Who Else Wants to Hide Their WordPress Folder?

Tonight, I solved a very old problem in WordPress security among novice users. I will show you how to hide your WordPress admin directory while still being able to use it! When I say “hide,” I mean you can rename the wp-admin folder to whatever you want!

The Code (for people who don’t want to read)

Copy and paste the following into your .htaccess file (located wherever your WordPress folder is) to “rename” your wp-admin folder! If you are having trouble editing your .htaccess file, you should Google around for that as it’s beyond the scope of this article (or post a question in the comments and maybe another person can help).

  • Change YOURSECRETWORDHERE to something else. It can be any word you want; just make sure it's unique and somewhat long. Make it, like, your pet's name or something random. Read this post to understand why this matters.
  • Change ADMINFOLDER to the new folder name you want. Letters, numbers, underscores, and dashes only. That ^ in front of it is on purpose. Don’t delete that.

RewriteEngine On
RewriteBase /
##### ABOVE THIS POINT IS ALREADY INSERTED BY WORDPRESS
##### Michi's code is BELOW #####
# Refuse PHP files under wp-admin/ unless the secret word is in the query string.
# The "-" means "leave the URL unchanged"; [F] sends a 403 Forbidden.
RewriteCond %{REQUEST_URI} wp-admin/
RewriteCond %{QUERY_STRING} !YOURSECRETWORDHERE
RewriteRule .*\.php - [F,L]
# Map ADMINFOLDER/ onto wp-admin/, keeping the query string and appending the secret word.
RewriteCond %{QUERY_STRING} !YOURSECRETWORDHERE
RewriteRule ^ADMINFOLDER/(.*) wp-admin/$1?%{QUERY_STRING}&YOURSECRETWORDHERE [L]

##### Michi's code is ABOVE #####
##### BELOW THIS POINT IS ALREADY INSERTED BY WORDPRESS
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

Note: there are a few drawbacks to this hack. Read the bottom of this post for those.

The Explanation

My adventure started when I read a pretty terrible piece of advice that suggested using the .htaccess file to restrict who sees your admin section by IP. Great, so if I'm at work, I can't log in. If my IP changes, I can't log in. If I'm at Starbucks, I can't log in. That's retarded. That's not a solution!

But it’s on the right track. The .htaccess file can do a lot.

Oh, and if any WordPress developers ever read this, please make the WordPress admin folder name a variable you can change! It is retarded that it is hard-coded.

The .htaccess file shines best when it is used for URL rewriting rules. For you non-programmers, the next block explains a little about what I just said. If you don’t care, skip it.

It lets a URL map onto a file that doesn't necessarily exist on the server under the name that appears in the URL. For example, Digg.com uses URL rewrites to hide file and variable names. So the URL digg.com/videos certainly does not point to a file or folder actually called "videos". Rather, it probably turns into something like digg.com/somefilename.ext?type=videos. The point is, you can hide what's actually happening behind the scenes. I hope you get the idea.

Disabling the wp-admin Folder and Creating a Secret Mirror Folder

There are two steps in blocking access to the wp-admin folder. Disabling it is easy; keeping it functional is the hard part. Additionally, there are CSS files and other dependencies in that folder that must still be served. So after disabling it, a condition must be added so that it is only disabled when appropriate.

RewriteCond %{REQUEST_URI} wp-admin/
RewriteCond %{QUERY_STRING} !YOURSECRETWORDHERE
RewriteRule .*\.php - [F,L]

  1. The first line says "If the word wp-admin is found in the URL…"
  2. The second line says "And if the query is missing our password…"
  3. The third line says "And it's a PHP file… deny access." (The "-" means the URL itself is left unchanged; [F] is what sends the Forbidden response.)

We'll get to that password thing in a minute. At this point, if you visit wp-admin/, it will not work. Halfway there!

The next part is the guts of it all. We get to set our very own admin folder! I want to call my admin folder “secret_room”. So here’s how the code would look:

RewriteCond %{QUERY_STRING} !YOURSECRETWORDHERE
RewriteRule ^secret_room/(.*) wp-admin/$1?%{QUERY_STRING}&YOURSECRETWORDHERE [L]

This next block is for you technically oriented people:

The first line makes sure the rule doesn't trigger itself again when the rules are re-run on the rewritten URL (a recursion guard). The rule itself says: "if the URL starts with 'secret_room', replace that part with wp-admin. Then add in the query string (the things after the question mark). Finally, add in the secret word."

Now, if I go to the folder secret_room/, it will work just like wp-admin used to!

Don’t use “secret_room.” That’s my example. You use whatever folder name you want. Letters, numbers, underscores, and dashes only.

But we’re not done yet. That secret word thing needs to be customized. Why? Well, try this. Go to your blog’s wp-admin folder, but this time, add on “?YOURSECRETWORDHERE” on the end and it will work too (as in, myblog.com/wp-admin/?YOURSECRETWORDHERE)! Curious why? If you’re a little geeky, read the next block. Otherwise, skip it.

Well, this hack works by changing the URL you type in by adding that “secret word” on the end of it. It only does this when someone visits the “secret_room” folder. But it doesn’t add it on when you just type in the wp-admin/ folder (or any other location). Then, when someone is looking at a wp-admin folder, it looks to see if that secret word is in the URL. If you went to the URL by hand, you likely did not type that word in. But the “secret_room” always makes sure the secret word is attached. This is how it distinguishes between visiting wp-admin directly, and visiting it through the mirror folder. Remember that any re-writing of the URL happens behind the scenes, so your browser won’t show you what’s going on.

Since I just gave this same code to about 10,000 people, it’s in your best interest to change your secret word to be unique to you. Note that nobody will ever see it, including you. You will forget what it is, and realistically, it doesn’t matter what the hell you set it to. As long as it’s not the default one I just gave to you. Ideally, it should be long and something highly unlikely to appear in a URL. Try your name, then maybe add your favorite color. I don’t know. Just do something random. Case matters.

Here is what the final .htaccess, ideally, should look like:

RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} wp-admin/
RewriteCond %{QUERY_STRING} !YOURSECRETWORDHERE
RewriteRule .*\.php - [F,L]
RewriteCond %{QUERY_STRING} !YOURSECRETWORDHERE
RewriteRule ^secret_room/(.*) wp-admin/$1?%{QUERY_STRING}&YOURSECRETWORDHERE [L]
# BEGIN WordPress
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
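To check what that final rule set does to a given request, here is an added Python model of it; it is not part of the post and not real mod_rewrite, and the file list, secret word and mirror folder name are constructed placeholders. It reproduces the points made above: a PHP file under wp-admin/ is refused unless the secret word is in the query string, the mirror folder supplies that word on every pass of the rules, ordinary permalinks and the admin CSS are unaffected, and wp-login.php is not covered by these rules at all.

```python
"""Model of the post's final .htaccess rule set (added example, not real
mod_rewrite). It emulates only what these rules need: per-directory matching
without the leading slash, RewriteCond regex and -f/-d tests, $1 and
%{QUERY_STRING} expansion, and the re-run of the whole rule set after an
[L] rewrite. DirectoryIndex lookups are not modelled, so request explicit
files such as wp-admin/index.php rather than wp-admin/."""
import re

SECRET = "YOURSECRETWORDHERE"  # placeholder from the post; use your own word
ADMIN_ALIAS = "secret_room"    # the mirror folder name used in the post

# Constructed stand-in for what exists on disk in the WordPress install.
FILES = {"index.php", "wp-login.php", "wp-admin/index.php",
         "wp-admin/edit.php", "wp-admin/css/colors.css"}
DIRS = {"wp-admin", "wp-admin/css"}

# The post's three rules, each with the RewriteConds that guard it.
# A cond is (variable, test, negated); test is a regex, or "-f"/"-d".
RULES = [
    # RewriteCond %{REQUEST_URI} wp-admin/ + RewriteCond %{QUERY_STRING} !SECRET
    # RewriteRule .*\.php - [F,L]
    {"conds": [("REQUEST_URI", r"wp-admin/", False),
               ("QUERY_STRING", SECRET, True)],
     "pattern": r".*\.php", "sub": "-", "flags": {"F", "L"}},
    # RewriteCond %{QUERY_STRING} !SECRET
    # RewriteRule ^secret_room/(.*) wp-admin/$1?%{QUERY_STRING}&SECRET [L]
    {"conds": [("QUERY_STRING", SECRET, True)],
     "pattern": rf"^{ADMIN_ALIAS}/(.*)",
     "sub": "wp-admin/$1?%{QUERY_STRING}&" + SECRET, "flags": {"L"}},
    # WordPress's own permalink catch-all: RewriteRule . /index.php [L]
    {"conds": [("REQUEST_FILENAME", "-f", True),
               ("REQUEST_FILENAME", "-d", True)],
     "pattern": r".", "sub": "/index.php", "flags": {"L"}},
]


def cond_holds(var, test, negated, path, query):
    """Evaluate one RewriteCond against the current path and query string."""
    if var == "REQUEST_URI":
        ok = re.search(test, "/" + path) is not None
    elif var == "QUERY_STRING":
        ok = re.search(test, query) is not None  # a regex, and case-sensitive
    elif var == "REQUEST_FILENAME":
        ok = path in FILES if test == "-f" else path.rstrip("/") in DIRS
    else:
        raise ValueError(f"unsupported variable {var}")
    return ok != negated


def expand(sub, match, query):
    """Expand %{QUERY_STRING} and $N back-references in a substitution."""
    out = sub.replace("%{QUERY_STRING}", query)
    for i, group in enumerate(match.groups(), 1):
        out = out.replace(f"${i}", group)
    return out


def resolve(path, query=""):
    """Run the rule set on a request the way Apache does for a .htaccess file.

    Returns (status, final_path, final_query). A rule with [L] that changes
    the URL makes Apache restart the rule set on the new URL, which is why
    the post's rules look for the secret word again on every pass.
    """
    for _ in range(10):  # Apache gives up after 10 internal redirects
        rewritten = False
        for rule in RULES:
            if not all(cond_holds(v, t, n, path, query)
                       for v, t, n in rule["conds"]):
                continue
            match = re.search(rule["pattern"], path)
            if match is None:
                continue
            if "F" in rule["flags"]:
                return 403, path, query  # refused before WordPress ever runs
            if rule["sub"] != "-":
                new = expand(rule["sub"], match, query)
                if "?" in new:  # a '?' in the substitution replaces the query
                    new, _, query = new.partition("?")
                path = new.lstrip("/")
                rewritten = True
            if "L" in rule["flags"]:
                break
        if not rewritten:
            break
    return (200 if path in FILES else 404), path, query


if __name__ == "__main__":
    for req in [("wp-admin/index.php", ""), ("wp-admin/index.php", SECRET),
                (f"{ADMIN_ALIAS}/edit.php", "post=7"),
                ("wp-admin/css/colors.css", ""), ("about-us/", ""),
                ("wp-login.php", "")]:
        print(req, "->", resolve(*req))
```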

Benefits and Drawbacks to Hiding wp-admin

This hack has its drawbacks.

  • The “edit” link on your posts will no longer work. You may want to remove it from your theme.
  • The admin link on your side bar will no longer work. You may want to remove it from your theme.
  • The standard login link will no longer work. Instead, use a bookmark as it will redirect you back to your hidden login page after you finish logging in.

Note that the first two drawbacks can be addressed by editing wp-includes/link-template.php: lines 248 and 263. Change "wp-admin" to your new folder name. However, this change would need to be redone every time you upgrade WordPress. Even if you make these changes, the links are only visible to users who have permission to see them anyway.

There are a few significant upsides:

  • If ever again there is another vulnerability that hits the WordPress wp-admin folder, you are very likely immune.
  • Upgrading WordPress doesn’t un-hide the folder. It will persist through upgrades.

Remember, this hack will not protect you from having an insecure admin password. Although, it could protect you from a hacker since he won’t know where to go after successfully logging in (hah!).

Lastly, be careful when doing this. If you type something wrong, you’ll get server errors (I believe error code 500). Make sure you type it in exactly as you see it in these examples first. Then change one part at a time.

Changing the Admin User

One other point I noticed when tightening up my security was the default admin user name. Now, hah, this is assuming they actually brute force my password and then figure out how to get to the admin folder… good luck.

I noticed that I had an admin user account under the login name “admin”. Well, that’s a no-brainer. I went into the database and ran the following query:

UPDATE wpt_users SET user_login = '[my new username]', user_nicename = '[my new username]' WHERE wpt_users.ID = 1 LIMIT 1;

That solves another part of the problem. Now hackers have to guess not only my password, but also my username.

In Closing…

If you like what you’ve read, I’d appreciate it if you could Digg/Reddit/Stumble this article. :)

    • Pingback: Devlounge | Wordpress Security Alert

    • Pingback: Country Keepers by Gary Petersen » Blog Archive » Hiding Your WordPress Admin Folder

    • http://blog.bindanaku.com Bindanaku

      Thanks for the great how-to!

    • Pingback: Hiding Wordpress admin directory | Bindanaku

    • Pingback:   Protect Important Folders in your Blog by Blog Tutorials

    • http://coryduncan.com Cory Duncan

      This sounds like a great solution, but I followed this article exactly and couldn’t get the new admin to show up (404 page not found).

    • http://www.sharpdeveloper.net/content/ Sameer

      How about adding a simple authentication on top of the wp-admin folder instead of rewriting the URL? That would also secure your site a bit more without breaking anything. I am talking about what is known as htpasswd authentication for Apache.

    • http://www.askapache.com/wordpress/htaccess-password-protect.html AskApache
    • Pingback: The First 5 Steps for Stronger Wordpress Security at Ramness.com

    • Pingback: Notes on the move to WordPress at DamienG

    • http://legendchew.com legendchew

      Hi Michi,

      Thanks for your post. I am finally able to hide the wp-admin. I have some questions here. I don't understand how your first two drawbacks can be addressed by editing wp-includes/link-template.php: lines 248 and 263, since I can't find wp-admin on those lines.

      I am having error 404 uploading images. Is there any code that I can add in to solve this issue? Thanks again!!

    • http://www.michikono.com Michi

      Hi Chew,

      Thanks for the comment. Let me help you out:

      1. The line numbers might not be exact, but you are changing references to “wp-admin” to your new folder name in the functions edit_post_link and edit_comment_link.

      2. Edit the wp-admin/upload-functions.php file. Change ALL references from “wp-admin/” to your new folder name.

      I realize now there is an even more elegant way to do this hack that will be much more future proof. Thank you for your inspiring comment and look for an update one of these weekends. :)

    • http://legendchew.com legendchew

      Hi Michi,

      Thanks for the reply. I think the version (I'm using WP 2.3) that I used is totally different from yours. The links of the page have changed, I guess. I think I need to go through every PHP file and have a look at it. Will try to do that when I'm free.

      Well what I do right now is whenever I need to update an image or delete page, I will remove the .htaccess file. After I have done the modification, I will replace it back.

      By the way, can I hide the wp-login.php in the address bar and just have it show as the domain only, like "http://legendchew.com/" instead of "http://legendchew.com/wp-login.php"?

      Sorry that I'm a noob at this. :)

      I wish you could help me on this.

      Thanks again.

    • http://www.michikono.com Michi

      You can use mod_rewrite rules to accomplish that goal. The entry would look something like:

      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteRule ^/$ /wp-login.php [NC,L]

      I haven’t tested this, and it depends on your server settings. That last line might alternatively look like:

      RewriteRule ^$ wp-login.php [NC,L]

      or…

      RewriteRule ^/webfolder/$ webfolder/wp-login.php [NC,L]

      Let me know if none of these work.

      A last resort is:

      RewriteRule .* /wp-login.php [NC,L]

      But that will redirect all 404 requests, which may be highly undesired.

    • http://legendchew.com legendchew

      I have tried it; none of it works. If I include the "RewriteRule . /index.php [L]" line I get error: 500 Internal Server Error.

      It's alright, don't worry. :)

    • Michi

      Ah, I bet I know why… the "." being changed to "/index.php" causes an infinite loop, since "/index.php" matches "." (when the rules are run again). ALL of the solutions I posted require the two RewriteConds. This ensures that the looping won't happen. Did you include them?

    • http://legendchew.com legendchew

      Hi Michi,
      I'm sorry for the late reply. I tried everything, still the same issue. It's alright, I'll just leave it that way. Don't worry, be happy. :D

    • Pingback: Wordpress Dicussion - Page 8 - Webmaster Malaysia Forum

    • http:/// zdenko

      Hm, I've tried to do just like you said but no result….
      Sometimes domain.tld/wp-admin works, sometimes it doesn't; sometimes domain.tld/NEWNAME is OK but domain.tld/NEWNAME/ is not, etc.

      Can you please post the full .htaccess file here for WP 2.3.1, for dummies :) ?

      thanks in advance
      za

    • http://ryanhellyer.net/ Ryan

      Damn, that works great :) Thanks for the tutorial Michi.

    • Attila

      For fellow users looking for a solution: unfortunately this doesn't work (or the rewritten URL is such a critical piece of missing information that it renders the whole solution useless).
      Anyhow: you will get 404 no matter what. Once the referrer changed the directory to the new name, it will not add the secret pwd to the query string any more. And that's it. It is a good intro to Apache modules but don't waste time on it.

    • http://ryanhellyer.net/ Ryan

      Attila – this works flawlessly for me, I’ve been using it for a month now with zero problems whatsoever. I assume you are doing something wrong or your server is setup oddly if you are having problems.

    • http://- zdenko

      Ryan, can you please post here your full .htaccess file, of course without folder name, password, sec. key etc?

      thanks in advance
      zdenko

    • http://flytrapgrowing.info/ Ryan

      The site is on an addon domain, so I've included the addon domain information as well. The site I'm using this on is running WordPress 2.3.1 or 2.3, I think.

      # BEGIN WordPress

      RewriteEngine On
      RewriteBase /
      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteRule . /index.php [L]

      # END WordPress

      # For sites running on a port other than 80
      RewriteCond %{HTTP_HOST} !^domain\.com\/addon\/ [NC]
      RewriteCond %{HTTP_HOST} !^$
      RewriteCond %{SERVER_PORT} !^80$
      RewriteRule ^/(.*) http://addon.org:%{SERVER_PORT}/$1 [L,R]

      # For sites running on a port other than 80
      RewriteCond %{HTTP_HOST} !^domain\.com\/addon [NC]
      RewriteCond %{HTTP_HOST} !^$
      RewriteCond %{SERVER_PORT} !^80$
      RewriteRule ^/(.*) http://addon.org:%{SERVER_PORT}/$1 [L,R]

      # For sites running on a port other than 80
      RewriteCond %{HTTP_HOST} !^addon\.domain\.com\ [NC]
      RewriteCond %{HTTP_HOST} !^$
      RewriteCond %{SERVER_PORT} !^80$
      RewriteRule ^/(.*) http://addon.org:%{SERVER_PORT}/$1 [L,R]

    • http://flytrapgrowing.info/ Ryan

      Darn it, posted the wrong one the first time. Here goes …

      # BEGIN WordPress

      RewriteEngine On
      RewriteBase /anything/

      ##### HACK TO CHANGE ADMIN FOLDER HERE #####
      RewriteCond %{REQUEST_URI} wp-admin/
      RewriteCond %{QUERY_STRING} !blablabla
      RewriteRule .*\.php [F,L]
      RewriteCond %{QUERY_STRING} !boom
      RewriteRule ^admin/(.*) wp-admin/$1?%{QUERY_STRING}&blablabla [L]
      ############################################

      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteRule . /anything/index.php [L]

      # END WordPress

    • Snap

      Actually this is very stupid .. you can access with /wp-login.php

    • http://flytrapgrowing.info/ Ryan

      Snap – how is this stupid exactly? If I go to (my test site) http://ryanhellyer.net/test/activedesign/wp-login.php it redirects to the old http://ryanhellyer.net/test/activedesign/wp-admin/ folder and so gets a 404 error. I can’t see any problems with this method at all and it was easy to implement.

    • Haroun

      Ryan, it does not redirect…

    • Haroun

      Now try to modify a page : error 500 internal…

      There’s some bugs…

    • Haroun

      Ok I found why it didn’t work…

    • Jeromy

      What about taking it one step further and masking wp-content so when people view the source they're not seeing the paths to those files in your plugins. Is that achieved in a similar way?

    • Manne

      This works great apart from a few issues – some plugins I use (namely Search Regex, Search Unleached, Audit Trail and Custom Write Panel) stop working or disappear from the Edit menu.

    • http://- zdenko

      Hello, me again :)

      I wonder if this solution depends on server config (it is a *nix box :) )?

      I put in my htaccess file just these 3 lines


      RewriteCond %{REQUEST_URI} wp-admin/
      RewriteCond %{QUERY_STRING} !blabla
      RewriteRule .*\.php [F,L]

      and I am still able to open either TLD/wp-admin/ or TLD/wp-admin or TLD/wp-admin/index.php

      What do I have to do to make this great idea work for me :( ?

      thanks,
      zdenko

    • Sophie

      I love the idea of making my wp-admin folder hidden, but I am having a problem: my .htaccess file isn’t in my root folder (where WP is installed), and therefore when I’m trying to edit it, even when I upload it I don’t get the desired changes. What can I do?

    • mike

      Ok, reading through some of the comments, it appears as if there were some bugs in the original code?

      I still don't understand exactly where in the .htaccess file to put the above code…

      I am blocking about 100 ip addresses, do I put it after that or before?

    • waldo

      “Oh, and if any WordPress developers ever read this, please make the word press admin folder be a variable name you can change! It is retarded that it is a hard coded.”

      How about making any "front facing" directory a variable. I don't like wp-content, wp-includes, etc. I'd like to be able to change what they are named and where they are located. I don't like advertising what my site is running on. I don't mind sharing that info for those who ask, but please make it a little harder for those sniffing around to do malicious activity. That is one of the few things I dislike about WordPress.

      Sophie: you can have more than one .htaccess file; create a new one and put it in the same directory your WordPress install is in, in your case in your root directory.

    • Jones

      WordPress is free. Development is not.

    • blabla

      Hi Michi. Thanks for that post. I have to ask a question. When I try to open /wp-admin/ or one of its subpages, sometimes it redirects to the 404 page.

      I'm using permalinks on my blog, so I think this problem occurs because WordPress thinks /wp-admin is a permalink. I don't know why it's happening sometimes.

      To avoid this, I think I have to write in .htaccess "if it's /wp-admin/ don't use WordPress' permalink structure". But I don't know how to write it.

      Is there a way to do this? And have you ever faced that kind of problem?

      Thanks.

    • http://jonlandrum.com/ Jonathan

      Nice. Very nice.

    • Pingback: Hiding your Admin Directory :: WPLover

    • Edward

      Strange, but it doesn't work with version 2.6.2 on my server. I'm unable to log in either with "mysite.com/wp-admin/?YOURSECRETWORDHERE" or with "mysite.com/ADMINFOLDER/". It opened the login page, but didn't let me in. I have set up and used my own words instead of ADMINFOLDER and YOURSECRETWORDHERE, of course. All wp-admin files were in the ADMINFOLDER. Could you please tell of any updates to this solution? Does it work on your blog with WP 2.6.2?

    • Yannis Kolovos

      If you open any file inside /wp-admin/, all the files have

      require_once(ABSPATH . 'wp-admin/admin-header.php');
      so it is not only the rewrite rule.

    • Marc

      Thanks Michi for this very detailed tutorial :)

      However, I’m having the exact same problem as Edward just above on the impossibility to login.

      Could you or anyone help on this issue please?

    • Jonathan

      Same problem on 2.6.2, can’t login.

    • http://www.behindthehype.com Redmanthatcould

      Sophie / mike,

      Most hosts do not make the .htaccess file initially visible in your FTP client, or a file manager. There is usually a way to “show hidden files” depending on your host, and then you can edit your file.

      That being said, I have a feeling Michi’s hack is technically ancient at this point. Gave it a quick try with no success, but I certainly appreciate the effort and help.

      I’m going to do a little more snooping and see if I can find myself a more up-to-date solution. :)

    • http://clubmp3z.com clubmp3z

      That's what I'm looking for, cheerz

    • http://clubmp3z.com clubmp3z

      I cannot do the last line
      RewriteRule ^secret_room/(.*) wp-admin/$1?%{QUERY_STRING}&YOURSECRETWORDHERE [L]
      because when I open url/secret_room/ it goes back to
      url/wp-login.php?redirect_to=http://url/secret_room/
      and loops over and over
      instead of url/wp-admin/?YOURSECRETWORDHERE
      cheerz

    • http://clubmp3z.com clubmp3z

      Please mail me whenever an update is available
      cheerz

    • Pingback: My WP Admin Sign-In is indexed, how to remove?

    • Luke

      In order to get this to work with recent versions (tested up to 2.7.1) where you experience a redirect back to the login page when you try to log into your site, you need to make one small tweak to /wp-settings.php.

      Look for: define( 'ADMIN_COOKIE_PATH', SITECOOKIEPATH . 'wp-admin' );
      Modify to: define( 'ADMIN_COOKIE_PATH', SITECOOKIEPATH . 'ADMINFOLDER' );
      (Where “ADMINFOLDER” is the name you have chosen to rename your admin directory to.)

      You can also avoid modification of a core file by placing the following in your wp-config file:

      define( 'ADMIN_COOKIE_PATH', 'http://your-domain.tld/ADMINFOLDER' );

      (Again, where “ADMINFOLDER” is the name you have chosen to rename your admin directory to, and changing the url to match your own.)

      By only making the above change the original solution works as described.

    • uttam

      Unable to log in when I add the rewrite code.

    • uttam

      thanks for this post………

      It works perfect.

    • Pingback: Ицката - Блог на Христо Чакъров, Ickata - Blog of Hristo Chakarov » Как да защитим WordPress

    • Ian PL

      Thank you very much. Greetings

    • http://www.rutley.co.uk/ Sam

      Some good tips there Michi, thanks.

    • http://www.justinwheeler.net Justin

      Bloody Marvellous!

      Thanks so much.

      Worth noting cos it caused me some grief that you need to put the / at the end of your replacement for wp-admin.

    • http://www.justinwheeler.net Justin

      Oops, sorry I spoke too soon! Having played around with this including Luke’s hack I still can’t get this to work with 2.8.4.

      I could change the wp-admin directory but was completely unable to log in.

      Back to the drawing board!

    • http://electrogeek.info electrogeekinfo

      accessed from wp-login.php

      no use…….

    • Pingback: Proctecting wp-admin folder in wordpress | Webmaster Blog

    • http://ellisbenus.com Ellis Benus

      This is a great tutorial, and I am going to implement your fix immediately.

      However, I think this should be taken a step further and made to also hide any mention of wordpress or “wp-” inside a site.

      Therefore, no linking to wp-content/uploads/year/month

      A plugin should really be written to modify this functionality for the entire wordpress site so no one would have any idea that a website was running on wordpress, especially since WP is being used more and more as a CMS and not just a blogging platform.

      I am seriously considering doing this.


      Ellis Benus, Web Developer
      eb@ellisbenus.com
      573 355 9800

    • http://relevantmediasoloutions.com Joe

      Thanks for this! This is incredible.

    • priti

      Thxs for the gr8 trik :)

    • JS

      You’re pretty much a massive douche bag for going off on that guy like that, calling his advice terrible and “retarded”. For many users, restricting access by IP might be a fine solution. Furthermore, *your* arguments are “retarded”. If your IP changes, you SSH into your server and change the IP in .htaccess. If you’re at work and desperately need to login, you SSH into your server and change the IP in .htaccess. As Americans all learned after 9/11, sometimes we need to tolerate a bit of inconvenience in order to ensure our security.

      By the way, your solution amounts to “security through obscurity”, which any security professional will tell you is little better than having no security at all.

      Douche bag.

    • http://teknoinfo.web.id Raffaell

      Hi Michi,

      I've just used your .htaccess script; details below:
      # BEGIN WordPress

      RewriteEngine On
      RewriteBase /

      # WP-ADMIN
      RewriteCond %{REQUEST_URI} wp-admin/
      RewriteCond %{QUERY_STRING} !theboss
      RewriteRule .*\.php [F,L]
      RewriteCond %{QUERY_STRING} !theboss
      RewriteRule ^bosslogin/(.*) wp-admin/$1?%{QUERY_STRING}&theboss [L]

      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteRule . /index.php [L]

      # END WordPress

      The problem is, the script works, but I can't log in; it redirects me to the login page again, or to error 404.

      I also add:
      define( 'ADMIN_COOKIE_PATH', 'http://teknoinfo.web.id/bosslogin/' );
      in wp-config.php but it also doesn't work.

      Can you advise on this ?

      • http://www.4u4m.net/ thanh

        I have a big problem! It turns on a 500 error when I try to edit the .htaccess file! Can anybody help? Does my host have a problem?

    • http://www.maorb.info Maor Barazany

      Can't get it working with WP 2.9.2.
      It does work with the link – http://www.mydomain.com/wp-admin?secretkey
      but then all the admin CSS is not loaded….
      Also, http://www.mydomain.com/new_admin doesn't work either.

      Any idea or solution to that?
      Thanks

    • plutomilo

      Hi Michi, can you help me with this? In the head section I wrote this:

      #Default
      ———–

      <link rel="stylesheet" type="text/css" href="” media=”screen” />
      <script src="/style/js/somescripts1.js" type="text/javascript" charset="utf-8">
      <script src="/style/js/somescripts2.js" type="text/javascript" charset="utf-8">
      <script src="/style/js/somescripts3.js" type="text/javascript" charset="utf-8">

      and when we go to the webpage then right click, it will show:
      ——————————————————————

      content/themes/exampletheme/exampletheme/style/js/somescripts3.js” type=”text/javascript” charset=”utf-8″>

      ————————————————————————————-
      #Question:
      What do I do, so that when we go to the webpage and then right click it will show something like this:
      ————————————————————————————-

      or

      #End
      ——

      Can you teach me or show me how to do that? Any help highly appreciated, and I'm so sorry if my English is not good.

      thank you in advance

    • Pingback: Michi Knows – Q: Hiding JS Files? A: Impossible

    • http://www.michikono.com Michi

      Plutomilo,

      Please take a look at my attempt to answer your question here:

      http://www.michiknows.com/2010/03/23/q-hiding-js-files-a-impossible/

    • Mel

      Any luck with how to make this with wordpress 2.9.2?
      Thanks in advance.

    • http://kb9.org/ Florence

      Hm, very good post, I must test this today. I hope I'll be able to do it successfully. However, I already did the last part, changing the default username. I simply created a new username, granted it administrator rights and then deleted the old default 'admin' username. But now, I have to see if I can successfully achieve the main lesson of your post.
      Michi, please tell me one thing: if I fail to hide the wp-admin and then set the .htaccess back as it was before, will the blog go back to its previous state or not?

    • http://www.riesurya.com riesurya

      Nice explanation Michi. It's very interesting that (maybe) some people try to guess (for hacking?) the admin login area.

    • RichTheWebGuy

      Unfortunately Michi has not responded to all the problems listed here recently. I searched around and found this alternative. Looks quite nice so far.

      http://www.mawhorter.net/web-development/securing-wordpress-a-passive-method-for-preventing-unauthorized-requests-to-wp-admin-and-wp-login-php

      Or Google: Securing WordPress: A passive method for preventing unauthorized requests to wp-admin and wp-login.php

    • http://www.seomagnet.co.uk khalid

      We run WordPress on a Windows server, so we are unable to use the .htaccess. Any recommendation on how to change the admin location without mod_rewrite?

    • Pingback: Adam Breckler » How to camouflage wordpress

    • Mujahid Riaz

      Is it necessary to rename the wp-admin folder to the name that you want to use to access the admin panel? Reply please

    • http://newyorkforum.us New York Forum

      Cool! You figured this out two (2) months before we first started using WordPress. Too bad we did not know of it back in April or even May.

      We will do a test with WP 3.0.1 and if all goes well, it goes on our live site.

    • http://www.questdome.com LexNemesis

      It works great but with a few tweaks to it :) I’ll run you through the whole process.

      1. The .htaccess file looks something like this for a website installed on the root folder:

      RewriteEngine On
      RewriteBase /

      RewriteCond %{REQUEST_URI} wp-admin/
      RewriteCond %{QUERY_STRING} !blablabla
      RewriteRule .*\.php [F,L]
      RewriteCond %{QUERY_STRING} !kaboom
      RewriteRule ^hidden/(.*) wp-admin/$1?%{QUERY_STRING}&blablabla [L]

      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteRule . /index.php [L]

      2. The .htaccess file looks a little different for a non-root site – something like this:

      RewriteEngine On
      RewriteBase /

      RewriteCond %{REQUEST_URI} MYDOMAIN/wp-admin/
      RewriteCond %{QUERY_STRING} !blablabla
      RewriteRule .*\.php [F,L]
      RewriteCond %{QUERY_STRING} !kaboom
      RewriteRule ^hidden/(.*) MYDOMAIN/wp-admin/$1?%{QUERY_STRING}&blablabla [L]

      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteRule . MYDOMAIN/index.php [L]

      3. Finally, if you’re using a more recent version of wordpress you’ll have to look in “wp-includes/default-constants.php” and change the line of code:

      "if ( !defined('ADMIN_COOKIE_PATH') )
      define( 'ADMIN_COOKIE_PATH', SITECOOKIEPATH . 'wp-admin' );"

      to this:

      "if ( !defined('ADMIN_COOKIE_PATH') )
      define( 'ADMIN_COOKIE_PATH', SITECOOKIEPATH . 'hidden' );"

      where "hidden" is your newly assigned path – for example http://www.mysite.com/hidden instead of http://www.mysite.com/wp-admin

      Hope it works for you guys. Cheers!

      • Sailen Debnath

        Hi, I am using this code but it does not work; I cannot access anything. The code is
        ====
        RewriteEngine On
        RewriteBase /
        RewriteCond %{REQUEST_URI} wp-admin/
        RewriteCond %{QUERY_STRING} !blablabla
        RewriteRule .*.php [F,L]
        RewriteCond %{QUERY_STRING} !kaboom
        RewriteRule ^hidden/(.*)domen/ wp-admin/$1?%{QUERY_STRING}&blablabla [L]
        # BEGIN WordPress
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule . domen/index.php [L]
        # END WordPress
        ====
        Can you help me figure out why it does not work…

    • Carla

      Great help! Thanks for sharing =D

      But on my blog it doesn’t seem to work exactly as it should. The new URL takes me to the wp-admin area, but the URL changes back to wp-admin. I mean, it redirects but does not rewrite. Firebug shows
      —-
      GET myblog.com/panel 301 Moved Permanently
      GET myblog.com/wp-admin 200 OK
      —-

      Could you help me please? Any suggestion is very welcome.

    • http://grandemou.com grandemou

      It’s not working for old WordPress 2.8, the login screen goes to the login screen.
      For a new WordPress 3.0 it works but the CSS is not recognized.

      Great idea but…

    • http://zai3p.com/blog/ One

      Any updates with this? I’ve been trying this for 3.0.1 and nothing happens. Thanks!

    • http://www.twitter.com/mattauckland Matt Auckland

      Nice bit of code which works on non-WordPress sites as well.

      I’ve made one change though. This line:

      RewriteRule .*\.php [F,L]

      Change it to this:

      RewriteRule .*\.php - [F,L]

      It will now display a correct 403 error in the browser.

    • undoo

      First of all, thank you very much for posting this method.
      Everything works perfectly, but I have one major problem.

      After successfully logging in, it redirects to the dashboard BUT the formatting is completely messed up.
      It looks like it’s not pulling in some JavaScript files.

      Could you help me resolve this issue?

    • http://project707.com project707

      Has anybody found the WP 3.x solution yet?

      This seems to no longer be working; I’ve tried it in a couple of different server environments.

      Thanks

    • sOliver

      project707 .. it’s probably pulling some css files from wp-admin/css/.

      Download Total Commander and search for wp-admin/css .. I’ll try that too, maybe we can find something to fix it.

      • http://project707.com project707

        Actually it really seems that even the redirection bit itself isn’t functioning, beyond just some assets not loading. It’s likely that is the issue undoo is facing though.

        I now work for a company that would likely be considered more “enterprise”, and though we use our own framework for most applications, it makes some sense to have some kind of cms that everyone is familiar with and is easy to deploy for the blog and news related parts of our sites – thing is in that environment people are certainly a bit more concerned about security, and this obfuscation of admin files at the very least is considered a crucial step to making an application as well known as WP secure.

        I kind of feel like this is something that should be possible on a more core app and admin-panel level, but maybe it means making it known that this is a concern for some of us who would still like to use the application…

      • Lazeg

        RewriteCond %{REQUEST_FILENAME} !load-styles.php
        RewriteRule .*\.php - [F,L]

        solved the css case.

    • http://giaothuongtructuyen.com/ thanh

      Just saying thanks much! I will dig it!

    • Ronidhbd

      Hi,
      Everything is OK. But my password doesn’t work and I can’t log in. So, after adding the code, do I need to reset my admin user name and password via phpMyAdmin? Or please give the solution. Thank you.
      Regards,
      Roni

    • http://muitapimenta.com Francis Rosário

      Does someone have an Nginx version of this .htaccess?

    • Gustavo

      I’m using WordPress 3.2.1 and everything is OK with this solution, but the “themes page” seems not to load the CSS files.

      • Freshcode

        Had the same problem. Try this (thanks to Lazeg):

            RewriteEngine On
            RewriteBase /
            # adjust wp-admin
            RewriteCond %{REQUEST_URI} wp-admin/
            RewriteCond %{REQUEST_FILENAME} !load-styles.php
            RewriteCond %{QUERY_STRING} !YOURSECRETWORD
            RewriteRule .*\.php - [F,L]
            RewriteCond %{QUERY_STRING} !YOURSECRETWORD
            RewriteRule ^YOURSECRETROOM/(.*) wp-admin/$1?%{QUERY_STRING}&YOURSECRETWORD [L]
            # adjust wp-admin
            RewriteRule ^index.php$ - [L]
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteCond %{REQUEST_FILENAME} !-d
            RewriteRule . /index.php [L]
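A Python model of the rule chain in this last version, added here as an example and not code from the post or any commenter: it re-runs the rules after each rewrite the way per-directory mod_rewrite does and answers the -f/-d checks from a constructed file list (FILES, DIRS and the placeholder names are assumptions). It shows the hidden path being mapped onto wp-admin with the secret appended, a direct wp-admin/*.php request being forbidden, and load-styles.php passing while load-scripts.php is still caught by the block.

```python
import re

SECRET = "YOURSECRETWORD"    # placeholder secret word, as in the .htaccess above
ROOM = "YOURSECRETROOM"      # placeholder for the renamed admin folder

# Constructed stand-in for the web root, used to answer the -f / -d conditions.
FILES = {"index.php", "wp-admin/index.php", "wp-admin/load-styles.php",
         "wp-admin/load-scripts.php", "wp-admin/css/colors.css"}
DIRS = {"wp-admin", "wp-admin/css", "wp-content"}


def rewrite(path, query=""):
    """Run one request (path relative to RewriteBase, plus query string) through
    the rule chain. Per-directory mod_rewrite re-runs the whole rule set after
    an internal rewrite, so this loops until no rule changes the URL.
    Returns ("forbidden", None) or ("pass", final_path, final_query)."""
    for _ in range(10):                     # Apache caps internal recursion too
        # Rule 1: forbid any .php under wp-admin/ when the secret is absent,
        # except load-styles.php, which the admin CSS bundle is served from.
        if ("wp-admin/" in path and not path.endswith("load-styles.php")
                and SECRET not in query and re.search(r"\.php", path)):
            return ("forbidden", None)
        # Rule 2: map ROOM/... onto wp-admin/... and append the secret. The next
        # pass then sees the secret in the query string and lets it through.
        hit = re.match(rf"^{re.escape(ROOM)}/(.*)", path)
        if SECRET not in query and hit:
            path, query = "wp-admin/" + hit.group(1), query + "&" + SECRET
            continue
        if path == "index.php":             # RewriteRule ^index.php$ - [L]
            return ("pass", path, query)
        # WordPress front controller: anything that is not a real file or
        # directory is handed to index.php.
        if path not in FILES and path not in DIRS:
            path = "index.php"
            continue
        return ("pass", path, query)
    raise RuntimeError("rewrite loop")


if __name__ == "__main__":
    for req in [("YOURSECRETROOM/index.php", ""), ("wp-admin/index.php", ""),
                ("wp-admin/load-styles.php", "c=1&load=common"),
                ("wp-admin/load-scripts.php", "c=1&load=jquery"),
                ("wp-admin/css/colors.css", ""), ("2010/10/some-post/", "")]:
        print(req, "->", rewrite(*req))
```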