• I’m thinking about giving WordPress its own directory, per the instructions here: https://codex.www.ads-software.com/Giving_WordPress_Its_Own_Directory

    However if giving WordPress its own directory doesn’t help at all with security, then I’d rather just not do it.

    You see, I’m apprehensive that it will make the migration from the development environment (on localhost) to the online environment more complicated (e.g. problems with media URLs) and that it might adversely affect SEO…

    Is all that trouble worth it? Does giving WordPress its own directory in fact help with security?

    If not, why do people do it?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Top two reasons to put WordPress in a subdirectory:
    (1) reduce clutter, and by extension the human errors associated with it, in the root directory;
    (2) makes it easy to replace one WordPress installation with another, simply by changing subdirectories.

    It also helps with security if you don’t name the subdirectory “wordpress” as hacker robots try /wp-admin/ and /wordpress/wp-admin/ first.

    In this post, I’m talking about the technique described in “Using a pre-existing subdirectory install” at the link you gave. In other words, the site looks, to the visitor, like it is in the root.

    Thread Starter Jim Reading

    (@gymreading)

    Thanks jon.

    Yes I understand that the site will look like it’s in the root.

    Yesterday, I tried putting WordPress in a subdirectory and ran into trouble. I also worry that when I try to migrate my finalized site from localhost, I’ll have too much weird stuff going on with images etc. if I use a subdirectory.

    If the only security a subdirectory adds is preventing bots from doing a “brute-force” or “dictionary” attack at wp-admin, I’d rather skip using a subdirectory.

    After all, I’m diligent about password security and I plan to take other security steps.

    …So am I correct in assuming that the only help the subdirectory provides is thwarting “brute-force” attacks from bots? …Or are there other things bots can do if they find my wp-admin page?

    Thanks for your insights.

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    If the only security a subdirectory adds is preventing bots from doing a “brute-force” or “dictionary” attack at wp-admin, I’d rather skip using a subdirectory.

    It doesn’t prevent a brute force attack, it’s just one way of hardening WordPress. If you want a full guide of hardening WordPress, see this article: https://codex.www.ads-software.com/Hardening_WordPress

    Thread Starter Jim Reading

    (@gymreading)

    Thanks andrew. You’re right, “prevent” isn’t the right word.

    What I meant was if the bot can’t find wp-admin (because it’s in a different folder than expected), it cannot launch a “brute force” attack.

    I’m guessing that is the only value of using the subdirectory: hiding wp-admin from a brute-force attack.

    Besides that, is there some other security value in using a subdirectory?

    (Btw, I looked at the link you posted, and I do plan to take other steps to secure the site…)

    There’s no extra security in using a sub-directory. The more clever bots will find out where WordPress is installed by scraping the site’s page source, and it’s pretty trivial to tell from a couple of links in there. As an example, just look for the folder where /wp-content/ is, and you’ve got your base that you can add /wp-login.php to quite easily. There are always bots that are not smart enough for that, but, like everything else, they are getting smarter as time goes on.

    As an example, I have several sites in sub-directories, and all of the public ones get hit with hack attempts just as much as sites that are all in root.
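Added example (not part of the thread and not any poster's code): a self-audit that parses a page's rendered HTML and reports which install path its own asset links reveal, which is the disclosure the reply above describes. The host name, the subdirectory name `site-x7`, the sample HTML and the helper name `disclosed_install_paths` are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Directories that WordPress core keeps directly under its install base.
MARKERS = ("/wp-content/", "/wp-includes/")

# Constructed sample of a front page served from the site root while
# WordPress itself lives in a renamed subdirectory.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://example.test/site-x7/wp-content/themes/demo/style.css">
<script src="/site-x7/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example.net/wp-content/lib.js"></script>
</head><body><a href="/about/">About</a>
<img src="https://example.test/site-x7/wp-content/uploads/2018/01/a.png">
</body></html>"""


class _LinkCollector(HTMLParser):
    """Collect every href/src attribute value found in the page."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)


def disclosed_install_paths(html, site_host):
    """Return the install-base paths that the page's own links give away."""
    collector = _LinkCollector()
    collector.feed(html)
    bases = set()
    for url in collector.urls:
        parts = urlparse(url)
        if parts.netloc and parts.netloc != site_host:
            continue  # third-party asset (CDN etc.), not this site's layout
        for marker in MARKERS:
            idx = parts.path.find(marker)
            if idx != -1:
                bases.add(parts.path[:idx] + "/")
    return bases


if __name__ == "__main__":
    for base in sorted(disclosed_install_paths(SAMPLE_HTML, "example.test")):
        print("install base visible in page source:", base)
```

A non-empty result for your own front page means the subdirectory name is public, so access controls on the login page have to carry the protection rather than the path.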

    Thread Starter Jim Reading

    (@gymreading)

    Thanks catacaustic.

  • The topic ‘Does giving WordPress its own directory add to SECURITY?’ is closed to new replies.