Home » Installation » Tutorial » WordPress

Move WordPress Core Files in Custom location to Protect from Hackers

Posted by Tanmay

Nowadays, the WordPress has become the best blogging platform and mostly used by people. But do you know that a lots of hackers are always trying to get into your WordPress system? They, generally use some SQL injection in your WordPress admin templates. Most of the blogger install the WordPress in the root directory and keep the whole things as it was at the time of installation. So hackers can easily know about all your WordPress core file location and try to break the WP security.

To prevent them from these peripheral, the best practice is to move your WordPress core files from the default location, so that any body can’t know about them. As a result, hackers will remain failure to perform any type of evil action with your blog.

The scenario starts here

At first, take a full backup of your WordPress blog to ensure that you can restore the stable state of your blog if any thing goes wrong with your site configuration.

Moving the core files

1. Log-in to your FTP and create a directory at as deep as you like. For instance the location may be

/public_html/example/data/some_directory/core

2. Download the followings from your current installation directory (generally /public_html/)
- wp-admin directory
- wp-includes directory
- wp-content directory

and all php files in the same folder like index.php, wp-config.php, wp-activate.php, wp-blog-header.php, wp-atom.php, wp-comments.php and so on. Also download the .HTACCESS file.

3. Upload all the files and directory that you’ve downloaded in the step 2  at  your desired location (/public_html/example/data/some_directory/core/). Wait for a while until the uploading process completes.

4. Don’t delete the existing directories, currently on your server. You can do it later.

Make a small change in your WordPress settings

Log-in to your WP admin area and go to Settings > General.  Now at “WordPress address url” field write down the complete url of the directory where you’ve uploaded the files in step 3. In this example the path should be http://www.techtipsgeek.com/example/data/somedirectory/core

5. Save the changes by clicking on the “Save changes” button.

6. Immediately after this, your blog home can be messed up and you will get some error massage. Don’t worry! Things are yet to complete.

7. Download the ‘index.php’ file from your root directory and open it with Notepad. Search for the line

require(‘./wp-blog-header.php’);

8. Change the above code as

require(‘./your_directory_path/wp-blog-header.php’);

As for this example the code should be

require(‘./example/data/some_directory/core/wp-blog-header.php’);

9. Upload the edited version of ‘index.php’ in the root drive over writing the existing one.

That’s all. You have successfully moved your WordPress core files in a custom location.

What will be my WordPress login link?

Further the old login link will not work. Your new login link would  be http://yourdomain/new_directory/wp-login.php. For instance the new login url is http://www.techtipsgeek.com/example/data/some_directory/core/wp-login.php.

Should I delete My old files from the root directory?

Well! once you’ve successfully moved the WordPress core files and your site is running properly, you can delete all the WordPress files from the root drive except the wp-content directory, ‘index.php’ and .HTACCESS file.

You should concentrate here

1. Do not delete the wp-content folder from its old location as it contains the folder “Upload” where the post images of your blog resides. Deleting that folder will make lost your post from their images. But if you want not to keep the wp-content folder in two locations as there exists another in the new location then you can host post images in a subdomain or update the previous post with the new image path. Both the method has been described in the article Host Images of WordPress Blog in a Subdomain for Better Speed.

2. Don’t publish the login link in your website so that any body can find again your WP core file location. Otherwise, all your labour will become meaningless.

Does your WordPress still reside at the root directory or in a different custom location? Share with us in the comment section.

Related content:

  1. 10 Things You Must Apply to Secure Your WordPress Blog
  2. 8 Things to do When Your WordPress Blog Sucks
  3. Install and Control Multiple Sites in WordPress 3.0
  4. Host Images of WordPress Blog in a Subdomain for Better Speed
  5. Set WordPress Trash to be Empty Automatically
This post was written by Tanmay

Reader Comments

  1. TechGopal

    nice trick
    i am sure after making this changes my site will become much safer from hackers ……..

  2. Tanmay

    @TechGopal: Definitely. The hackers need at least the source to hack you and you are hiding the source from them. Anyway thanks for commenting here.

  3. mrchuckles

    Very useful. Thanks for the clear explanations! I have a static website in my root, but have my WordPress in a subdirectory called “blog”. I’d like to get rid of the static website and keep the WP in “blog” but have anyone landing in the root automatically go the WP portion. Is that fairly easy?

  4. Tanmay

    @Mrchuckles: Yes you can do that by the .htaccess file in your root drive. If there exits no such file then create it by simple Notepad text and name it as .htaccess. In .htaccess file add the following code at the very first line:
    Options +FollowSymlinks
    rewritecond %{http_host} ^yourdomain.com [nc]
    rewriterule ^(.*)$ http://www.yourdomain.com/blog/$1 [L,r=301,nc]
    Change “yourdomain” with your domain name.Let me know if this solves your problem.
    Thank you for commenting here.

  5. mrchuckles

    Thanks for the suggestion. I tried it but didn’t have any luck. When I typed in http://www.mydomain.com it did not redirect to WordPress but rather landed my on my host’s splash page based on their default.html. It appears I need to create an index that points to my blog. When I typed http://www.mydomain.com/blog it gave me an internal server error.

    I appreciate your help but if you don’t want to mess with it I’ll figure it out eventually. I feel bad taking your time. Thanks though.

  6. Fail

    Um… you realise all of your posts like directly to your files and any hacker with 1% of a brain knows how to view the source of a website right?

  7. Ahmed

    i did that with my blog, but i my footer didn’t appear :s

    i have just copied the index.php + .htaccess, then i have edited my index.php to the directory of the core files and changed index location from WordPress settings

    this is .htaccess contain:

    # BEGIN WordPress

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index.php$ – [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    # END WordPress

    Thanks