The Lodge is members-only design/dev videos and Office Hours.

Next Office Hours Session: "Implementing an SVG Icon System" Nov 30 - 6:00 PM Eastern

Installing wordpress in a subfolder to enhance security

  • # August 21, 2012 at 6:55 pm

    I want to install a wordpress blog to an existing site so that theURL of the blog can look something like this:

    But based on the recommendations for securing a wordpress site, I have installed wordpress in a sub folder of “blog” so it looks something like this:
    Then I copied the index.php and .htaccess files from “subfolder” into “blog” and changed the index.php file from:


    . . . to this:


    From my understanding, the reason for doing this is to make it difficult for “bad guys” to find the wordpress files. In other words I would have to login to wordpress via this URL:
    . . . instead of

    However I noticed that when I type the above path (
    it redirects to

    So the whole purpose of “protecting” my wordpress files is defeated. How do I prevent this redirection?


    # August 21, 2012 at 7:04 pm

    How is that more secure? Shouldn’t it be

    # August 21, 2012 at 7:09 pm

    I’m following the advice (security through obscurity) given in Chris Coyier’s book: Digging Into WordPress. There’s also more info about this in the codex:

    # August 24, 2012 at 1:07 am

    I wouldn’t worry about it. WordPress is pretty secure without doing crazy stuff like this ;)

    Something I like to do is move the wp-config.php file up a level so that it’s not in a publicly accessible directory, but if you’re installing WordPress in /blog anyway, moving it up a level means it’s still in a publicly available location.

    # August 24, 2012 at 12:12 pm

    Thanks Betzster, I decided not to stress over it anymore. On to literaly digging into wordpress : ) Lots to learn!

    # August 24, 2012 at 11:09 pm

    This reply has been reported for inappropriate content.

    The reasoning cited in the codex page you linked to (“not cluttering up the root directory”) makes for a good reason to move WP into its own folder, but “security” does not.

    “Security through Obscurity” (i.e., “hiding” things) is useless. In fact, it’s worse, because it gives people a false sense of security.

    If, on the other hand, you wanted to move WP above the site root, that would add to security. I don’t know enouogh about WP’s structure to say if that would cause any problems or not, but if you can safely move it to other directories, then it shouldn’t be problematic. You can achieve similar security by restricting access to whatever directory WP is in (e.g., via .htaccess).

    # February 20, 2013 at 9:33 pm

    The first thing I like to do with a new site is get up an index.html with the simple info like, title and description so that crawlers can grab some information in advance of site launch. Or if a client has a live site up, you can leave it there while you make a new one. So the sub folder is great for that and keeping the root clean.

    3 sites I’ve built in the last year have ended up with viagra all over them, so I don’t have evidence, but I like to put the WP in a rumblebumblecrazyblackmothrainbow type of style like Chris suggests now. It’s pretty easy(except that every time I do it I have a heart attack and mess it up) – so you might as well. I could easily search out folders on a server with key words like wordpress or wp and find those files, so that means people who really want to find them definitely can.

Viewing 7 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic.

There's a whole bunch of content on CSS-Tricks.

Search for Stuff   •   Browse the Archives

Get the Newsletter ... or get the RSS feed