Updated on Aug 16, 2019
Because of the open source nature of WordPress, anyone can look up the typical file structure of your WordPress site and find exactly where an attack can be started.
The good thing is that rearranging the core file structure of your WordPress site is a security method that can be employed in order to combat hackers and bolster your overall defenses. In this post, we will walk you through the two ways to customize your file structure both for Single and Multisite installs. Also, we will show you what code you need for bringing everything together.
Never forget that customizing your file structure can break your website quickly. Thus you need to be careful and create a backup. It will ensure that you can restore your WordPress site to its former working state in case something goes wrong. You can do a backup just for your files, but we recommend a complete backup that would help you restore anything. We have a tutorial on How to Backup Your WordPress Website that you can check.
In case your files cannot communicate with your database and display your website, there will be error messages with sensitive information printed on your site’s front-end. Getting rid of this can be quite helpful. It can be done by turning on error logging so that all issues are discreetly recorded in a log that can be accessed only by you.
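One way to set this up in wp-config.php, shown as an added example rather than code from the original article. The log path is a placeholder and assumes you have a directory outside the web root; a file path for WP_DEBUG_LOG is accepted from WordPress 5.1.

```php
<?php
// Added example for wp-config.php; place these lines above the
// "That's all, stop editing!" line.

// Weak setting, shown for comparison: errors are rendered into the page,
// where visitors can read file paths and database details.
// define( 'WP_DEBUG', true );
// define( 'WP_DEBUG_DISPLAY', true );

// Corrected setting: record errors, never print them on the front-end.
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_DISPLAY', false );
@ini_set( 'display_errors', '0' );

// Placeholder path (assumption): a file outside the web root, so the log
// cannot be fetched over HTTP. If WP_DEBUG_LOG is set to true instead,
// WordPress writes to wp-content/debug.log, which sits inside the web root.
define( 'WP_DEBUG_LOG', '/home/youruser/logs/wp-errors.log' );
```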
While on the subject of front-end errors, we should mention that reorganizing your file structure takes your website offline for a couple of minutes while the process is completed. This is why setting up a temporary redirect (302) is a good idea and would keep your site visitors (and search engines) happy while you are switching things up. You can check out our tutorial on domain redirects and how to set them up.
The first change to make is moving all except two files away from the root of your website to a different directory. Doing this would mean having to change the site’s URL from www.example.com to something like www.example.com/core-files/. However, it’s possible to keep your website’s address how it is while still migrating your files into a separate directory.
Your URL will make hackers assume that all files are located in your install’s root, but they would quickly realize that it’s not the case when they cannot hack your WordPress site. Since guessing where your files are would not be easy, they are most likely to stay untouched.
Start by creating a new directory in the root of your site. There are two ways to do this: through the cPanel file manager, or via FTP with a program like FileZilla.
To locate your site’s files in cPanel, you need to go to Files → File Manager after logging in. In the root, click the Folder button at the top of the page and enter the name of your new directory.
Make sure that you don’t give your new folder an obvious name (WordPress, wp-core, your site’s name, etc.). Think of a secure name that is not easily guessable, but clear enough for you. After creating the new folder and before moving any other files, you will need to update your WordPress address, which tells your website where the core files are located.
Log into your WordPress website if you have a single install and then go to Settings → General in the admin Dashboard. Add a slash at the end of your website’s address in the WordPress Address (URL) field. After the slash, you should put the name of the directory created by you. Do not include a trailing slash at the end.
When you are done, click on the button Save Changes. Now, your site should not be available, and you should not panic - it’s a normal part of the whole process.
In case you have a Multisite network, you will not be able to update your WordPress address from the admin Dashboard. For a Multisite network, you need to hard code the address in the wp-config.php file. This can also be done for a single installation, but please note that you will not be able to update the URL in the dashboard when you are ready.
Open the wp-config.php file and add these lines to the bottom of the page, but before the /* That's all, stop editing! Happy blogging. */ line:
define('WP_SITEURL', 'https://' . $_SERVER['SERVER_NAME'] . '/application');
define('WP_HOME', 'https://' . $_SERVER['SERVER_NAME']);
Make sure that you replace application with the name of the newly created folder. If your domain does not have an SSL certificate installed, you also have to replace the https part with http in both lines.
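A variant of the two lines above that checks the server-supplied host name against a fixed list before building URLs from it, as an added example and not code from the original article. The host names are placeholders, and application is the article's example folder name.

```php
<?php
// Added example for wp-config.php; place above the
// "That's all, stop editing!" line.

// Placeholder host names (assumption): list every domain this install,
// or each site of a Multisite network, is meant to answer for.
$allowed_hosts = array( 'www.example.com', 'example.com' );

// Depending on web server configuration, SERVER_NAME can follow the Host
// header sent with the request, so compare it to the list before using it.
// It is also unset when WordPress runs from the command line or cron.
$request_host = isset( $_SERVER['SERVER_NAME'] )
	? strtolower( $_SERVER['SERVER_NAME'] )
	: '';

// Fall back to the first listed host when the value is missing or unknown.
$host = in_array( $request_host, $allowed_hosts, true )
	? $request_host
	: $allowed_hosts[0];

// Use 'http' only if the domain has no SSL certificate installed.
$scheme = 'https';

// Core files live in the new folder; the public address stays at the root.
define( 'WP_SITEURL', $scheme . '://' . $host . '/application' );
define( 'WP_HOME', $scheme . '://' . $host );
```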
Afterward, save changes and ignore all error messages or your site’s unavailability for the time being. Now it’s time to move all core files.
When using cPanel, go back to the file manager and your site’s root. Select all the files and folders, except the new folder that you’ve just created. Once you can see them all highlighted, simply drag and drop them into the new directory.
Go into the new folder and select the .htaccess file. Click the button Copy at the top of the page and then edit the file path in the pop-up to reflect your install’s root. Click on Copy File(s).
If you do not see it on the list, you have to click on Settings at the top-right of the page and click on the checkbox to show all hidden files, then save. In case you see it in the root of your install, move it, as well as all other hidden files, to your new directory.
Once the .htaccess file has been copied back to its original location successfully, copy the index.php file exactly the same way.
For your site to reflect the new file path, you have to update your index.php file. Select the one you copied to the root of your WordPress site and click on the Edit button which is at the top of the page.
Find the following lines toward the bottom of the file:
/** Loads the WordPress Environment and Template */
require( dirname( __FILE__ ) . '/wp-blog-header.php' );
Change /wp-blog-header.php to include the new directory. For example, if you named the new folder application, the file path becomes /application/wp-blog-header.php.
Proceed with saving your changes and logging back into the dashboard of your site. The URL that you visit should include the new directory. Again, if the new directory is named application, you would have to visit www.example.com/application/wp-admin or www.example.com/application/wp-login.php.
Now go to Settings → Permalinks and click on Save Changes at the page’s bottom. This will update your .htaccess file automatically, so all posts on your site are still displayed when a user visits.