Thanks to the open source nature of WordPress, anyone – including hackers – can look up the typical file structure of a WordPress website and know exactly where to start an attack.
Fortunately, rearranging your core WordPress file structure is one method you can employ from your security arsenal to combat hacks and bolster your site’s defenses.
So in this post, I’m going to walk you through two ways you can customize your file structure for single and Multisite installs, as well as show you the code you need to bring it all together.
All About That Backup
Since customizing your file structure can break your site in one swift move if you’re not careful, creating a backup ensures you can restore your site to its former glory in case things go south.
You can back up just your files if you’re pressed for time, but an unabridged, brimming backup is best. You have been forewarned.
In the event that your files can’t communicate with your database to display your site, error messages are printed on the front end of your site with some sensitive information. It can be helpful to get rid of this by turning on error logging so any issues are discreetly printed in a log only you can access.
For details on how to disable front-end error reporting and enable your error log, check out our post Debugging WordPress: How to Use WP_DEBUG.
Speaking of front-end errors, reorganizing your file structure takes your site offline for a few minutes while you complete the process so setting up a temporary redirect (302) can help keep your visitors (and Google!) happy while you switch things up. You can check out our post Creating Redirects for WordPress (and the Best Plugins for the Job) for details on 302 redirects and how to set them up.
Changing Your File Directory
The first kind of change you can make is to move all but two files away from the root of your site to a separate directory. Typically, doing this means you would have to change your site’s URL from http://www.your-site.com to something similar to http://www.your-site.com/core-files/, but it’s possible to keep your site’s address the way it is while still moving your files into a directory.
Hackers would assume by your URL that all your files are located in the root of your install, but they quickly realize this isn’t the case when they aren’t able to hack your site. Since they won’t be able to easily guess where your files are located, they’re more likely to stay untouched.
Creating a New Directory
In cPanel, go to Files > File Manager after logging in and locate your site’s files. In the root, click the Folder button at the top of the page and enter a name for your new directory.
The idea here is to name your new folder in a way that isn’t obvious. For example, don’t name your new directory “wordpress,” “wp-core,” your site’s name or something similar. Try to pick a name that wouldn’t be easily guessable for hackers, but that’s still clear to you.
When you’re done, click Create New Folder. You should see it listed among your other files. Before you move any of your files, you need to update your WordPress address which tells your site where your core files are located.
Updating the URL for Your Files
Log in to your WordPress site if it’s a single install and go to Settings > General in your admin dashboard. Add a slash to the end of your site’s address in the WordPress Address (URL) field, followed by the name of the directory you created. Don’t add a trailing slash at the end.
Click Save Changes at the bottom of the page when you’re done. Your site should be unavailable now, but don’t panic since that’s a normal part of the process.
If you have installed a Multisite network, you won’t be able to update your WordPress address from your super admin dashboard. You need to hard code it into your wp-config.php file instead.
You could also choose to do this for single installations as well, but keep in mind that you won’t be able to update the URL in your dashboard afterward.
Open your wp-config.php file and add the following lines toward the bottom of the page, but before the /* That's all, stop editing! Happy blogging. */ line:
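Lines of the kind this step describes, as an added example rather than the original post's code. WP_HOME and WP_SITEURL are the WordPress constants for the site address and the WordPress address; your-site.com and application are placeholders.

```php
// Added example: fragment for wp-config.php, placed above the
// "That's all, stop editing!" line.
// Placeholders: your-site.com (your domain), application (your new folder).

// Address visitors use: stays at the root, with no sub-directory.
define( 'WP_HOME', 'https://your-site.com' );

// Where the core files live: the root address plus the new folder,
// with no trailing slash.
define( 'WP_SITEURL', 'https://your-site.com/application' );
```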
Just be sure to replace application with the actual name of the folder you created. If your domain doesn’t have an SSL certificate installed, you also need to replace the https portion in both lines to
Save your changes and ignore any error messages or the general unavailability of your site for now. It’s time to move your core files.
Moving Your Files
In cPanel, go back to your file manager and the root of your site. Select all your files and folders other than the new folder you just created a bit earlier. Once they’re all highlighted, drag and drop them into your new directory.
Go into that new folder and select your .htaccess file. Click the Copy button at the top of the page and edit the file path in the pop-up to reflect the root of your install. Click Copy File(s).
If you don’t see it on the list, click on Settings at the top right of the page and click the checkbox to show hidden files, then save. If you see it in the root of your install, move it and any other hidden files to your new directory.
Once your .htaccess file has been successfully copied back to its original location, copy your index.php file in the exact same way.
Editing Your Index Page
In order for your site to reflect your new file path, you need to update your index.php file. Select the one that you copied to the root of your site and click on the Edit button at the top of the page.
Find these lines toward the bottom of the file:
/wp-blog-header.php to include your new directory. For example, if your new folder is called application, you would change the file path to this:
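The edit described above, as an added example that is not the original post's code. It assumes the stock index.php that ships with WordPress and uses application as a placeholder folder name.

```php
<?php
// Added example: the copy of index.php left in the site root.
// 'application' is a placeholder for the new folder's name.

/** Tells WordPress to load the theme and output it. */
define( 'WP_USE_THEMES', true );

// Before the move, the stock file loads the header from its own folder:
// require( dirname( __FILE__ ) . '/wp-blog-header.php' );

// After the move, point it at the new directory instead:
require( dirname( __FILE__ ) . '/application/wp-blog-header.php' );
```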
Save your changes and log back into your site’s dashboard. The URL you visit should include your new directory.
Go to Settings > Permalinks and click the Save Changes button at the bottom of the page. This updates your .htaccess file automatically so all your posts still display when a user visits them.
You can also check out the Giving WordPress Its Own Directory in the WordPress Codex if you would like some more information.
Further Customizing Your File Structure
If you really want to go all out and further customize the folder structure, you certainly can. You just need to add a bit of code to your wp-config.php file along the way.
There are a couple of critical rules you need to keep in mind before you go ahead and make any further customizations:
- You can’t move your wp-includes folder, other than in a new directory with all your files and folders as shown above.
- You can’t move your uploads folder. It must stay directly in the /wp-content/uploads/ folder path, but you can rename it.
Here are the folders you can further customize the locations of with some code:
- wp-content
- plugins
- uploads (rename only)
When changing the wp-content or plugins folders, be sure to add the necessary code above the /* That's all, stop editing! Happy blogging. */ line.
You can create another folder just as you did earlier in the post and place your wp-content folder in it. Once you do that, edit your wp-config.php to include this code above the “happy blogging” line:
Replace both instances of directory with the actual folder name you created to house the wp-content folder. Also, replace your-site.com with your real domain name. If you don’t have an SSL certificate installed, be sure to switch https on the second line with
You can also create a different directory to put your plugins folder inside. When you make that change, you can add this code to your wp-config.php file:
Be sure to replace new-folder in both lines with the actual name of the new folder you created. Also, don’t forget to update your-site.com with your real domain and change http if you don’t have an SSL certificate installed.
To rename the uploads folder, look below the “happy blogging” comment and find these two lines:
require_once(ABSPATH . 'wp-settings.php'); line, add the following:
media to whatever you want your uploads folder to be called. You should end up with something similar to this:
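How the end of wp-config.php could look with the wp-content, plugins and uploads changes from this section applied together, as an added example that is not the original post's code. The folder names directory, new-folder and media and the domain your-site.com are placeholders, and the filesystem paths assume the new folders sit beside wp-config.php.

```php
// Added example: fragment for the end of wp-config.php.
// Placeholders: directory, new-folder, media, your-site.com.
// Assumption: the new folders sit beside wp-config.php, so
// dirname( __FILE__ ) resolves to their parent folder.

// wp-content moved into "directory": filesystem path, then public URL.
define( 'WP_CONTENT_DIR', dirname( __FILE__ ) . '/directory/wp-content' );
define( 'WP_CONTENT_URL', 'https://your-site.com/directory/wp-content' );

// plugins moved into "new-folder": filesystem path, then public URL.
define( 'WP_PLUGIN_DIR', dirname( __FILE__ ) . '/new-folder/plugins' );
define( 'WP_PLUGIN_URL', 'https://your-site.com/new-folder/plugins' );

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', dirname( __FILE__ ) . '/' );
}

// Renamed uploads folder. The value is a path relative to ABSPATH.
// Assumption: wp-content itself is still in its default location here.
define( 'UPLOADS', 'wp-content/media' );

/** Sets up WordPress vars and included files. */
require_once( ABSPATH . 'wp-settings.php' );
```

WP_CONTENT_URL and WP_PLUGIN_URL are used to build the asset links in your pages' markup, so treat the folder names as visible to visitors rather than as secrets.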
Save your wp-config.php file when you’re done. If you did decide to rename your uploads folder, now you need to rename the actual folder.
In cPanel, go to /wp-content/uploads and double click on your uploads folder on the list. You should be able to enter the same name you added to your wp-config.php file. Click Enter on your keyboard when you’re done.
Alternatively, you could select the folder name, then click on Rename at the top of the page and enter the new folder name in the pop-up.
Click Rename File and your new uploads folder is ready to go.
Making More Ch-Ch-Ch-Changes
If you made your customizations correctly, you should be able to visit your site without entering a sub-directory and see everything displayed properly. Your visitors and, more importantly, hackers won’t be able to tell that most of your core WordPress files aren’t located in the root of your site anymore.
For details on how you can make more changes to your wp-config.php file to boost your site’s security, check out one of our other posts How to Tweak wp-config.php to Protect Your WordPress Site.
You can also check out Generate WP to generate the code you need to enter into your wp-config.php file in order to change your file structure.