Thanks to the open source nature of WordPress, anyone – including hackers – can look up the typical file structure of a WordPress website and know exactly where to start an attack.

Fortunately, rearranging your core WordPress file structure is one method you can employ from your security arsenal to combat hacks and bolster your site’s defenses.

So in this post, I’m going to walk you through two ways you can customize your file structure for single and Multisite installs, as well as show you the code you need to bring it all together.

Don’t forget: Our expert support heroes are ready and waiting – 24/7, rain or shine – to help you with any issues you may have along the way and for free!

All About That Backup

Since customizing your file structure can break your site in one swift move if you’re not careful, creating a backup ensures you can restore your site to its former glory in case things go south.

You can backup just your files only if you’re pressed for time, but an unabridged, brimming backup is best. You have been forewarned.

For details on how to backup your site, check out some of our other posts:

In the event that your files can’t communicate with your database to display your site, error messages are printed on the front end of your site with some sensitive information. It can be helpful to get rid of this by turning on error logging so any issues are discreetly printed in a log only you can access.

For details on how to disable front end error reporting and enabling your error log, check out our post Debugging WordPress: How to Use WP_DEBUG.

Speaking of front-end errors, re-organizing your file structure takes your site offline for a few minutes while you complete the process so setting up a temporary redirect (302) can help keep your visitors (and Google!) happy while you switch things up. You can check out our post Creating Redirects for WordPress (and the Best Plugins for the Job) for details on 302 redirects and how to set them up.

How to Change WordPress File Directory

  1. Creating a New Directory
  2. Updating the URL for Your Files
  3. Moving Your Files
  4. Editing Your Index Page
  5. Further Customizing Your File Structure

 

The first kind of change you can make is to move all but two files away from the root of your site to a separate directory. Typically, doing this means you would have to change your site’s URL from www.your-site.com to something similar to www.your-site.com/core-files/, but it’s possible to keep your site’s address the way it is while still moving your files into a directory.

Hackers would assume by your URL that all your files are located in the root of your install, but they quickly realize this isn’t the case when they aren’t able to hack your site. Since they won’t be able to easily guess where your files are located, they’re more likely to stay untouched.

1. Creating a New Directory

Start by creating a new directory in the root of your site. You can choose to do this with SSH and the command line, FTP with a program such as FileZilla or through your control panel’s file manager.

In cPanel, go to Files > File Manager after logging in and locate your site’s files. In the root, click the Folder button at the top of the page and enter a name for your new directory.

The new folder pop-up in cPanel.
Create a new directory for your core files in cPanel.

The idea here is to name your new folder in a way that isn’t obvious. For example, don’t name your new directory “wordpress,” “wp-core,” your site’s name or something similar. Try to pick a name that wouldn’t be easily guessable for hackers, but that’s still clear to you.

When you’re done, click Create New Folder. You should see it listed among your other files. Before you move any of your files, you need to update your WordPress address which tells your site where your core files are located.

2. Updating the URL for Your Files

Log in to your WordPress site if it’s a single install and go to Settings > General in your admin dashboard. Add a slash to the end of your site’s address in the WordPress Address (URL) field, followed by the name of the directory you created. Don’t add a trailing slash at the end.

The general settings page.
Change your WordPress Address to include your new directory.

Click Save Changes at the bottom of the page when you’re done. Your site should be unavailable now, but don’t panic since that’s a normal part of the process.

If you have installed a Multisite network, you won’t be able to update your WordPress address from your super admin dashboard. You need to hard code it into your wp-config.php file instead.

You could also choose to do this for single installations as well, but keep in mind that you won’t be able to update the URL in your dashboard afterward.

Open your wp-config.php file and add the following lines toward the bottom of the page, but before the /* That's all, stop editing! Happy blogging. */ line:

Loading gist 55b8b2148f7931895c565d134ca08ec4

Just be sure to replace application with the actual name of the folder you created. If your domain doesn’t have an SSL certificated installed, you also need to replace the https portion in both lines to http.

Save your changes and ignore any error messages or the general unavailability of your site for now. It’s time to move your core files.

3. Moving Your Files

In cPanel, go back to your file manager and the root of your site. select all your files and folders other than the new folder you just created a bit earlier. Once they’re all highlighted, drag and drop them into your new directory.

Files are dragged and dropped to the new directory.
Drag and drop all your core files into your new folder.

