Installing wordpress in a subfolder to enhance security

  • # August 21, 2012 at 6:55 pm

    I want to install a wordpress blog to an existing site so that the URL of the blog can look something like this:

    http://mydomain.com/blog

    But based on the recommendations for securing a wordpress site, I have installed wordpress in a sub folder of “blog” so it looks something like this:

    http://mydomain.com/blog/subfolder

    Then I copied the index.php and .htaccess files from “subfolder” into “blog” and changed the index.php file from:

    require('./wp-blog-header.php');

    . . . to this:

    require('./subfolder/wp-blog-header.php');

    From my understanding, the reason for doing this is to make it difficult for “bad guys” to find the wordpress files. In other words I would have to login to wordpress via this URL:

    http://mydomain.com/blog/subfolder/wp-admin/
    . . . instead of
    http://mydomain.com/blog/wp-admin/

    However I noticed that when I type the above path ( http://mydomain.com/blog/wp-admin/)
    it redirects to http://mydomain.com/blog/subfolder/wp-admin/

    So the whole purpose of “protecting” my wordpress files is defeated. How do I prevent this redirection?

    Thanks

    # August 21, 2012 at 7:04 pm

    How is that more secure? Shouldn’t it be blog.domain.com?

    # August 21, 2012 at 7:09 pm

    I’m following the advice (security through obscurity) given in Chris Coyier’s book: Digging Into WordPress. There’s also more info about this in the codex: http://codex.wordpress.org/Giving_WordPress_Its_Own_Directory

    # August 24, 2012 at 1:07 am

    I wouldn’t worry about it. WordPress is pretty secure without doing crazy stuff like this ;)

    Something I like to do is move the wp-config.php file up a level so that it’s not in a publicly accessible directory, but if you’re installing WordPress in /blog anyway, moving it up a level means it’s still in a publicly available location.

    # August 24, 2012 at 12:12 pm

    Thanks Betzster, I decided not to stress over it anymore. On to literally digging into wordpress : ) Lots to learn!

    # August 24, 2012 at 11:09 pm

    The reasoning cited in the codex page you linked to (“not cluttering up the root directory”) makes for a good reason to move WP into its own folder, but “security” does not.

    “Security through Obscurity” (i.e., “hiding” things) is useless. In fact, it’s worse, because it gives people a false sense of security.

    If, on the other hand, you wanted to move WP above the site root, that would add to security. I don’t know enough about WP’s structure to say if that would cause any problems or not, but if you can safely move it to other directories, then it shouldn’t be problematic. You can achieve similar security by restricting access to whatever directory WP is in (e.g., via .htaccess).
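
One way to apply the .htaccess restriction suggested in the post above, as an added example that is not part of the original thread or written by any participant. It assumes Apache 2.4 with `AllowOverride AuthConfig` enabled, the `blog/subfolder` layout from the first post, and a constructed placeholder address (`203.0.113.10`) standing in for the administrator's IP.

```apache
# ---------------------------------------------------------------
# File 1 (assumed path): blog/subfolder/.htaccess
# Place these rules outside WordPress's own "# BEGIN WordPress"
# block so that WordPress does not overwrite them.
# ---------------------------------------------------------------

# Only the administrator's address may reach the login form.
# 203.0.113.10 is a constructed placeholder (documentation range).
<Files "wp-login.php">
    Require ip 203.0.113.10
</Files>

# wp-config.php holds database credentials and secret keys.
# PHP includes it from disk, so it never needs to be served over HTTP.
<Files "wp-config.php">
    Require all denied
</Files>

# ---------------------------------------------------------------
# File 2 (assumed path): blog/subfolder/wp-admin/.htaccess
# ---------------------------------------------------------------

# Restrict the whole admin directory to the same address.
Require ip 203.0.113.10

# Themes and plugins call admin-ajax.php from public pages, so it has
# to stay reachable. A <Files> section is merged after the directory
# level rule and, with the default "AuthMerging Off", replaces it.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

With these rules the redirect from /blog/wp-admin/ to /blog/subfolder/wp-admin/ can still happen, but the destination answers 403 Forbidden to every address other than the allowed one, so the protection no longer depends on the folder name staying secret.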

    # February 20, 2013 at 9:33 pm

    The first thing I like to do with a new site is get up an index.html with the simple info like, title and description so that crawlers can grab some information in advance of site launch. Or if a client has a live site up, you can leave it there while you make a new one. So the sub folder is great for that and keeping the root clean.

    3 sites I’ve built in the last year have ended up with viagra all over them, so I don’t have evidence, but I like to put the WP in a rumblebumblecrazyblackmothrainbow type of style like Chris suggests now. It’s pretty easy (except that every time I do it I have a heart attack and mess it up) – so you might as well. I could easily search out folders on a server with key words like wordpress or wp and find those files, so that means people who really want to find them definitely can.
