Who Else Wants to Hide Their Wordpress Folder?
Tonight, I solved a very old problem in WordPress security among novice users. I will show you how to hide your WordPress admin directory while still being able to use it! When I say “hide,” I mean you can rename the wp-admin folder to whatever you want!
The Code (for people who don’t want to read)
Copy and paste the following into your .htaccess file (located wherever your WordPress folder is) to “rename” your wp-admin folder! If you are having trouble editing your .htaccess file, you should Google around for that as it’s beyond the scope of this article (or post a question in the comments and maybe another person can help).
- Change YOURSECRETWORDHERE to something else. It can be any word you want. Just make sure it’s unique and somewhat long. Make it, like, your pet’s name or something random. Read this post to understand why this matters.
- Change ADMINFOLDER to the new folder name you want. Letters, numbers, underscores, and dashes only. That ^ in front of it is on purpose. Don’t delete that.
RewriteEngine On
RewriteBase /
##### ABOVE THIS POINT IS ALREADY INSERTED BY WORDPRESS
##### Michi's code is BELOW #####
RewriteCond %{REQUEST_URI} wp-admin/
RewriteCond %{QUERY_STRING} !YOURSECRETWORDHERE
RewriteRule .*\.php - [F,L]
RewriteCond %{QUERY_STRING} !YOURSECRETWORDHERE
RewriteRule ^ADMINFOLDER/(.*) wp-admin/$1?%{QUERY_STRING}&YOURSECRETWORDHERE [L]
##### Michi's code is ABOVE #####
##### BELOW THIS POINT IS ALREADY INSERTED BY WORDPRESS
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
Note: there are a few drawbacks to this hack. Read the bottom of this post for those.
The Explanation
My adventure started when I read a pretty terrible piece of advice that suggested using the .htaccess file to restrict who sees your admin section by IP. Great, so if I’m at work, I can’t log in. So if my IP changes, I can’t log in. If I’m at Starbucks, I can’t log in. That’s retarded. That’s not a solution!
But it’s on the right track. The .htaccess file can do a lot.
Oh, and if any WordPress developers ever read this, please make the WordPress admin folder a variable name you can change! It is retarded that it is hard coded.
The .htaccess file shines best when it is used for URL rewriting rules. For you non-programmers, the next block explains a little about what I just said. If you don’t care, skip it.
It is good for making URLs access files that don’t necessarily exist on the server exactly as they appear in the URL. For example, Digg.com uses URL rewrites to hide file and variable names. So the URL digg.com/videos certainly does not point to a file or folder actually called “videos”. Rather, it probably turns into something like digg.com/somefilename.ext?type=videos. The point is, you can hide what’s actually happening behind the scenes. I hope you get the idea.
Disabling the wp-admin Folder and Creating a Secret Mirror Folder
There are two steps in blocking access to the wp-admin folder. Disabling it is easy, but keeping it functional is the hard part. Additionally, there are CSS files and other dependencies in that folder that must still be served. So the block must only apply when appropriate, which is why the rule below matches PHP files only.
RewriteCond %{REQUEST_URI} wp-admin/
RewriteCond %{QUERY_STRING} !YOURSECRETWORDHERE
RewriteRule .*\.php - [F,L]
- The first line says “If the word wp-admin is found in the URL…”
- The second line says, “And if the query string is missing our secret word…”
- The third line says “And it’s a PHP file… Deny access.” The dash means the URL is left as it is; the F flag answers with 403 Forbidden and L stops any further rules.
We’ll get to that password thing in a minute. At this point, if you visit wp-admin/, it will not work. Halfway there!
The next part is the guts of it all. We get to set our very own admin folder! I want to call my admin folder “secret_room”. So here’s how the code would look:
RewriteCond %{QUERY_STRING} !YOURSECRETWORDHERE
RewriteRule ^secret_room/(.*) wp-admin/$1?%{QUERY_STRING}&YOURSECRETWORDHERE [L]
This next block is for you technically oriented people:
The first part (the RewriteCond) makes sure the rule doesn’t trigger itself later: once the secret word is already in the query string, the rule is skipped. The rule itself says “if the URL starts with ’secret_room/,’ then replace that part with wp-admin/. Then, add in the query string (things after the question mark). Finally, add in the secret word.”
Now, if I go to the folder secret_room/, it will work just like wp-admin used to!
Don’t use “secret_room.” That’s my example. You use whatever folder name you want. Letters, numbers, underscores, and dashes only.
But we’re not done yet. That secret word thing needs to be customized. Why? Well, try this. Go to your blog’s wp-admin folder, but this time, add “?YOURSECRETWORDHERE” to the end and it will work too (as in, myblog.com/wp-admin/?YOURSECRETWORDHERE)! Curious why? If you’re a little geeky, read the next block. Otherwise, skip it.
Well, this hack works by rewriting the URL you type in and appending that “secret word” to it. It only does this when someone visits the “secret_room” folder. It does not add it when you type in the wp-admin/ folder (or any other location) directly. Then, when a request is for something in the wp-admin folder, it checks whether that secret word is in the query string. If you went to the URL by hand, you most likely did not type that word in. But the “secret_room” rewrite always makes sure the secret word is attached. This is how it distinguishes between visiting wp-admin directly and visiting it through the mirror folder. Remember that any rewriting of the URL happens behind the scenes, so your browser won’t show you what’s going on.
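To make the behind-the-scenes part visible, here is a small Python model of how Apache evaluates the three rule groups above. It is an added example, not code from the original post and not a real mod_rewrite implementation: it re-runs the rules after each internal rewrite (as per-directory rewriting does), treats a directory hit as a DirectoryIndex redirect to index.php, and uses a constructed list of files standing in for a WordPress install.

```python
import re

SECRET = "YOURSECRETWORDHERE"   # the post's default; the post says to change it
ALIAS = "secret_room"           # the post's example name for the hidden admin folder

# Constructed stand-in for files on disk (not a real install); paths are
# relative to the directory holding .htaccess, as mod_rewrite sees them.
FILES = {"index.php", "wp-login.php", "wp-admin/index.php",
         "wp-admin/post.php", "wp-admin/css/colors.css"}
DIRS = {"", "wp-admin", "wp-admin/css"}


def rewrite_once(path, query):
    """One pass over the rules from the post. Returns ("forbid", ...),
    ("serve", ...) or ("rewrite", new_path, new_query); the last one means
    Apache performs an internal redirect and runs the rules again."""
    # RewriteCond %{REQUEST_URI} wp-admin/
    # RewriteCond %{QUERY_STRING} !SECRET
    # RewriteRule .*\.php - [F,L]        (F = 403 Forbidden, URL unchanged)
    if "wp-admin/" in path and SECRET not in query and re.search(r"\.php", path):
        return ("forbid", path, query)
    # RewriteCond %{QUERY_STRING} !SECRET
    # RewriteRule ^secret_room/(.*) wp-admin/$1?%{QUERY_STRING}&SECRET [L]
    m = re.match(rf"^{ALIAS}/(.*)", path)
    if SECRET not in query and m:
        return ("rewrite", "wp-admin/" + m.group(1), query + "&" + SECRET)
    # RewriteCond %{REQUEST_FILENAME} !-f / !-d ; RewriteRule . /index.php [L]
    if path not in FILES and path.rstrip("/") not in DIRS:
        return ("rewrite", "index.php", query)
    # A directory hit: mod_dir redirects to its index.php and the rules run
    # again on that request, so the .php rule above gets a second look.
    if path.rstrip("/") in DIRS:
        return ("rewrite", (path.rstrip("/") + "/index.php").lstrip("/"), query)
    return ("serve", path, query)


def route(url, max_passes=10):
    """Follow internal rewrites until the request is served or refused."""
    path, _, query = url.lstrip("/").partition("?")
    for _ in range(max_passes):
        verdict, path, query = rewrite_once(path, query)
        if verdict != "rewrite":
            return verdict, path, query
    raise RuntimeError("rewrite loop")


if __name__ == "__main__":
    for url in ["/wp-admin/", "/wp-admin/post.php", "/wp-admin/css/colors.css",
                "/secret_room/post.php?action=edit", "/wp-admin/post.php?" + SECRET,
                "/wp-login.php", "/2008/some-post/"]:
        print(f"{url:40} -> {route(url)}")
```

The run shows the three things the text claims: direct wp-admin PHP requests are refused, stylesheets still load, and the mirror folder works, but also that the default secret word opens wp-admin directly and that wp-login.php is untouched by these rules.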
Since I just gave this same code to about 10,000 people, it’s in your best interest to change your secret word to be unique to you. Note that nobody will ever see it, including you. You will forget what it is, and realistically, it doesn’t matter what the hell you set it to. As long as it’s not the default one I just gave to you. Ideally, it should be long and something highly unlikely to appear in a URL. Try your name, then maybe add your favorite color. I don’t know. Just do something random. Case matters.
Here is what the final .htaccess, ideally, should look like:
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} wp-admin/
RewriteCond %{QUERY_STRING} !YOURSECRETWORDHERE
RewriteRule .*\.php - [F,L]
RewriteCond %{QUERY_STRING} !YOURSECRETWORDHERE
RewriteRule ^secret_room/(.*) wp-admin/$1?%{QUERY_STRING}&YOURSECRETWORDHERE [L]
# BEGIN WordPress
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
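As an added example (not the post’s own code), a small Python generator that writes this final block with a properly random secret word instead of a hand-picked one, and checks the folder name against the post’s letters, numbers, underscores and dashes rule. The 16-character minimum for the secret is this example’s own choice.

```python
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits

# The template reproduces the rules from the post; "-" is the substitution
# of the forbid rule (leave the URL alone, just apply the F flag).
TEMPLATE = """RewriteEngine On
RewriteBase /
RewriteCond %{{REQUEST_URI}} wp-admin/
RewriteCond %{{QUERY_STRING}} !{secret}
RewriteRule .*\\.php - [F,L]
RewriteCond %{{QUERY_STRING}} !{secret}
RewriteRule ^{folder}/(.*) wp-admin/$1?%{{QUERY_STRING}}&{secret} [L]
# BEGIN WordPress
RewriteCond %{{REQUEST_FILENAME}} !-f
RewriteCond %{{REQUEST_FILENAME}} !-d
RewriteRule . /index.php [L]
# END WordPress
"""


def valid_folder(name):
    """Letters, digits, underscores and dashes only, as the post requires.
    That also keeps regex metacharacters out of the ^folder/ pattern.
    The real folder name is refused: aliasing wp-admin to itself would
    stamp the secret onto every direct request and defeat the block."""
    return bool(re.fullmatch(r"[A-Za-z0-9_-]+", name)) and name != "wp-admin"


def make_secret(length=32):
    """A random alphanumeric token from the OS CSPRNG: safe inside a query
    string, case-sensitive like the RewriteCond match, and not guessable."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def render_htaccess(folder, secret=None):
    """Return the .htaccess text for the given hidden folder name."""
    if not valid_folder(folder):
        raise ValueError(f"bad folder name: {folder!r}")
    secret = secret or make_secret()
    if not re.fullmatch(r"[A-Za-z0-9]{16,}", secret):
        raise ValueError("secret must be alphanumeric and at least 16 characters")
    return TEMPLATE.format(folder=folder, secret=secret)


if __name__ == "__main__":
    print(render_htaccess("secret_room"))
```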
Benefits and Drawbacks to Hiding wp-admin
This hack has its drawbacks.
- The “edit” link on your posts will no longer work. You may want to remove it from your theme.
- The admin link on your side bar will no longer work. You may want to remove it from your theme.
- The standard login link will no longer work. Instead, use a bookmark as it will redirect you back to your hidden login page after you finish logging in.
Note that the first two drawbacks can be addressed by editing wp-includes/link-template.php: line 248 and 263. Change “wp-admin” to your new folder name. However, this hack would need to be re-done if you upgrade WordPress. If you make these edits, the new folder name will only be visible to users who have permission to see these links anyway.
There are a few significant upsides:
- If ever again there is another vulnerability that hits the WordPress wp-admin folder, you are very likely immune.
- Upgrading WordPress doesn’t un-hide the folder. It will persist through upgrades.
Remember, this hack will not protect you from having an insecure admin password. Although, it could protect you from a hacker since he won’t know where to go after successfully logging in (hah!).
Lastly, be careful when doing this. If you type something wrong, you’ll get server errors (I believe error code 500). Make sure you type it in exactly as you see it in these examples first. Then change one part at a time.
Changing the Admin User
One other point I noticed when tightening up my security was the default admin user name. Now, hah, this is assuming they actually brute force my password and then figure out how to get to the admin folder… good luck.
I noticed that I had an admin user account under the login name “admin”. Well, that’s a no-brainer. I went into the database and ran the following query:
UPDATE wpt_users SET user_login = '[my new username]', user_nicename = '[my new username]' WHERE wpt_users.ID = 1 LIMIT 1;
That solves another part of the problem. Now hackers have to guess not only my password, but also my username.
In Closing…
If you like what you’ve read, I’d appreciate it if you could Digg/Reddit/Stumble this article.
[...] I highly recommend it. While we’re on the subject of hackers, I suggest you have a look at this post on using the htaccess to hide your wordpress admin folder if you’re worried about potential [...]
Pingback by Devlounge | Wordpress Security Alert — March 3, 2007 @ 6:02 am
[...] Michi Knows has a tutorial on how to use the htaccess file to better secure the wp-admin folder used for WordPress that looks worth implementing. [...]
Pingback by Country Keepers by Gary Petersen » Blog Archive » Hiding Your WordPress Admin Folder — March 3, 2007 @ 4:26 pm
Thanks for the great how-to!
Comment by Bindanaku — April 2, 2007 @ 9:13 am
[...] can double the protection by hiding your entire admin folder! This great step-by-step tutorial from Michi Knows will show you how to rename your admin folder to anything you [...]
Pingback by Hiding Wordpress admin directory | Bindanaku — April 2, 2007 @ 9:14 am
[...] the directories. Michi Kono has written a tutorial on how to rename and protect the WordPress administration folder (wp-admin). You can also apply this to specific directories one by [...]
Pingback by Protect Important Folders in your Blog by Blog Tutorials — June 20, 2007 @ 5:23 am
This sounds like a great solution, but I followed this article exactly and couldn’t get the new admin to show up (404 page not found).
Comment by Cory Duncan — August 8, 2007 @ 4:05 pm
How about adding a simple authentication on top of the wp-admin folder instead of rewriting the URL? That would also secure your site a bit more without breaking anything. I am talking about what is known as htpasswd authentication for Apache.
Comment by Sameer — August 9, 2007 @ 5:24 am
You mean like http://www.askapache.com/wordpress/htaccess-password-protect.html
Very cool tip Michi!
Comment by AskApache — August 13, 2007 @ 9:46 pm
[...] You might want to consider changing the name of the admin folder, wp-admin. While I don’t think this should be the first thing you do, you can find details in an excellent article by Michi. [...]
Pingback by The First 5 Steps for Stronger Wordpress Security at Ramness.com — August 18, 2007 @ 3:40 pm
[...] that WordPress is a higher visibility target Phrixus suggested hiding the wp-admin directory as an extra level of protection against automated vulnerability/brute-force attacks which I shall [...]
Pingback by Notes on the move to WordPress at DamienG — September 4, 2007 @ 2:36 am
Hi Michi,
Thanks for your post. I’m finally able to hide the wp-admin. I have some questions here. I don’t understand how your first two drawbacks can be addressed by editing wp-includes/link-template.php: line 248 and 263, since I can’t find wp-admin on those lines.
I’m having error 404 uploading images. Is there any code that I can add in to solve this issue? Thanks again!!
Comment by legendchew — October 10, 2007 @ 11:29 am
Hi Chew,
Thanks for the comment. Let me help you out:
1. The line numbers might not be exact, but you are changing references to “wp-admin” to your new folder name in the functions edit_post_link and edit_comment_link.
2. Edit the wp-admin/upload-functions.php file. Change ALL references from “wp-admin/” to your new folder name.
I realize now there is an even more elegant way to do this hack that will be much more future proof. Thank you for your inspiring comment and look for an update one of these weekends.
Comment by Michi — October 10, 2007 @ 10:32 pm
Hi Michi,
Thanks for the reply. I think the version (I’m using wp 2.3) that I use is totally different from yours. The link of the page has changed, I guess. I think I need to go through every php file and have a look at it. Will try to do that when I’m free.
Well, what I do right now is whenever I need to update an image or delete a page, I remove the .htaccess file. After I have done the modification, I put it back.
By the way, can I hide the wp-login.php in the address link and just have it show as a domain only, like “http://legendchew.com/” instead of “http://legendchew.com/wp-login.php”?
Sorry that I’m a noob on this.
I wish you could help me on this.
Thanks again.
Comment by legendchew — October 13, 2007 @ 8:30 am
You can use modrewrite rules to accomplish that goal. The entry would look something like:
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^/$ /wp-login.php [NC,L]
I haven’t tested this, and it depends on your server settings. That last line might alternatively look like:
RewriteRule ^$ wp-login.php [NC,L]
or…
RewriteRule ^/webfolder/$ webfolder/wp-login.php [NC,L]
Let me know if none of these work.
A last resort is:
RewriteRule .* /wp-login.php [NC,L]
But that will redirect all 404 requests, which may be highly undesired.
Comment by Michi — October 14, 2007 @ 1:27 pm
I have tried it; none of it works. If I included the “RewriteRule . /index.php [L]” code, I get error: 500 Internal Server Error.
It’s alright, don’t worry.
Comment by legendchew — October 15, 2007 @ 11:07 am
ah, i bet i know why… the “.” being changed to “/index.php” causes an infinite loop since “/index.php” matches with “.” (when the rules are run again). ALL of the solutions I posted require the two RewriteConds. This ensures that the looping won’t happen. Did you include that?
Comment by Michi — October 15, 2007 @ 2:02 pm
Hi Michi,
I’m sorry for the late reply. I tried everything, still the same issue. It’s alright, I’ll just leave it that way. Don’t worry, be happy.
Comment by legendchew — October 26, 2007 @ 11:29 am
[...] CMS. I become so lazy of writing code again. I think here is the perfect solution for you Michi Knows - Who Else Wants to Hide Their Wordpress Folder? __________________ SEO [...]
Pingback by Wordpress Dicussion - Page 8 - Webmaster Malaysia Forum — October 29, 2007 @ 6:24 pm
hm, I’ve tried to do just like you said but no result….
sometimes domain.tld/wp-admin works, sometimes it doesn’t; sometimes domain.tld/NEWNAME is ok but domain.tld/NEWNAME/ is not, etc.
can you please post the full .htaccess file here for WP 2.3.1, for dummies :)?
thanks in advance
za
Comment by zdenko — November 2, 2007 @ 10:12 am
Damn, that works great
Thanks for the tutorial Michi.
Comment by Ryan — December 15, 2007 @ 3:42 pm
For fellow users looking for a solution: Unfortunately this doesn’t work (or the rewritten URL is such critical missing information that it renders the whole solution useless).
Anyhow: you will get 404 no matter what. Once the referrer changed the directory to the new name, it will not add the secret pwd to the query string any more. And then that’s it. It’s a good intro to Apache modules but don’t waste time on it.
Comment by Attila — January 7, 2008 @ 5:03 am
Attila - this works flawlessly for me, I’ve been using it for a month now with zero problems whatsoever. I assume you are doing something wrong or your server is setup oddly if you are having problems.
Comment by Ryan — January 9, 2008 @ 2:06 pm
Ryan, can you please post here your full .htaccess file, of course without folder name, password, sec. key etc?
thanks in advance
zdenko
Comment by zdenko — January 10, 2008 @ 5:00 am
The site is on an addon domain, so I’ve included the addon domain information as well. The site I’m using this on is running WordPress 2.3.1 or 2.3, I think.
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
# For sites running on a port other than 80
RewriteCond %{HTTP_HOST} !^domain\.com\/addon\/ [NC]
RewriteCond %{HTTP_HOST} !^$
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^/(.*) http://addon.org:%{SERVER_PORT}/$1 [L,R]
# For sites running on a port other than 80
RewriteCond %{HTTP_HOST} !^domain\.com\/addon [NC]
RewriteCond %{HTTP_HOST} !^$
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^/(.*) http://addon.org:%{SERVER_PORT}/$1 [L,R]
# For sites running on a port other than 80
RewriteCond %{HTTP_HOST} !^addon\.domain\.com\ [NC]
RewriteCond %{HTTP_HOST} !^$
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^/(.*) http://addon.org:%{SERVER_PORT}/$1 [L,R]
Comment by Ryan — January 10, 2008 @ 9:39 pm
Darn it, posted the wrong one the first time. Here goes …
# BEGIN WordPress
RewriteEngine On
RewriteBase /anything/
##### HACK TO CHANGE ADMIN FOLDER HERE #####
RewriteCond %{REQUEST_URI} wp-admin/
RewriteCond %{QUERY_STRING} !blablabla
RewriteRule .*\.php [F,L]
RewriteCond %{QUERY_STRING} !boom
RewriteRule ^admin/(.*) wp-admin/$1?%{QUERY_STRING}&blablabla [L]
############################################
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /anything/index.php [L]
# END WordPress
Comment by Ryan — January 10, 2008 @ 9:42 pm
Actually this is very stupid… you can access it with /wp-login.php
Comment by Snap — January 12, 2008 @ 4:26 pm
Snap - how is this stupid exactly? If I go to (my test site) http://ryanhellyer.net/test/activedesign/wp-login.php it redirects to the old http://ryanhellyer.net/test/activedesign/wp-admin/ folder and so gets a 404 error. I can’t see any problems with this method at all and it was easy to implement.
Comment by Ryan — January 12, 2008 @ 7:09 pm
Ryan, it does not redirect…
Comment by Haroun — March 16, 2008 @ 1:49 am
Now try to modify a page : error 500 internal…
There’s some bugs…
Comment by Haroun — March 16, 2008 @ 1:54 am
Ok I found why it didn’t work…
Comment by Haroun — March 16, 2008 @ 2:25 am
What about taking it one step further and masking wp-content, so when people view the source they’re not seeing the path to those files in your plugins? Is that achieved in a similar way?
Comment by Jeromy — March 19, 2008 @ 12:58 pm
This works great apart from a few issues - some plugins I use (namely Search Regex, Search Unleashed, Audit Trail and Custom Write Panel) stop working or disappear from the Edit menu.
Comment by Manne — March 28, 2008 @ 1:17 pm
hello, me again
I wonder if this solution depends on server config (it is a *nix box :))?
I put just these 3 lines in my .htaccess file
”
RewriteCond %{REQUEST_URI} wp-admin/
RewriteCond %{QUERY_STRING} !blabla
RewriteRule .*\.php [F,L]
”
and I’m still able to open either TLD/wp-admin/ or TLD/wp-admin or TLD/wp-admin/index.php
what do I have to do to make this great idea work for me :(?
thanks,
zdenko
Comment by zdenko — May 15, 2008 @ 10:58 am
I love the idea of making my wp-admin folder hidden, but I am having a problem: my .htaccess file isn’t in my root folder (where WP is installed), and therefore when I’m trying to edit it, even when I upload it I don’t get the desired changes. What can I do?
Comment by Sophie — June 17, 2008 @ 3:29 pm
Ok, reading through some of the comments, it appears as if there were some bugs in the original code?
I still don’t understand exactly where in the .htaccess file to put the above code…
I am blocking about 100 IP addresses; do I put it after that or before?
Comment by mike — July 4, 2008 @ 9:41 pm
“Oh, and if any Wordpress developers ever read this, please make the word press admin folder be a variable name you can change! It is retarded that it is a hard coded.”
How about making any “front facing” directory a variable. I don’t like wp-content, wp-includes, etc. I’d like to be able to change what they are named and where they are located. I don’t like advertising what my site is running on. I don’t mind sharing that info with those who ask, but please make it a little harder for those sniffing around to do malicious activity. That is one of the few things I dislike about WordPress.
Sophie: you can have more than 1 .htaccess file, create a new one and put it in the same directory your wordpress install is in, in your case in your root directory.
Comment by waldo — July 11, 2008 @ 5:28 am
WordPress is free. Development is not.
Comment by Jones — July 19, 2008 @ 10:27 pm
Hi Michi. Thanks for that post. I have to ask a question. When I try to open /wp-admin/ or one of its subpages, sometimes it redirects to the 404 page.
I’m using permalinks on my blog, so I think this problem occurs because WordPress thinks /wp-admin is a permalink. I don’t know why it’s happening only sometimes.
To avoid this, I think I have to write in .htaccess “if it’s /wp-admin/, don’t use WordPress’ permalink structure”. But I don’t know how to write it.
Is there a way to do this? And have you ever faced with that kind of a problem?
Thanks.
Comment by blabla — July 23, 2008 @ 4:43 am
Nice. Very nice.
Comment by Jonathan — August 24, 2008 @ 3:46 pm
[...] Hiding your Admin Directory→ [...]
Pingback by Hiding your Admin Directory :: WPLover — September 10, 2008 @ 8:54 pm
Strange, but it doesn’t work with the 2.6.2 version on my server. I’m unable to log in either with “mysite.com/wp-admin/?YOURSECRETWORDHERE” or with “mysite.com/ADMINFOLDER/”. It opened the login page, but didn’t let me in. I have set up and used my own words instead of ADMINFOLDER and YOURSECRETWORDHERE, of course. All wp-admin files were in the ADMINFOLDER. Could you please tell of any updates to this solution? Does it work on your blog with 2.6.2 WP?
Comment by Edward — October 2, 2008 @ 8:33 am
If you open any file inside /wp-admin/, all the files have
require_once(ABSPATH . 'wp-admin/admin-header.php');
so it’s not only the rewrite rule.
Comment by Yannis Kolovos — October 7, 2008 @ 2:18 pm
Thanks Michi for this very detailed tutorial
However, I’m having the exact same problem as Edward just above on the impossibility to login.
Could you or anyone help on this issue please?
Comment by Marc — October 10, 2008 @ 10:04 am
Same problem on 2.6.2, can’t login.
Comment by Jonathan — October 10, 2008 @ 3:10 pm