Go into that new folder and select your .htaccess file. Click the Copy button at the top of the page and edit the file path in the pop-up to reflect the root of your install. Click Copy File(s).

If you don’t see it on the list, click on Settings at the top right of the page and click the checkbox to show hidden files, then save. If you see it in the root of your install, move it and any other hidden files to your new directory.

Once your .htaccess file has been successfully copied back to its original location, copy your index.php file in the exact same way.

4. Editing Your Index Page

In order for your site to reflect your new file path, you need to update your index.php file. Select the one that you copied to the root of your site and click on the Edit button at the top of the page.

Find these lines toward the bottom of the file:

Loading gist b4d7bd9a78c23b3560bfc85d3dec4db7

Update /wp-blog-header.php to include your new directory. For example, if your new folder is called application, you would change the file path to this: /application/wp-blog-header.php.

Finishing Up

Save your changes and log back into your site’s dashboard. The URL you visit should include your new directory.

For example, if your new directory is called application, you would visit www.your-site.com/application/wp-admin or www.your-site.com/application/wp-login.php.

Go to Settings > Permalinks and click the Save Changes button at the bottom of the page. This updates your .htaccess file automatically so all your posts still display when a user visits them.

You can also check out the Giving WordPress Its Own Directory in the WordPress Codex if you would like some more information.

5. Further Customizing Your File Structure

If you really want to go all out and further customize the folder structure, you certainly can. You just need to add a bit of code to your wp-config.php file along the way.

There are a couple of critical rules you need to keep in mind before you go ahead any make any further customizations:

  1. You can’t move your wp-includes folder, other than in a new directory with all your files and folders as shown above.
  2. You can’t move your uploads folder. It must stay directly in the /wp-content/uploads/ folder path, but you can rename it.

Here are the folders you can further customize the locations of with some code:

  • wp-content
  • plugins
  • uploads (rename only)

When changing the wp-content or plugins folders, be sure to add the necessary code above the /* That's all, stop editing! Happy blogging. */ line.

You can create another folder just as you did earlier in the post and place your wp-content folder in it. Once you do that, edit your wp-config.php to include this code above the “happy blogging” line:

Loading gist a01605b9f61e417af3690d9b323686e4

Replace both instances of directory with the actual folder name you created to house the wp-content folder. Also, replace your-site.com with your real domain name. If you don’t have an SSL certificate installed, be sure to switch https on the second line with http.

You can also create a different directory to put your plugins folder inside. When you make that change, you can add this code to your wp-config.php file:

Loading gist 68c12e87629cd7ddc6d12f77ef845e8d

Be sure to replace new-folder in both lines with the actual name of the new folder you created. Also, don’t forget to update your-site.com with your real domain and change https to http if you don’t have an SSL certificate installed.

To rename the uploads folder, look below the “happy blogging” comment and find these two lines:

Loading gist af1875f77e628c0d619fe327e6a5d677

Above the require_once(ABSPATH . 'wp-settings.php'); line, add the following:

Loading gist 6b2f2fc7bd5c65d0e8e141748ea0bb96

Change media to whatever you want your uploads folder to be called. You should end up with something similar to this:

Loading gist b9f341a24459cf65823ea1d20be22dac

Save your wp-config.php file when you’re done. If you did decide to rename your uploads folder, now you need to update name the actual folder.

In cPanel, go to /wp-content/uploads and double click on your uploads folder on the list. You should be able to enter the same name you added to your wp-config.php file. Click Enter on your keyboard when you’re done.

Alternatively, you could select the folder name, then click on Rename at the top of the page and enter the new folder name in the pop-up.

The renaming file pop-up in cPanel.
Once you have updated your wp-config.php file, you can rename your uploads folder.

Click Rename File and your new uploads folder is ready to go.

Making More Ch-Ch-Ch-Changes

If you made your customizations correctly, you should be able to visit your site without entering a sub-directory and see everything displayed properly. You visitors and more importantly, hackers, won’t be able to tell that most of your core WordPress files aren’t located in the root of your site anymore.

For details on how you can make more changes to your wp-config.php file to boost your site’s security, check out one of our other posts How to Tweak wp-config.php to Protect Your WordPress Site.

You can also check out Generate WP to generate the code you need to enter into your wp-config.php file in order to change your file structure.

Do you plan on changing your file structure? What kind of tweaks do you prefer to make to your files to increase your site’s security? Share your experience in the comments below.

Tags: