
Moving WP down one level from Root


HI! 1st Question here. Thanks in Advance.

The great book **Digging Into WordPress** suggests creating a folder with a really unusual, weird name, and installing WP inside that folder. This way, it will be down one level from root. They also tell you how to move and edit a couple of critical files (I think it was htaccess and I forget the other one) back up a level to make everything work right. The idea is to make it more difficult for the site to be hacked or spammed or whatever.

I asked the owner/chief tech-guru at my web hosting service, who has been in the software/internet/open-source business a VERY long time, has been EXTREMELY helpful to me, and seems EXTREMELY knowledgeable, and he said he is concerned that doing so would make it difficult for someone to debug a WP site if problems developed. (He owns and his hands-on tech support for beginners and on up is phenomenal and nearly instantaneous. I've heard and experienced nothing but great things about him.)

I then e-mailed the authors of **Digging Into WP** about his doubts and although they reaffirmed their reasons for this maneuver, they did not address my actual question about debugging as mentioned by my web-guy.

Being at best an advanced Newbie (not even sure if that's right spelling!!!) I am concerned about making my life more difficult than necessary, one way or the other.

So, can anyone advise with more detail, pros and cons, as to the advisability -- or not -- of moving WP down one level, as suggested in **Digging Into WordPress**???

Thank You Very Much,
David Scott Lynn

Answers (3)


Milan Petrovic answers:

The only thing I know for sure is that you will break a lot of plugins. Most plugins that need to access some files in wp-content or even wp-includes are doing so using the ../../ method of moving through the folder structure. Moving these folders to locations plugins are not prepared to find will break them. The method such plugins use is bad; if you decide to make the change, you will need to be prepared to fix those plugins and change the paths, that is, if you use a plugin that will potentially break.

Also, the tech-guru you consulted is not exactly right on this one. To debug WordPress you don't really need to have all files in their originally intended locations. As it is, I have worked on 2 websites that made the change according to advice from Digging into WP. Several plugins broke, but that's about everything that happened. I didn't have or notice any problems, and I was debugging things on the spot for the theme and plugin I was developing for the website.

The major downside of this process is that you lose the auto update feature, and whenever you need to upgrade WP you need to do it manually and always use the DIWP procedure. And I don't really see that default location of the WP folders is actual security risk. I have 3 servers and many, many WP installations and for the last 3 years I had 2 security related problems with WordPress, both caused by WordPress bugs that were soon fixed.

David Lynn comments:

Hi Milan,

Thank You Very Much for your reply. It seems, to my somewhat uneducated mind, that you have pretty much answered the question with:

**I don't really see that default location of the WP folders is actual security risk.**

I would not mind learning to fix the paths for the plug-ins (does not sound impossible for me), but it would be very helpful to keep the auto-upgrade option. So I'm thinking that if it is not really going to help security much, I should not bother with moving the installation down from root. (Although I must admit I would feel VERY accomplished if I could pull it off without wrecking everything!!!!)

If, however, it is worth the 15 bucks to you (which it looks like you are going to get ANYWAY if no one else answers me in the VERY near future), I WOULD like to know what you think of the **Digging In** guys' assessment of making this change, versus not, because it DOES sound like they know what they are talking about.

I do like to be as thorough as possible when I make these kinds of decisions, but overall, if I am not mistaken, you give me the impression it is NOT worth the bother to move them. ... But if so, why did they put that in the book???

If you do choose to elaborate on your answer, I would appreciate it a lot, but not absolutely necessary at this point if you are too busy.


Milan Petrovic comments:

There are so many different security recommendations for WordPress (as with any other CMS), and it's a good thing to give users a choice. But you always need to weigh the cons and pros for these solutions and see if they fit what you need.

But I like to implement security solutions that don't require changes to WordPress core. I always find it more reliable to set proper security settings and access rules for the server, keep my passwords safe and change them regularly. I never make any changes to any of the core WordPress files or folders. You can never be sure that a change you make will not break some plugin or even WordPress in some cases. And losing auto upgrade is a real pain in the ass when security releases start coming after each major version.

The only file you can safely move is wp-config.php to one level up, and the WordPress loader will find it. This way no one can access this file from the outside. Also, you can move wp-content, and if you decide to do this, here is info from the WordPress Codex:

Best regards,


Jarret Minkler answers:

Shouldn't be a problem as long as you set it up right, most frameworks (symfony/zend) recommend this as well.

This started getting recognition when people were naming their include files and forgetting to set up Apache not to serve those files as text, thus creating a hole through which someone could view the code.

It is NOT any harder to debug .. not one bit

David Lynn comments:

Jarret ... Thank You Very Much ...

But being a newbie, as I mentioned, your answer is a little over my head, I think??? (Maybe people like me should not be reading things like Digging Into WordPress???)

And, based on Milan's answer (below), I'm not confident that your answer gives me enough insight, especially RE: the broken plug-in issue he describes.

I must acknowledge that it is my lack of experience that is probably the problem, however, rather than any deficiency on your part. But I have to respond to Milan and see what he says back before I make a decision.

Many Thanks,

Jarret Minkler comments:

Well, that's the risk you take when you customize. Honestly if they are doing ../../ instead of using the Install directory configuration it's crap code anyways. If they don't work, yes you would have to manually change the code to make it work (this would be a pretty obvious change if you have error logging turned on).

Yes, probably not for the faint of heart.

Jarret Minkler comments:

As an aside, there are plenty of "security plugins" available that will plug most of the holes, but if it's a zero day attack, well, then you're just screwed anyways. Just keep all your plugins up to date as well as WordPress and get some of the security plugins and you will be "ok".


Ali Hussain answers:

Just try to play it simple. I can recommend you some tips to be on the safe side:

1- Use only popular/recommended plugins
2- Don't ever chmod any of your folders to 777
3- Always keep a strong 10 char password to log in to WordPress and hosting (usually generated stuff)
4- Keep a specific email address for your blog itself and access it in an emergency.
5- Keep updating your WordPress to the latest version as soon as possible (updates come because of bugs)
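
Added example, not part of any answer in this thread: a small shell audit for three concrete points raised above (folders set to 777, wp-config.php moved one level up, include files the server may serve as text). The function names and the extension list are assumptions; pass the folder that holds wp-load.php as the argument.

```shell
#!/bin/sh
# Added example: audit a WordPress install folder ($1 holds wp-load.php).

# Files and directories any local user can write to (for example mode 777).
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Source files a web server may return as text instead of executing.
# The extension list is an assumption, not taken from the thread.
exposed_source() {
    find "$1" -type f \( -name '*.inc' -o -name '*.php.bak' -o -name '*.php~' \) -print
}

# Where the loader will find wp-config.php. WordPress looks in the install
# folder first, then one level up, but ignores the parent copy when a
# wp-settings.php sits beside it (that copy belongs to another install).
config_location() {
    if [ -f "$1/wp-config.php" ]; then
        echo install
    elif [ -f "$1/../wp-config.php" ] && [ ! -f "$1/../wp-settings.php" ]; then
        echo parent
    else
        echo missing
    fi
}

# Run every check, print what was found, return the number of findings.
audit() {
    findings=0
    for check in world_writable exposed_source; do
        out=$("$check" "$1")
        if [ -n "$out" ]; then
            printf '%s:\n%s\n' "$check" "$out"
            findings=$((findings + 1))
        fi
    done
    loc=$(config_location "$1")
    echo "wp-config.php: $loc"
    [ "$loc" = parent ] || findings=$((findings + 1))
    return "$findings"
}

if [ "$#" -gt 0 ]; then audit "$1"; fi
```

The exit status is the number of findings, so 0 means all three checks passed.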