How to Change Your WordPress File and Directory Structure

Thanks to the open source nature of WordPress, anyone – including hackers – can look up the typical file structure of a WordPress website and know exactly where to start an attack.

Fortunately, rearranging your core WordPress file structure is one method you can employ from your security arsenal to combat hacks and bolster your site’s defenses.

So in this post, I’m going to walk you through two ways you can customize your file structure for single and Multisite installs, as well as show you the code you need to bring it all together.


All About That Backup

Since customizing your file structure can break your site in one swift move if you’re not careful, creating a backup ensures you can restore your site to its former glory in case things go south.

You can back up just your files if you’re pressed for time, but an unabridged, brimming backup is best. You have been forewarned.

For details on how to back up your site, check out some of our other posts:

In the event that your files can’t communicate with your database to display your site, error messages are printed on the front end of your site with some sensitive information. It can be helpful to get rid of this by turning on error logging so any issues are discreetly printed in a log only you can access.

For details on how to disable front-end error reporting and enable your error log, check out our post Debugging WordPress: How to Use WP_DEBUG.

Speaking of front-end errors, reorganizing your file structure takes your site offline for a few minutes while you complete the process so setting up a temporary redirect (302) can help keep your visitors (and Google!) happy while you switch things up. You can check out our post Creating Redirects for WordPress (and the Best Plugins for the Job) for details on 302 redirects and how to set them up.

Changing Your File Directory

The first kind of change you can make is to move all but two files away from the root of your site to a separate directory. Typically, doing this means you would have to change your site’s URL from www.your-site.com to something similar to www.your-site.com/core-files/, but it’s possible to keep your site’s address the way it is while still moving your files into a directory.

Hackers would assume by your URL that all your files are located in the root of your install, but they quickly realize this isn’t the case when they aren’t able to hack your site. Since they won’t be able to easily guess where your files are located, they’re more likely to stay untouched.

Creating a New Directory

Start by creating a new directory in the root of your site. You can choose to do this with SSH and the command line, FTP with a program such as FileZilla or through your control panel’s file manager.

In cPanel, go to Files > File Manager after logging in and locate your site’s files. In the root, click the Folder button at the top of the page and enter a name for your new directory.

Create a new directory for your core files in cPanel.

The idea here is to name your new folder in a way that isn’t obvious. For example, don’t name your new directory “wordpress,” “wp-core,” your site’s name or something similar. Try to pick a name that wouldn’t be easily guessable for hackers, but that’s still clear to you.

When you’re done, click Create New Folder. You should see it listed among your other files. Before you move any of your files, you need to update your WordPress address which tells your site where your core files are located.

Updating the URL for Your Files

Log in to your WordPress site if it’s a single install and go to Settings > General in your admin dashboard. Add a slash to the end of your site’s address in the WordPress Address (URL) field, followed by the name of the directory you created. Don’t add a trailing slash at the end.

Change your WordPress Address to include your new directory.

Click Save Changes at the bottom of the page when you’re done. Your site should be unavailable now, but don’t panic since that’s a normal part of the process.

If you have installed a Multisite network, you won’t be able to update your WordPress address from your super admin dashboard. You need to hard code it into your wp-config.php file instead.

You could also choose to do this for single installations as well, but keep in mind that you won’t be able to update the URL in your dashboard afterward.

Open your wp-config.php file and add the following lines toward the bottom of the page, but before the /* That's all, stop editing! Happy blogging. */ line:

Just be sure to replace application with the actual name of the folder you created. If your domain doesn’t have an SSL certificate installed, you also need to replace the https portion in both lines with http.

Save your changes and ignore any error messages or the general unavailability of your site for now. It’s time to move your core files.

Moving Your Files

In cPanel, go back to your file manager and the root of your site. Select all your files and folders other than the new folder you created earlier. Once they’re all highlighted, drag and drop them into your new directory.

Drag and drop all your core files into your new folder.

Go into that new folder and select your .htaccess file. Click the Copy button at the top of the page and edit the file path in the pop-up to reflect the root of your install. Click Copy File(s).

If you don’t see it on the list, click on Settings at the top right of the page and click the checkbox to show hidden files, then save. If you see it in the root of your install, move it and any other hidden files to your new directory.

Once your .htaccess file has been successfully copied back to its original location, copy your index.php file in the exact same way.

Editing Your Index Page

In order for your site to reflect your new file path, you need to update your index.php file. Select the one that you copied to the root of your site and click on the Edit button at the top of the page.

Find these lines toward the bottom of the file:

Update /wp-blog-header.php to include your new directory. For example, if your new folder is called application, you would change the file path to this: /application/wp-blog-header.php.

Finishing Up

Save your changes and log back into your site’s dashboard. The URL you visit should include your new directory.

For example, if your new directory is called application, you would visit www.your-site.com/application/wp-admin or www.your-site.com/application/wp-login.php.

Go to Settings > Permalinks and click the Save Changes button at the bottom of the page. This updates your .htaccess file automatically so all your posts still display when a user visits them.

You can also check out Giving WordPress Its Own Directory in the WordPress Codex if you would like some more information.


Further Customizing Your File Structure

If you really want to go all out and further customize the folder structure, you certainly can. You just need to add a bit of code to your wp-config.php file along the way.

There are a couple of critical rules you need to keep in mind before you go ahead and make any further customizations:

  1. You can’t move your wp-includes folder, other than in a new directory with all your files and folders as shown above.
  2. You can’t move your uploads folder. It must stay directly in the /wp-content/uploads/ folder path, but you can rename it.

Here are the folders you can further customize the locations of with some code:

  • wp-content
  • plugins
  • uploads (rename only)

When changing the wp-content or plugins folders, be sure to add the necessary code above the /* That's all, stop editing! Happy blogging. */ line.

You can create another folder just as you did earlier in the post and place your wp-content folder in it. Once you do that, edit your wp-config.php to include this code above the “happy blogging” line:

Replace both instances of directory with the actual folder name you created to house the wp-content folder. Also, replace your-site.com with your real domain name. If you don’t have an SSL certificate installed, be sure to switch https on the second line with http.

You can also create a different directory to put your plugins folder inside. When you make that change, you can add this code to your wp-config.php file:

Be sure to replace new-folder in both lines with the actual name of the new folder you created. Also, don’t forget to update your-site.com with your real domain and change https to http if you don’t have an SSL certificate installed.

To rename the uploads folder, look below the “happy blogging” comment and find these two lines:

Above the require_once(ABSPATH . 'wp-settings.php'); line, add the following:

Change media to whatever you want your uploads folder to be called. You should end up with something similar to this:

Save your wp-config.php file when you’re done. If you did decide to rename your uploads folder, you now need to rename the actual folder.

In cPanel, go to /wp-content/uploads and double click on your uploads folder on the list. You should be able to enter the same name you added to your wp-config.php file. Click Enter on your keyboard when you’re done.

Alternatively, you could select the folder name, then click on Rename at the top of the page and enter the new folder name in the pop-up.

Once you have updated your wp-config.php file, you can rename your uploads folder.

Click Rename File and your new uploads folder is ready to go.
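
How the wp-config.php changes from both parts of this post fit together, as an added example rather than the article's own snippets. The names application, directory, new-folder, media and your-site.com are the article's placeholders, and the example assumes the extra folders were created inside application, next to wp-config.php.

```php
<?php
// wp-config.php (excerpt), stored inside the relocated core folder "application".
// Added example: folder names and domain are placeholders, not real values.
// The copy of index.php left in the site root then loads WordPress with:
//   require( dirname( __FILE__ ) . '/application/wp-blog-header.php' );

// Where the core files live versus the address visitors type.
define( 'WP_SITEURL', 'https://your-site.com/application' ); // no trailing slash
define( 'WP_HOME',    'https://your-site.com' );

// Relocated wp-content. ABSPATH is not defined yet at this point in the file,
// so the filesystem path is built from this file's own location.
define( 'WP_CONTENT_DIR', dirname( __FILE__ ) . '/directory/wp-content' );
define( 'WP_CONTENT_URL', 'https://your-site.com/application/directory/wp-content' );

// Relocated plugins folder.
define( 'WP_PLUGIN_DIR', dirname( __FILE__ ) . '/new-folder/plugins' );
define( 'WP_PLUGIN_URL', 'https://your-site.com/application/new-folder/plugins' );

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', dirname( __FILE__ ) . '/' );
}

// Renamed uploads folder. UPLOADS is resolved relative to ABSPATH, so it has
// to repeat the relocated wp-content path (assumption of this example).
define( 'UPLOADS', 'directory/wp-content/media' );

/** Sets up WordPress vars and included files. */
require_once( ABSPATH . 'wp-settings.php' );
```

Hard-coding the host, rather than reading it from $_SERVER, keeps these URLs independent of request headers.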

Making More Ch-Ch-Ch-Changes

If you made your customizations correctly, you should be able to visit your site without entering a sub-directory and see everything displayed properly. Your visitors and, more importantly, hackers won’t be able to tell that most of your core WordPress files aren’t located in the root of your site anymore.
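
To see what the rendered HTML still discloses after the move, scan a page for the path that precedes well-known WordPress files. This is an added example, not code from the article; the HTML sample, the theme name and the function name exposed_core_prefixes are constructed for illustration.

```php
<?php
// Added example: report which directory prefixes a rendered page exposes
// in front of well-known WordPress paths.

/**
 * Return the URL path prefixes that precede WordPress core markers
 * in src/href attributes of $html, with a reference count per prefix.
 */
function exposed_core_prefixes( string $html ): array {
	$markers = '(?:wp-includes|wp-admin|wp-content|wp-login\.php|xmlrpc\.php)';
	$found   = array();

	// Collect every src="..." / href="..." attribute value.
	if ( ! preg_match_all( '/\b(?:src|href)\s*=\s*["\']([^"\']+)["\']/i', $html, $m ) ) {
		return $found;
	}
	foreach ( $m[1] as $url ) {
		$path = parse_url( html_entity_decode( $url ), PHP_URL_PATH );
		if ( ! is_string( $path ) ) {
			continue; // malformed URL or no path component
		}
		// Capture everything before the first core marker segment.
		if ( preg_match( '#^(.*?)/' . $markers . '(?:/|$)#', $path, $hit ) ) {
			$prefix           = $hit[1] === '' ? '/' : $hit[1];
			$found[ $prefix ] = ( $found[ $prefix ] ?? 0 ) + 1;
		}
	}
	arsort( $found ); // most frequently referenced prefix first
	return $found;
}

// Constructed sample of a page's <head>, using the article's placeholder names.
$sample = <<<'HTML'
<link rel="stylesheet" href="https://your-site.com/application/directory/wp-content/themes/example/style.css?ver=1">
<script src="https://your-site.com/application/wp-includes/js/jquery/jquery.js"></script>
<link rel="pingback" href="https://your-site.com/application/xmlrpc.php">
<a href="https://your-site.com/about/">About</a>
HTML;

foreach ( exposed_core_prefixes( $sample ) as $prefix => $count ) {
	printf( "%-28s %d reference(s)\n", $prefix, $count );
}
```

Run it against the saved source of your own front page; any prefix it prints is a directory name that visitors can read from the markup.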

For details on how you can make more changes to your wp-config.php file to boost your site’s security, check out one of our other posts How to Tweak wp-config.php to Protect Your WordPress Site.

You can also check out Generate WP to generate the code you need to enter into your wp-config.php file in order to change your file structure.

Jenni McKinnon
Do you plan on changing your file structure? What kind of tweaks do you prefer to make to your files to increase your site's security? Share your experience in the comments below.

19 Responses

  • The Exporter

    Thanks Jenni I will check it out if it will work on Multi sites.
    There is also a plugin called https://wordpress.org/plugins/wp-hide-security-enhancer/
    but could not get it working on Multisites and still major file directories are actually still there with their real names. A combination of the way you proposed and what this plugin is doing would be great. Unlimited Branding unfortunately can’t do anything in that field as it is not at all unlimited as the name says. After using that plugin your site will still be recognised as a WordPress site.

    https://premium.wpmudev.org/forums/topic/wp-hide-and-security-enhancer-plugin-on-multisites-experiences?replies=1#post-1123349

    I asked it in a new discussion concerning that plugin

    • Support Gorilla

      Hi Andi!

      The WP Hide & Security Enhancer plugin hasn’t been tested in a Multisite environment, according to its author (I found that information on the plugin’s support forum). This means that it doesn’t officially support Multisite and it may but also may not work. I see you asked about it already on our “Members” forum so hopefully some WPMU DEV members were able to make it work :)

      The Ultimate Branding plugin is not a security plugin but – as the name suggests – the “branding” plugin. It’s not capable of changing WP directory and file structure by design.

      Best regards,
      Adam

  • The Exporter

    Hi Jenni

    In a multisite where you have installed the domain mapping plugin your setting won’t work.
    You would need to add the following to your wp-config.php

    define( 'WP_CONTENT_DIR', 'PathToWP-CONTENT' );
    here you only need to add the path without any http://domain.tld!!!

    i.e. define( 'WP_CONTENT_DIR', 'my/path/to/wp-content' );
    when the complete path is https://mydomain.tld/my/path/to/wp-content

  • The Exporter

    If people have installed plugins which write into .htaccess path segments then they need to change them also there!

    Example:

    # BEGIN Adaptive Images
    #=======================

    RewriteEngine On

    # Watched directories
    RewriteCond %{REQUEST_URI} /onepage/wp-content/uploads [OR]
    RewriteCond %{REQUEST_URI} /onepage/wp-content/themes

    # Redirect images through the adaptive images script
    RewriteRule \.(?:jpe?g|gif|png)$ /onepage/wp-content/plugins/adaptive-images/adaptive-images-script.php [L]

    need to be

    # BEGIN Adaptive Images
    #=======================

    RewriteEngine On

    # Watched directories
    RewriteCond %{REQUEST_URI} /onepage/NEW-wp-content-path/uploads [OR]
    RewriteCond %{REQUEST_URI} /onepage/NEW-wp-content-path/themes

    # Redirect images through the adaptive images script
    RewriteRule \.(?:jpe?g|gif|png)$ /onepage/NEW-wp-content-path/plugins/adaptive-images/adaptive-images-script.php [L]

  • The Exporter

    Here are some testing tools which we recommend also to our customers to check WordPress sites and compare them, i.e. with our services. In our opinion they should not believe what agencies and developers make them believe until they have really checked their results. So beside GTMetrix and other tools for speeding up websites and tools to check the SEO value of a site, another important thing – probably the most important at all – is the site’s security! The following tools can help you do it and your customers actually will be happy to check it too and for sure they will give you feedback :-)

    http://wprecon.com/
    https://hackertarget.com/ You can pay their monthly fees or if you have your own server run the mentioned tools on your own server.

    Here the most important ones:
    http://www.openvas.org/
    https://cirt.net/nikto2/
    http://sqlmap.org/
    https://nmap.org/
    Attention the following looks the same but provides only older versions!
    http://insecure.org/

    All those scripts mentioned on the hackertarget.com website without any links to sources are actually included in Nmap.
    (The current version is 7.12 while writing this on 2016-08-06!)

    Many tools mentioned on Nmap.org are already pretty old and seem to be not maintained but most of them still work just fine for their purpose.

    WARNING: If you have no idea how to run a dedicated server by yourself better pay the bucks at hackertarget.com and let others do the job for you.

    By the way it would be a great addition if also WPMUDEV could provide those tools. It would increase the value of WPMUDEV Membership even much more!

    Andi

  • The Incredible Code Injector

    This worked fine on a single wp install but I have issues with one multisite, when I try to go to a sub site on my network from the main site by using the link on top “My Sites”, all sub sites do not include the new directory name, only the main site does, when I click any of the sub links I am taken to an error page, or to the old admin address eg: sub.site.com/wp-admin. This issue also includes the link to the network admin panel.

    Also, when I add the directory name into the url (sub.site.com/newdir/wp-admin) the admin panel is all messed up, seems as the connection is not correct somewhere.

    I did try Andi’s suggestions here above but it didn’t work either, it only prints the path to the header for everyone to see where the wp install is hidden!

    define( 'WP_CONTENT_DIR', 'PathToWP-CONTENT' );
    here you only need to add the path without any http://domain.tld!!!

    i.e. define( 'WP_CONTENT_DIR', 'my/path/to/wp-content' );
    when the complete path is https://mydomain.tld/my/path/to/wp-content

    This is a new install with a few empty sub sites. The domain mapping plugin is installed and active.

    As I believe I followed these instructions carefully and read them more than twice, to try to figure out what might be the issue, I wonder if anyone has an idea how to fix this mess?

  • The Incredible Code Injector

    Has anyone got this to work?

    I wonder if Jenni did this or just gathered the info onto an excellent article?

    I’ve spent all day trying to get this to work on my XAMPP localhost with a brand new multisite install, not one but 2! Some parts of it work while others don’t! Already tried with a live site which I had to restore from a backup.

    Either the “application” was not added into the URLs or the subdomain has all kinds of connection issues which break the site, some plugins won’t install:

    Installation of Ad Widget failed. Most likely reason for this are wrong folder permissions of your wp-contents folder.
    Installation of Recent Comments failed. Most likely reason for this are wrong folder permissions of your wp-contents folder.

    Those are WPMU DEV plugins btw!

    If I’m the only one having issues with this, then it’s something I am doing wrong, if not, then the information given in this article is missing some very important piece of code which I cannot figure out where is missing in my install.

    I guess BulletProof Security Pro will have to protect my site!

    Dennis

      • The Incredible Code Injector

        I finally got it to work but only after I updated my xampp to the latest and php7. And got the directory structure to work too.

        You won’t need this code here on wpms installs:
        define('WP_SITEURL', 'https://' . $_SERVER['SERVER_NAME'] . '/application');
        define('WP_HOME', 'https://' . $_SERVER['SERVER_NAME']);

        You can go to network admin > network setup and get the new .htaccess code which includes the right settings for your root .htaccess file.

        At least it works for me, and I can browse content and between subsites.

        Dennis

  • Site Builder, Child of Zeus

    Hello, Great post and I think that installing WP into a unique directory should be considered a default option. I know obscurity is not really security, but the more steps a hacker has to go through, the more difficult it will be to break in. It is like why you still lock your car when it is parked in the driveway of your safe neighborhood….a couple of questions…..

    In regards to customizing the file structure, you mention that “You can’t move your uploads folder. It must stay directly in the /wp-content/uploads/ folder path”, but what if the folder is already moved? We already moved our uploads folder to a directory in our root, media or files for example. Can we keep it here, or will it have to be moved back to within /our-new-secret-folder/wp-content/? If we have to move it, can we reference our media files to still be http://www.ourdomain.com/media/?

    If we move WP core to a new folder, will a plugin or theme give away our ‘secret directory’ by including the absolute path to a CSS or JS file? Please let me know.

    Thanks,
    Michael
