies.