The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Hide part of URL?

Viewing 9 posts - 1 through 9 (of 9 total)

    #167115
    John
    Participant

    I installed WordPress in a sub directory (let’s say it’s in a folder called wordpress), moved the necessary files to the root.
    But when you have images on the site and you right click and view the image, you see the full URL. Like: http://www.mysite.com/wordpress/mypic.jpg
    What do I need to do to remove that part of the url from showing, so it should be like: http://www.mysite.com/mypic.jpg

    #167116
    __
    Participant

    actually put the image in the root…?

    You can’t “not show” the actual URL. If you provide a URL that is not the real URL, the browser won’t be able to find the image.

    #167117
    John
    Participant

    Just wondering how Chris Coyier does it. When I checked one of the images, it points to: http://cdn.css-tricks.com/wp-content/uploads/2014/03/ie8-table.png for example.
    Maybe he could do a screencast on wordpress security.

    #167118
    __
    Participant

    That’s a content delivery network – the image really is coming from there. It might not be that exact physical file path (I don’t know how he has it set up; I assume there is load balancing and other stuff going on), but the point is, that is the correct URL to ask for the image.

    I suppose you could use mod_rewrite to redirect image requests to somewhere else. But if there’s no need to do so, it’s just extra latency. Do you just want “pretty URLs” for your images? or is there some problem that needs to be solved?

    #167120
    John
    Participant

    Well I read this: http://premium.wpmudev.org/blog/how-to-change-the-default-wordpress-uploads-folder/
    Well it did change the folder name, but not sure how to drill it down one folder.
    This is what I have: define('UPLOADS', 'media');

    #167121
    __
    Participant

    okay… are you actually trying to change which directory you save the images in, or just what URL you use to retrieve them?

    #167122
    John
    Participant

    Yes I’m trying to change the directory that the media gets uploaded to through the dashboard. I was reading Digging into WordPress, and it says you should install WP in a sub folder like: root/wordpress
    Then move the index and I believe the .htaccess file to the root, then adjust the permalinks. I’ve already done this for my sister’s site, so I know how to do that.

    So if someone is trying to hack your site and is trying to get to the login page, they could just do http://www.mysite.com/wp-admin. But because WP is not in the root, they won’t get to the login page. But if you have images on your site, then they can see the folder that WP is installed in, because it would read like http://www.mysite.com/wordpress/mypic.jpg, and then they know where it’s located. So I’m trying to have the images uploaded into the root folder instead. Just for extra security for WP.

    I’ve had several attempts at people trying to get to the login page, but they don’t find it. I’ve also set the redirect so if they go to http://www.mysite.com/wp-admin, it redirects them to the 404 page. I do use a plugin for security and just block them. But I’m trying to add extra security. Hopefully this makes sense.

    #167144
    __
    Participant

    Ahh, I see. I don’t know anything about this specifically (I don’t use wordpress). I’m sure someone here could help you out with how to set it up in a subdirectory, though.

    What I can tell you, however, is that “Security through Obscurity” is not security at all.

    It is analogous to a homeowner leaving the rear door open, because it cannot be seen by a would-be burglar.

    wikipedia

    (Of course, it might confound stupid/casual attackers -I’ve had people pry my car door open without thinking to check if it was even locked in the first place, for example- but that doesn’t mean that “not knowing” it was unlocked offered any security.)

    With wordpress, it would be far more productive to:

    • keep updated with the most current version
    • don’t have a user #0 or #1 (if possible with WP, I don’t know)
    • use a passphrase instead of a password (8-10 words, not a quote, and use capitalization and punctuation)
    • keep up-to-date on WP security vulnerabilities
    • use only highly trusted/ thoroughly tested plugins (or, no plugins at all)
    • not allow file uploads (at all if possible; certainly never from publicly accessible pages)
    • keep all forms (except the login form, of course) on password-protected pages; make sure all forms use unique tokens to identify each submission (other security precautions are good too, but tokens are the most important safeguard)

    And look at your server as well:

    • run a current version of PHP (absolutely no less than 5.2 with the most recent security patches; should be 5.4 or better)
    • make sure magic_quotes_gpc, register_globals, safe_mode, and register_long_arrays are always turned off
    • do not use a shared host (use a private server, VPS, or “instance”-based service -e.g., AWS, linode, digital ocean- from a trusted provider)
    • [after setup] make sure your database user has limited permissions – should be INSERT + UPDATE only (I don’t know if this would break anything on WP, but I would hope it doesn’t. At the very least, the DB user should never have permissions like CREATE or DROP or user-related permissions. Ideally, the user would have only CALL permission, but I know that wouldn’t work with WP.)

    Another thing that would be good (but might not work with WP) would be to install everything not in a subdirectory, but in a directory “above” the document root, so it is completely inaccessible from the web. Make only the index page and static resources (images, stylesheets, scripts, etc.) available from the web.

    Something you might look at is which WP directories should never need to be accessed directly -i.e., only accessed internally by other WP scripts- and deny all web access to those directories.

    If you have any questions please ask, but I’m afraid I don’t have anything more WP-specific.

    edit

    final thought:

    I’ve also set the redirect so if they go to http://www.mysite.com/wp-admin, it redirects them to the 404 page.

    If you’re trying to confuse an attacker, don’t leave helpful error messages. If no legit user will ever go to /wp-admin to log in, then put a “dummy” login page there that only collects UA strings and IP addresses, bans them, and then returns a “wrong password, please try again” page.
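The per-submission form tokens recommended in the post above, as an added example in plain PHP that is not from the thread or from WordPress. Function names, the session key and the 15-minute lifetime are my own choices; it assumes PHP 7.1 or later for random_bytes() and nullable parameters.

```php
<?php
// Added example, not from the thread: one-time tokens for every form, kept
// server-side in the session. Names are hypothetical; assumes PHP >= 7.1.

const TOKEN_SESSION_KEY = 'form_tokens';
const TOKEN_TTL_SECONDS = 900;   // a token expires 15 minutes after issue

// Issue a fresh token for one named form and remember when it was issued.
function issue_form_token(array &$session, string $form_id): string
{
    $token = bin2hex(random_bytes(32));      // 256 random bits, unguessable
    $session[TOKEN_SESSION_KEY][$form_id][$token] = time();
    return $token;
}

// Validate and consume a submitted token: it must belong to this form, be
// unexpired, and is deleted on first use so a replayed submission fails.
function consume_form_token(array &$session, string $form_id, string $submitted, ?int $now = null): bool
{
    $now = $now ?? time();
    if (!isset($session[TOKEN_SESSION_KEY][$form_id])) {
        return false;
    }
    $bucket = &$session[TOKEN_SESSION_KEY][$form_id];
    foreach ($bucket as $token => $issued) {
        if ($now - $issued > TOKEN_TTL_SECONDS) {
            unset($bucket[$token]);          // purge stale tokens as we go
        }
    }
    foreach ($bucket as $token => $issued) {
        if (hash_equals((string) $token, $submitted)) {   // constant-time compare
            unset($bucket[$token]);          // one use only
            return true;
        }
    }
    return false;
}

// The hidden field to embed in the form; escape it even though it is hex.
function token_field(string $token): string
{
    return '<input type="hidden" name="_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Usage; in a real page $session would be $_SESSION after session_start().
$session = [];
$t = issue_form_token($session, 'contact');
echo token_field($t), "\n";
var_dump(consume_form_token($session, 'contact', $t));   // first use is accepted
var_dump(consume_form_token($session, 'contact', $t));   // a replay is rejected
var_dump(consume_form_token($session, 'profile', $t));   // wrong form is rejected
```

The token must be tied to the user's session (or cookie) as shown, not only to the form, otherwise a token issued to one visitor would validate for another.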

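The "dummy login page" from the final thought above, as an added example that is not from the thread or from WordPress: it records the client's IP and User-Agent, appends the IP to a ban file the real site can check, and answers every request with the same generic failure. The file paths and function names are hypothetical, and the data directory is assumed to sit outside the document root.

```php
<?php
// Added example, not from the thread: a decoy page served at /wp-admin where
// no legitimate user ever logs in. Paths below are hypothetical placeholders.

const BAN_FILE = '/var/lib/wp-honeypot/banned_ips.txt';   // hypothetical path
const HIT_LOG  = '/var/lib/wp-honeypot/hits.log';         // hypothetical path

// One log line per hit. The IP is taken from REMOTE_ADDR only: headers such
// as X-Forwarded-For are client-controlled unless a trusted proxy sets them.
function honeypot_record(array $server, int $now): string
{
    $ip = $server['REMOTE_ADDR'] ?? 'unknown';
    $ua = substr($server['HTTP_USER_AGENT'] ?? '', 0, 256);
    $ua = preg_replace('/[\r\n\t]/', ' ', $ua);   // keep the log one line per hit
    return sprintf("%s %s %s %s\n", gmdate('c', $now), $ip,
        $server['REQUEST_METHOD'] ?? '-', json_encode($ua));
}

// Exact-line match against the ban file; a missing file means nobody is banned.
function is_banned(string $ip, string $ban_file): bool
{
    if (!is_readable($ban_file)) {
        return false;
    }
    $lines = file($ban_file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    return in_array($ip, $lines, true);
}

// Append the IP once; only well-formed addresses are written to the file.
function ban_ip(string $ip, string $ban_file): void
{
    if (filter_var($ip, FILTER_VALIDATE_IP) && !is_banned($ip, $ban_file)) {
        file_put_contents($ban_file, $ip . "\n", FILE_APPEND | LOCK_EX);
    }
}

// Entry point for the decoy page.
file_put_contents(HIT_LOG, honeypot_record($_SERVER, time()), FILE_APPEND | LOCK_EX);
ban_ip($_SERVER['REMOTE_ADDR'] ?? '', BAN_FILE);

// Identical response whatever was submitted, so nothing hints that this is
// not the real login form.
http_response_code(200);
header('Content-Type: text/html; charset=utf-8');
echo '<p>Wrong username or password, please try again.</p>';
```

Addresses behind a shared NAT or proxy would ban legitimate visitors along with the attacker, so in practice entries in the ban file should expire rather than stay forever.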