Who Else Wants to Hide Their WordPress Folder?

Tonight I solved a very old problem in WordPress security for novice users. I will show you how to hide your WordPress admin directory while still being able to use it! When I say “hide,” I mean you can rename the wp-admin folder to whatever you want!

The Code (for people who don’t want to read)

Copy and paste the following into your .htaccess file (located wherever your WordPress folder is) to “rename” your wp-admin folder! If you are having trouble editing your .htaccess file, you should Google around for that as it’s beyond the scope of this article (or post a question in the comments and maybe another person can help).

  • Change YOURSECRETWORDHERE to something else. It can be any word you want. Just make sure it’s unique and somewhat long. Make it, like, your pet’s name or something random. Read this post to understand why this matters.
  • Change ADMINFOLDER to the new folder name you want. Letters, numbers, underscores, and dashes only. That ^ in front of it is on purpose. Don’t delete that.

RewriteEngine On
RewriteBase /
##### ABOVE THIS POINT IS ALREADY INSERTED BY WORDPRESS
##### Michi’s code is BELOW #####
# Refuse (403) any .php request under wp-admin/ that lacks the secret word
RewriteCond %{REQUEST_URI} wp-admin/
RewriteCond %{QUERY_STRING} !YOURSECRETWORDHERE
RewriteRule .*\.php - [F,L]
# Map the new folder onto wp-admin/, keeping the query string and appending the secret word
RewriteCond %{QUERY_STRING} !YOURSECRETWORDHERE
RewriteRule ^ADMINFOLDER/(.*) wp-admin/$1?%{QUERY_STRING}&YOURSECRETWORDHERE [L]

##### Michi’s code is ABOVE #####
##### BELOW THIS POINT IS ALREADY INSERTED BY WORDPRESS
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

Note: there are a few drawbacks to this hack. Read the bottom of this post for those.

The Explanation

My adventure started when I read a pretty terrible piece of advice that suggested using the .htaccess file to restrict who sees your admin section by IP. Great, so if I’m at work, I can’t log in. If my IP changes, I can’t log in. If I’m at Starbucks, I can’t log in. That’s retarded. That’s not a solution!

But it’s on the right track. The .htaccess file can do a lot.

Oh, and if any WordPress developers ever read this, please make the WordPress admin folder a configurable name you can change! It is retarded that it is hard-coded.

The .htaccess file shines best when it is used for URL rewriting rules. For you non-programmers, the next block explains a little about what I just said. If you don’t care, skip it.

It is good for making URLs access files that don’t necessarily exist on the server exactly as they appear in the URL. For example, Digg.com uses URL rewrites to hide file and variable names. So the URL digg.com/videos certainly does not point to a file or folder actually called “videos”. Rather, it probably turns into something like digg.com/somefilename.ext?type=videos. The point is, you can hide what’s actually happening behind the scenes. I hope you get the idea.

Disabling the wp-admin Folder and Creating a Secret Mirror Folder

There are two steps in blocking access to the wp-admin folder. Disabling it is easy, but keeping it functional is the hard part. Additionally, there are CSS files and other dependencies in that folder that must still be served. So after disabling it, a condition must be added so that it is only disabled when appropriate.

RewriteCond %{REQUEST_URI} wp-admin/
RewriteCond %{QUERY_STRING} !YOURSECRETWORDHERE
RewriteRule .*\.php - [F,L]

  1. The first line says “If the word wp-admin is found in the URL…”
  2. The second line says “And if the query string is missing our password…”
  3. The third line says “And it’s a PHP file… deny access.” (The “-” means “leave the URL as it is”; F sends a 403 Forbidden and L stops processing.)

We’ll get to that password thing in a minute. At this point, if you visit wp-admin/, it will not work. Halfway there!

The next part is the guts of it all. We get to set our very own admin folder! I want to call my admin folder “secret_room”. So here’s how the code would look:

RewriteCond %{QUERY_STRING} !YOURSECRETWORDHERE
RewriteRule ^secret_room/(.*) wp-admin/$1?%{QUERY_STRING}&YOURSECRETWORDHERE [L]

This next block is for you technically oriented people:

The first line (the condition) makes sure the rule doesn’t trigger itself again once the rewritten URL is re-processed. The rule itself says: “if the URL starts with ‘secret_room,’ replace that part with wp-admin, keep the query string (everything after the question mark), and append the secret word.”

Now, if I go to the folder secret_room/, it will work just like wp-admin used to!

Don’t use “secret_room.” That’s my example. You use whatever folder name you want. Letters, numbers, underscores, and dashes only.

But we’re not done yet. That secret word thing needs to be customized. Why? Well, try this. Go to your blog’s wp-admin folder, but this time, add on “?YOURSECRETWORDHERE” on the end and it will work too (as in, myblog.com/wp-admin/?YOURSECRETWORDHERE)! Curious why? If you’re a little geeky, read the next block. Otherwise, skip it.

Well, this hack works by changing the URL you type in, adding that “secret word” on the end of it. It only does this when someone visits the “secret_room” folder. It doesn’t add it on when you just type in the wp-admin/ folder (or any other location). Then, when someone is looking at a wp-admin folder, it checks whether that secret word is in the URL. If you went to the URL by hand, you likely did not type that word in. But the “secret_room” always makes sure the secret word is attached. This is how it distinguishes between visiting wp-admin directly and visiting it through the mirror folder. Remember that any rewriting of the URL happens behind the scenes, so your browser won’t show you what’s going on.

Since I just gave this same code to about 10,000 people, it’s in your best interest to change your secret word to be unique to you. Note that nobody will ever see it, including you. You will forget what it is, and realistically, it doesn’t matter what the hell you set it to. As long as it’s not the default one I just gave to you. Ideally, it should be long and something highly unlikely to appear in a URL. Try your name, then maybe add your favorite color. I don’t know. Just do something random. Case matters.

Here is what the final .htaccess, ideally, should look like:

RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} wp-admin/
RewriteCond %{QUERY_STRING} !YOURSECRETWORDHERE
RewriteRule .*\.php - [F,L]
RewriteCond %{QUERY_STRING} !YOURSECRETWORDHERE
RewriteRule ^secret_room/(.*) wp-admin/$1?%{QUERY_STRING}&YOURSECRETWORDHERE [L]
# BEGIN WordPress
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
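To see what the rules above actually decide for a given request, here is a small Python model, added here and not part of the original post, that replays the two custom rule pairs and a simplified DirectoryIndex step; the folder name secret_room and the secret word are constructed placeholders, and the optional load-styles.php exemption reproduces the tweak suggested in the comments below.

```python
"""Toy model of the wp-admin hiding rules (added example, not mod_rewrite).

It replays the two custom RewriteCond/RewriteRule pairs from the .htaccess
above plus a simplified DirectoryIndex step, so you can see which requests
are refused (403), which are silently mapped onto wp-admin/, and which the
rules never touch. Apache's real behaviour is only approximated.
"""
import re

# Constructed placeholders standing in for ADMINFOLDER / YOURSECRETWORDHERE.
ADMIN_FOLDER = "secret_room"
SECRET = "CONSTRUCTEDSECRETWORD"

# RewriteCond %{REQUEST_URI} wp-admin/
COND_IN_WP_ADMIN = re.compile(r"wp-admin/")
# RewriteRule .*\.php - [F,L]   ("-" keeps the URL, F = 403, L = stop)
RULE_PHP = re.compile(r".*\.php")
# RewriteRule ^ADMINFOLDER/(.*) wp-admin/$1?%{QUERY_STRING}&SECRET [L]
RULE_MIRROR = re.compile(r"^" + re.escape(ADMIN_FOLDER) + r"/(.*)")


def one_pass(path, query, exempt_load_styles=False):
    """Apply the rule set once to (path, query).

    `path` is the URL path without its leading slash (per-directory context
    with RewriteBase /). Returns (outcome, path, query) with outcome
    "forbidden", "rewritten" or "pass".
    """
    # RewriteCond %{QUERY_STRING} !SECRET  -> true when the word is absent
    secret_missing = SECRET not in query

    # Block 1: refuse any .php request that mentions wp-admin/ without the word.
    # The optional extra condition is the load-styles.php exemption from the
    # comment thread (RewriteCond %{REQUEST_FILENAME} !load-styles.php).
    if (COND_IN_WP_ADMIN.search("/" + path) and secret_missing
            and RULE_PHP.search(path)
            and not (exempt_load_styles and "load-styles.php" in path)):
        return ("forbidden", path, query)

    # Block 2: map the mirror folder onto wp-admin/ and append the word.
    m = RULE_MIRROR.match(path)
    if m and secret_missing:
        # A "?" in the substitution replaces the query string; $1 is the tail.
        return ("rewritten", "wp-admin/" + m.group(1), query + "&" + SECRET)

    return ("pass", path, query)


def resolve(path, query="", exempt_load_styles=False, max_passes=10):
    """Follow internal rewrites (Apache re-runs .htaccess after each one)
    and emulate DirectoryIndex for a bare directory URL.

    Returns ("forbidden" | "served", final_path, final_query). Raises if
    the rules loop, the analogue of Apache's internal redirect limit.
    """
    for _ in range(max_passes):
        outcome, path, query = one_pass(path, query, exempt_load_styles)
        if outcome == "forbidden":
            return ("forbidden", path, query)
        if outcome == "rewritten":
            continue                  # re-enter the rule set with the new URL
        if path == "" or path.endswith("/"):
            # mod_dir looks up <dir>/index.php as a subrequest that carries the
            # query string along, and that subrequest runs the rules again.
            path += "index.php"
            continue
        return ("served", path, query)
    raise RuntimeError("rewrite loop for %r" % path)


# Constructed sample requests: what a visitor types versus what gets served.
SAMPLE_REQUESTS = [
    ("wp-admin/", ""),                    # direct visit: blocked at index.php
    ("wp-admin/", SECRET),                # the bypass the post warns about
    ("secret_room/", ""),                 # the mirror folder: works
    ("secret_room/edit.php", "post=42"),  # query string survives the mapping
    ("wp-admin/css/colors.css", ""),      # static assets are never blocked
    ("wp-admin/load-styles.php", ""),     # blocked -> the broken-CSS reports
    ("wp-login.php", ""),                 # not under wp-admin/, untouched
]


def audit(requests=SAMPLE_REQUESTS, exempt_load_styles=False):
    """Return {request: (outcome, path, query)} for each sample request."""
    return {r: resolve(r[0], r[1], exempt_load_styles) for r in requests}


if __name__ == "__main__":
    for (path, query), result in audit().items():
        print("/%s?%s -> %s" % (path, query, result))
```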

Benefits and Drawbacks to Hiding wp-admin

This hack has its drawbacks.

  • The “edit” link on your posts will no longer work. You may want to remove it from your theme.
  • The admin link on your side bar will no longer work. You may want to remove it from your theme.
  • The standard login link will no longer work. Instead, use a bookmark as it will redirect you back to your hidden login page after you finish logging in.

Note that the first two drawbacks can be addressed by editing wp-includes/link-template.php, lines 248 and 263: change “wp-admin” to your new folder name. However, this edit would need to be redone whenever you upgrade WordPress. If you make these changes, the new folder name will only be visible to users who have permission to see those links anyway.

There are a few significant upsides:

  • If there is ever another vulnerability that hits the WordPress wp-admin folder, you are very likely immune.
  • Upgrading WordPress doesn’t un-hide the folder. It will persist through upgrades.

Remember, this hack will not protect you from having an insecure admin password, although it could still protect you from a hacker who won’t know where to go after successfully logging in (hah!).

Lastly, be careful when doing this. If you type something wrong, you’ll get server errors (I believe error code 500). Make sure you type it in exactly as you see it in these examples first. Then change one part at a time.

Changing the Admin User

One other point I noticed when tightening up my security was the default admin user name. Now, hah, this is assuming they actually brute-force my password and then figure out how to get to the admin folder… good luck.

I noticed that I had an admin user account under the login name “admin”. Well, that’s a no-brainer. I went into the database and ran the following query:

UPDATE wpt_users SET user_login = '[my new username]', user_nicename = '[my new username]' WHERE wpt_users.ID = 1 LIMIT 1;

That solves another part of the problem. Now hackers have to guess not only my password, but also my username.

In Closing…

If you like what you’ve read, I’d appreciate it if you could Digg/Reddit/Stumble this article. :)

  • Gustavo

    I’m using WordPress 3.2.1 and everything is OK with this solution, but the “themes page” seems not to load the CSS files.

    • Freshcode

      Had the same problem. Try this (thanks to Lazeg):

          RewriteEngine On
          RewriteBase /
          # adjust wp-admin
          RewriteCond %{REQUEST_URI} wp-admin/
          RewriteCond %{REQUEST_FILENAME} !load-styles.php
          RewriteCond %{QUERY_STRING} !YOURSECRETWORD
          RewriteRule .*\.php - [F,L]
          RewriteCond %{QUERY_STRING} !YOURSECRETWORD
          RewriteRule ^YOURSECRETROOM/(.*) wp-admin/$1?%{QUERY_STRING}&YOURSECRETWORD [L]
          # adjust wp-admin
          RewriteRule ^index.php$ - [L]
          RewriteCond %{REQUEST_FILENAME} !-f
          RewriteCond %{REQUEST_FILENAME} !-d
          RewriteRule . /index.php [L]

  • http://muitapimenta.com Francis Rosário

    Does someone have an Nginx version of this .htaccess?

  • Ronidhbd

    Hi,
    Everything is OK. But my password doesn’t work and I can’t log in. So, after adding the code, do I need to reset my admin user name and password via phpMyAdmin? Or please give the solution. Thank you.
    Regards,
    Roni

  • http://giaothuongtructuyen.com/ thanh

    Just saying thanks much! I will dig it!

  • sOliver

    project707 .. it’s probably pulling some CSS files from wp-admin/css/.

    Download totalcommander and search for wp-admin/css .. I’ll try that too, maybe we can find something to fix it

    • http://project707.com project707

      Actually it really seems that even the redirection bit itself isn’t functioning beyond just some assets not loading. It’s likely that is the issue undoo is facing though.

      I now work for a company that would likely be considered more “enterprise”, and though we use our own framework for most applications, it makes some sense to have some kind of cms that everyone is familiar with and is easy to deploy for the blog and news related parts of our sites – thing is in that environment people are certainly a bit more concerned about security, and this obfuscation of admin files at the very least is considered a crucial step to making an application as well known as WP secure.

      I kind of feel like this is something that should be possible on a more core app and admin-panel level, but maybe it means making it known that this is a concern for some of us who would still like to use the application…

    • Lazeg

      RewriteCond %{REQUEST_FILENAME} !load-styles.php
      RewriteRule .*\.php - [F,L]

      solved the CSS case.

  • http://project707.com project707

    Has anybody found the WP 3.x solution yet?

    This seems to no longer be working, I’ve tried it in a couple different server environments.

    Thanks

  • undoo

    First of all, thank you very much for posting this method.
    Everything works perfectly, but I have one major problem.

    After successfully logging in, it redirects to the dashboard BUT the formatting is completely messed up.
    It looks like it’s not pulling in some JavaScript files.

    Could you help me resolve this issue?

  • http://www.twitter.com/mattauckland Matt Auckland

    Nice bit of code which works on non-WordPress sites as well.

    I’ve made one change though. This line:

    RewriteRule .*\.php [F,L]

    Change it to this:

    RewriteRule .*\.php - [F,L]

    It will now display a correct 403 error in the browser.

  • http://zai3p.com/blog/ One

    Any updates with this? I’ve been trying this for 3.0.1 and nothing happens. Thanks!

  • http://grandemou.com grandemou

    It’s not working for old WordPress 2.8; the login screen goes to the login screen.
    For a new WordPress 3.0 it works, but the CSS is not recognized.

    Great idea but…

  • Carla

    Great help! Thanks for sharing =D

    But on my blog it seems not to work exactly as it should. The new URL takes me to the wp-admin area, but the URL changes back to wp-admin. I mean, it redirects but doesn’t rewrite. Firebug shows
    —-
    GET myblog.com/panel 301 Moved Permanently
    GET myblog.com/wp-admin 200 OK
    —-

    Could you help me please? Any suggestion is very welcome.

  • http://www.questdome.com LexNemesis

    It works great but with a few tweaks to it :) I’ll run you through the whole process.

    1. The .htaccess file looks something like this for a website installed on the root folder:

    RewriteEngine On
    RewriteBase /

    RewriteCond %{REQUEST_URI} wp-admin/
    RewriteCond %{QUERY_STRING} !blablabla
    RewriteRule .*\.php - [F,L]
    RewriteCond %{QUERY_STRING} !kaboom
    RewriteRule ^hidden/(.*) wp-admin/$1?%{QUERY_STRING}&blablabla [L]

    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    2. The .htaccess file looks a little different for a non-root site – something like this:

    RewriteEngine On
    RewriteBase /

    RewriteCond %{REQUEST_URI} MYDOMAIN/wp-admin/
    RewriteCond %{QUERY_STRING} !blablabla
    RewriteRule .*\.php - [F,L]
    RewriteCond %{QUERY_STRING} !kaboom
    RewriteRule ^hidden/(.*) MYDOMAIN/wp-admin/$1?%{QUERY_STRING}&blablabla [L]

    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . MYDOMAIN/index.php [L]

    3. Finally, if you’re using a more recent version of WordPress you’ll have to look in “wp-includes/default-constants.php” and change the line of code:

    if ( !defined('ADMIN_COOKIE_PATH') )
        define( 'ADMIN_COOKIE_PATH', SITECOOKIEPATH . 'wp-admin' );

    to this:

    if ( !defined('ADMIN_COOKIE_PATH') )
        define( 'ADMIN_COOKIE_PATH', SITECOOKIEPATH . 'hidden' );

    - where “hidden” is your newly assigned path – for example http://www.mysite.com/hidden instead of http://www.mysite.com/wp-admin

    Hope it works for you guys. Cheers!

    • Sailen Debnath

      Hi, I am using this code but it does not work; I can’t access anything. The code is
      ====
      RewriteEngine On
      RewriteBase /
      RewriteCond %{REQUEST_URI} wp-admin/
      RewriteCond %{QUERY_STRING} !blablabla
      RewriteRule .*.php [F,L]
      RewriteCond %{QUERY_STRING} !kaboom
      RewriteRule ^hidden/(.*)domen/ wp-admin/$1?%{QUERY_STRING}&blablabla [L]
      # BEGIN WordPress
      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteRule . domen/index.php [L]
      # END WordPress
      ====
      Can you help me figure out why it does not work…

  • http://newyorkforum.us New York Forum

    Cool! You figured this out two (2) months before we first started using WordPress. Too bad we did not know of it back in April or even May.

    We will do a test with WP3.0.1 and if all goes well, it goes on our live site.

  • Mujahid Riaz

    Is it necessary to rename the wp-admin folder to the name that you want to access the admin panel? Reply please.

  • Pingback: Adam Breckler » How to camouflage wordpress

  • http://www.seomagnet.co.uk khalid

    We run WordPress on a Windows server, so we are unable to use the .htaccess. Any recommendation on how to change the admin location without mod_rewrite?

  • RichTheWebGuy

    Unfortunately Michi has not responded to all the problems listed here recently. I searched around and found this alternative. Looks quite nice so far.

    http://www.mawhorter.net/web-development/securing-wordpress-a-passive-method-for-preventing-unauthorized-requests-to-wp-admin-and-wp-login-php

    Or Google: Securing WordPress: A passive method for preventing unauthorized requests to wp-admin and wp-login.php

  • http://www.riesurya.com riesurya

    Nice explanation Michi. It’s very interesting that (maybe) some people try to guess (for hacking?) the admin login area.

  • http://kb9.org/ Florence

    Hm, very good post, I must test this today. I hope I’d be able to do it successfully. However, I already did the last part, changing the default username. I simply created a new username, granted it administrator rights and then deleted the old default ‘admin’ username. But now, I have to see if I can successfully achieve the main lesson of your post.
    Michi, please tell me one thing, if I fail to hide the wp-admin, then if I set the .htaccess as it was before, then blog will go back to previous state or not?

  • Mel

    Any luck with how to make this with wordpress 2.9.2?
    Thanks in advance.

  • http://www.michikono.com Michi

    Plutomilo,

    Please take a look at my attempt to answer your question here:

    http://www.michiknows.com/2010/03/23/q-hiding-js-files-a-impossible/

  • Pingback: Michi Knows – Q: Hiding JS Files? A: Impossible

  • plutomilo

    Hi Michi, can you help me with this? In the head section I wrote this:

    #Default
    ———–

    <link rel="stylesheet" type="text/css" href="" media="screen" />
    <script src="/style/js/somescripts1.js" type="text/javascript" charset="utf-8">
    <script src="/style/js/somescripts2.js" type="text/javascript" charset="utf-8">
    <script src="/style/js/somescripts3.js" type="text/javascript" charset="utf-8">

    and when we go to the webpage then right click, it will show:
    ——————————————————————

    content/themes/exampletheme/exampletheme/style/js/somescripts3.js” type=”text/javascript” charset=”utf-8″>

    ————————————————————————————-
    #Question:
    How do I do it, and what should I do, so that when we go to the webpage and right-click it will show something like this:
    ————————————————————————————-

    or

    #End
    ——

    Can you teach me or show me how to do that? Any help is highly appreciated, and I’m so sorry if my English is not good.

    thank you in advance

  • http://www.maorb.info Maor Barazany

    Can’t get it working with WP 2.9.2.
    It does work with the link – http://www.mydomain.com/wp-admin?secretkey
    but then all admin CSS is not loaded….
    Also, http://www.mydomain.com/new_admin doesn’t work either.

    Any idea or solution to that?
    Thanks

  • http://teknoinfo.web.id Raffaell

    Hi Michi,

    I’ve just used your .htaccess script; details below:
    # BEGIN WordPress

    RewriteEngine On
    RewriteBase /

    # WP-ADMIN
    RewriteCond %{REQUEST_URI} wp-admin/
    RewriteCond %{QUERY_STRING} !theboss
    RewriteRule .*\.php - [F,L]
    RewriteCond %{QUERY_STRING} !theboss
    RewriteRule ^bosslogin/(.*) wp-admin/$1?%{QUERY_STRING}&theboss [L]

    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    # END WordPress

    The problem is, the script works, but I can’t log in; it redirects me to the login page again, or to a 404 error.

    I also added:
    define( 'ADMIN_COOKIE_PATH', 'http://teknoinfo.web.id/bosslogin/');
    in wp-config.php, but that also does not work.

    Can you advise on this ?

    • http://www.4u4m.net/ thanh

      I have a big problem! It turns into a 500 error when I try to edit the .htaccess file! Can anybody help? Does my host have a problem?

  • JS

    You’re pretty much a massive douche bag for going off on that guy like that, calling his advice terrible and “retarded”. For many users, restricting access by IP might be a fine solution. Furthermore, *your* arguments are “retarded”. If your IP changes, you SSH into your server and change the IP in .htaccess. If you’re at work and desperately need to log in, you SSH into your server and change the IP in .htaccess. As Americans all learned after 9/11, sometimes we need to tolerate a bit of inconvenience in order to ensure our security.

    By the way, your solution amounts to “security through obscurity”, which any security professional will tell you is little better than having no security at all.

    Douche bag.

  • priti

    Thanks for the great trick :)

  • http://relevantmediasoloutions.com Joe

    Thanks for this! This is incredible.

  • http://ellisbenus.com Ellis Benus

    This is a great tutorial, and I am going to implement your fix immediately.

    However, I think this should be taken a step further and made to also hide any mention of WordPress or “wp-” inside a site.

    Therefore, no linking to wp-content/uploads/year/month.

    A plugin should really be written to modify this functionality for the entire WordPress site so no one would have any idea that a website was running on WordPress, especially since WP is being used more and more as a CMS and not just a blogging platform.

    I am seriously considering doing this.


    Ellis Benus, Web Developer
    eb@ellisbenus.com
    573 355 9800

  • Pingback: Proctecting wp-admin folder in wordpress | Webmaster Blog

  • http://electrogeek.info electrogeekinfo

    accessed from wp-login.php

    no use…….

  • http://www.justinwheeler.net Justin

    Oops, sorry I spoke too soon! Having played around with this including Luke’s hack I still can’t get this to work with 2.8.4.

    I could change the wp-admin directory but was completely unable to log in.

    Back to the drawing board!

  • http://www.justinwheeler.net Justin

    Bloody Marvellous!

    Thanks so much.

    Worth noting cos it caused me some grief that you need to put the / at the end of your replacement for wp-admin.

  • http://www.rutley.co.uk/ Sam

    Some good tips there Michi, thanks.

  • Ian PL

    Thank you very much. Greetings

  • Pingback: Ицката - Блог на Христо Чакъров, Ickata - Blog of Hristo Chakarov » Как да защитим WordPress

  • uttam

    thanks for this post………

    It works perfect.

  • uttam

    Unable to log in when I add the rewrite code.

  • Luke

    In order to get this to work with recent versions (tested up to 2.7.1) where you experience a redirect back to the login page when you try to log into your site, you need to make one small tweak to /wp-settings.php.

    Look for: define( 'ADMIN_COOKIE_PATH', SITECOOKIEPATH . 'wp-admin' );
    Modify to: define( 'ADMIN_COOKIE_PATH', SITECOOKIEPATH . 'ADMINFOLDER' );
    (Where “ADMINFOLDER” is the name you have chosen to rename your admin directory to.)

    You can also avoid modification of a core file by placing the following in your wp-config file:

    define( 'ADMIN_COOKIE_PATH', 'http://your-domain.tld/ADMINFOLDER' );

    (Again, where “ADMINFOLDER” is the name you have chosen to rename your admin directory to, and changing the url to match your own.)

    By only making the above change the original solution works as described.

  • Pingback: My WP Admin Sign-In is indexed, how to remove?

  • http://clubmp3z.com clubmp3z

    Please mail me whenever an update is available.
    cheerz

  • http://clubmp3z.com clubmp3z

    Cannot do the last line
    RewriteRule ^secret_room/(.*) wp-admin/$1?%{QUERY_STRING}&YOURSECRETWORDHERE [L]
    because when I open url/secret_room/ it gets sent back to
    url/wp-login.php?redirect_to=http://url/secret_room/
    and loops over and over
    instead of url/wp-admin/?YOURSECRETWORDHERE
    cheerz

  • http://clubmp3z.com clubmp3z

    That’s what I’m looking for, cheerz

  • kx
  • http://www.behindthehype.com Redmanthatcould

    Sophie / mike,

    Most hosts do not make the .htaccess file initially visible in your FTP client, or a file manager. There is usually a way to “show hidden files” depending on your host, and then you can edit your file.

    That being said, I have a feeling Michi’s hack is technically ancient at this point. Gave it a quick try with no success, but I certainly appreciate the effort and help.

    I’m going to do a little more snooping and see if I can find myself a more up-to-date solution. :)

  • Jonathan

    Same problem on 2.6.2, can’t login.

  • Marc

    Thanks Michi for this very detailed tutorial :)

    However, I’m having the exact same problem as Edward just above on the impossibility to login.

    Could you or anyone help on this issue please?

  • Yannis Kolovos

    If you open any file inside /wp-admin/, all the variables are

    require_once(ABSPATH . 'wp-admin/admin-header.php');
    so it is not only the rewrite rule.

  • Edward

    Strange, but it doesn’t work with the 2.6.2 version on my server. I’m unable to log in either with “mysite.com/wp-admin/?YOURSECRETWORDHERE” or with “mysite.com/ADMINFOLDER/”. It opened the login page, but didn’t let me in. I have set up and used my own words instead of ADMINFOLDER and YOURSECRETWORDHERE, of course. All wp-admin files were in the ADMINFOLDER. Could you please tell of any updates to this solution? Does it work on your blog with 2.6.2 WP?

  • Pingback: Hiding your Admin Directory :: WPLover

  • http://jonlandrum.com/ Jonathan

    Nice. Very nice.

  • blabla

    Hi Michi. Thanks for that post. I have to ask a question. When I try to open /wp-admin/ or one of its subpages, sometimes it redirects to the 404 page.

    I’m using permalinks on my blog, so I think this problem occurs because WordPress thinks /wp-admin is a permalink. I don’t know why it’s happening sometimes.

    To avoid this, I think I have to write into .htaccess “if it’s /wp-admin/, don’t use WordPress’ permalink structure”. But I don’t know how to write it.

    Is there a way to do this? And have you ever faced that kind of problem?

    Thanks.

  • Jones

    WordPress is free. Development is not.

  • waldo

    “Oh, and if any WordPress developers ever read this, please make the word press admin folder be a variable name you can change! It is retarded that it is a hard coded.”

    How about making any “front facing” directory a variable. I don’t like wp-content, wp-includes, etc. I’d like to be able to change what they are named and where they are located. I don’t like advertising what my site is running on. I don’t mind sharing that info for those who ask, but please make it a little harder for those sniffing around to do malicious activity. That is one of the few things I dislike about WordPress.

    Sophie: you can have more than 1 .htaccess file, create a new one and put it in the same directory your wordpress install is in, in your case in your root directory.

  • mike

    Ok, reading through some of the comments,
    it appears as if there were? some bugs in the original code?

    I still don’t understand exactly where in the .htaccess file
    to put the above code…

    I am blocking about 100 ip addresses, do I put it after that or before?

  • Sophie

    I love the idea of making my wp-admin folder hidden, but I am having a problem: my .htaccess file isn’t in my root folder (where WP is installed), and therefore when I’m trying to edit it, even when I upload it I don’t get the desired changes. What can I do?

  • http://- zdenko

    hello, me again :)

    I wonder if this solution depends on the server config (it is a *nix box :))?

    I put in my .htaccess file just these 3 lines


    RewriteCond %{REQUEST_URI} wp-admin/
    RewriteCond %{QUERY_STRING} !blabla
    RewriteRule .*\.php [F,L]

    and I am still able to open either TLD/wp-admin/ or TLD/wp-admin or TLD/wp-admin/index.php

    What do I have to do to make this great idea work for me :(?

    thanks,
    zdenko

  • Manne

    This works great apart from a few issues – some plugins I use (namely Search Regex, Search Unleashed, Audit Trail and Custom Write Panel) stop working or disappear from the Edit menu.

  • Jeromy

    What about taking it one step further and masking wp-content, so when people view the source they’re not seeing the path to those files in your plugins? Is that achieved in a similar way?

  • Haroun

    Ok I found why it didn’t work…

  • Haroun

    Now try to modify a page : error 500 internal…

    There’s some bugs…

  • Haroun

    Ryan, it does not redirect…

  • http://flytrapgrowing.info/ Ryan

    Snap – how is this stupid exactly? If I go to (my test site) http://ryanhellyer.net/test/activedesign/wp-login.php it redirects to the old http://ryanhellyer.net/test/activedesign/wp-admin/ folder and so gets a 404 error. I can’t see any problems with this method at all and it was easy to implement.

  • Snap

    Actually this is very stupid .. you can access it with /wp-login.php

  • http://flytrapgrowing.info/ Ryan

    Darn it, posted the wrong one the first time. Here goes …

    # BEGIN WordPress

    RewriteEngine On
    RewriteBase /anything/

    ##### HACK TO CHANGE ADMIN FOLDER HERE #####
    RewriteCond %{REQUEST_URI} wp-admin/
    RewriteCond %{QUERY_STRING} !blablabla
    RewriteRule .*\.php - [F,L]
    RewriteCond %{QUERY_STRING} !boom
    RewriteRule ^admin/(.*) wp-admin/$1?%{QUERY_STRING}&blablabla [L]
    ############################################

    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /anything/index.php [L]

    # END WordPress

  • http://flytrapgrowing.info/ Ryan

    The site is on an addon domain, so I’ve included the addon domain information as well. The site I’m using this on is running WordPress 2.3.1 or 2.3, I think.

    # BEGIN WordPress

    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    # END WordPress

    # For sites running on a port other than 80
    RewriteCond %{HTTP_HOST} !^domain\.com\/addon\/ [NC]
    RewriteCond %{HTTP_HOST} !^$
    RewriteCond %{SERVER_PORT} !^80$
    RewriteRule ^/(.*) http://addon.org:%{SERVER_PORT}/$1 [L,R]

    # For sites running on a port other than 80
    RewriteCond %{HTTP_HOST} !^domain\.com\/addon [NC]
    RewriteCond %{HTTP_HOST} !^$
    RewriteCond %{SERVER_PORT} !^80$
    RewriteRule ^/(.*) http://addon.org:%{SERVER_PORT}/$1 [L,R]

    # For sites running on a port other than 80
    RewriteCond %{HTTP_HOST} !^addon\.domain\.com\ [NC]
    RewriteCond %{HTTP_HOST} !^$
    RewriteCond %{SERVER_PORT} !^80$
    RewriteRule ^/(.*) http://addon.org:%{SERVER_PORT}/$1 [L,R]

  • http://- zdenko

    Ryan, can you please post here your full .htaccess file, of course without folder name, password, sec. key etc?

    thanks in advance
    zdenko

  • http://ryanhellyer.net/ Ryan

    Attila – this works flawlessly for me, I’ve been using it for a month now with zero problems whatsoever. I assume you are doing something wrong or your server is setup oddly if you are having problems.

  • Attila

    For fellow users looking for a solution: unfortunately this doesn’t work (or the rewritten URL is such a critical piece of missing information that it renders the whole solution useless).
    Anyhow: you will get a 404 no matter what. Once the referrer changed the directory to the new name, it will not add the secret password to the query string any more. And that’s it. It is a good intro to Apache modules, but don’t waste time on it.

  • http://ryanhellyer.net/ Ryan

    Damn, that works great :) Thanks for the tutorial Michi.

  • http:/// zdenko

    Hm, I’ve tried to do just like you said but no result….
    Sometimes domain.tld/wp-admin works, sometimes it doesn’t, sometimes domain.tld/NEWNAME is ok but domain.tld/NEWNAME/ is not, etc.

    can you please post full .htaccess file here for WP2.3.1, for dummies :)?

    thanks in advance
    za

  • Pingback: Wordpress Dicussion - Page 8 - Webmaster Malaysia Forum

  • http://legendchew.com legendchew

    Hi Michi,
    I’m sorry for the late reply. I tried everything, still the same issue. It’s alright, I’ll just leave it that way. Don’t worry, be happy. :D

  • Michi

    Ah, I bet I know why… the “.” being changed to “/index.php” causes an infinite loop since “/index.php” matches “.” (when the rules are run again). ALL of the solutions I posted require the two RewriteConds. This ensures that the looping won’t happen. Did you include them?
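    To make the loop Michi describes concrete, here is an added example (not code from the post or from Apache) that models how a per-directory rule set is re-run on the rewritten path, with a constructed docroot standing in for the filesystem check done by the two RewriteConds:

    ```python
    """Simplified model of per-directory mod_rewrite processing (added example).

    In an .htaccess context the rule set is re-run on the rewritten path
    (an internal redirect), so a rule whose target also matches its own
    pattern keeps firing. The model below mimics that with a pass limit;
    the 'existing' set plays the role of the filesystem consulted by
    RewriteCond %{REQUEST_FILENAME} !-f and !-d.
    """
    import re

    INTERNAL_REDIRECT_LIMIT = 10  # mod_rewrite gives up with a 500 after this many


    class RewriteLoopError(Exception):
        """Raised when the rule set keeps rewriting past the pass limit."""


    def run_rules(path, rules, existing):
        """Apply (pattern, target, skip_if_exists) rules the way .htaccess would.

        pattern        -- regex matched against the path with its leading '/' removed
        target         -- replacement path; [L] semantics: restart on the new path
        skip_if_exists -- True models the two RewriteConds (skip if path exists)
        Returns the final path, or raises RewriteLoopError.
        """
        for _ in range(INTERNAL_REDIRECT_LIMIT):
            for pattern, target, skip_if_exists in rules:
                if skip_if_exists and path in existing:
                    continue  # RewriteCond fails, so this rule is skipped
                if re.search(pattern, path.lstrip("/")):
                    path = target  # rule fired; [L] ends this pass, rules re-run
                    break
            else:
                return path  # a full pass with no match: rewriting is finished
        raise RewriteLoopError(f"exceeded {INTERNAL_REDIRECT_LIMIT} passes at {path}")


    # Constructed sample docroot: what a WordPress install actually has on disk.
    DOCROOT = {"/index.php", "/wp-admin", "/wp-login.php"}

    UNGUARDED = [(".", "/index.php", False)]  # RewriteRule . /index.php [L] alone
    GUARDED = [(".", "/index.php", True)]     # same rule behind the two RewriteConds


    def resolve(path, guarded):
        """Return the served path, or '500' when the rule set loops."""
        try:
            return run_rules(path, GUARDED if guarded else UNGUARDED, DOCROOT)
        except RewriteLoopError:
            return "500"
    ```

    With the guard, a pretty permalink lands on /index.php once and stops; without it, /index.php matches “.” again on every pass, which is the 500 that legendchew reports.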

  • http://legendchew.com legendchew

    I have tried it; none of it works. If I include the “RewriteRule . /index.php [L]” code I get error: 500 Internal Server Error.

    It’s alright, don’t worry. :)

  • http://www.michikono.com Michi

    You can use mod_rewrite rules to accomplish that goal. The entry would look something like:

    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^/$ /wp-login.php [NC,L]

    I haven’t tested this, and it depends on your server settings. That last line might alternatively look like:

    RewriteRule ^$ wp-login.php [NC,L]

    or…

    RewriteRule ^/webfolder/$ webfolder/wp-login.php [NC,L]

    Let me know if none of these work.

    A last resort is:

    RewriteRule .* /wp-login.php [NC,L]

    But that will redirect all 404 requests, which may be highly undesired.

  • http://legendchew.com legendchew

    Hi Michi,

    Thanks for the reply. I think the version (I’m using WP 2.3) that I use is totally different from yours. The links of the pages have changed, I guess. I think I need to go through every PHP file and have a look at it. Will try to do that when I am free.

    Well what I do right now is whenever I need to update an image or delete page, I will remove the .htaccess file. After I have done the modification, I will replace it back.

    By the way, can I hide wp-login.php in the address bar and just have it show the domain only, like “http://legendchew.com/” instead of “http://legendchew.com/wp-login.php”?

    Sorry that I’m a noob at this. :)

    I wish you could help me on this.

    Thanks again.

  • http://www.michikono.com Michi

    Hi Chew,

    Thanks for the comment. Let me help you out:

    1. The line numbers might not be exact, but you are changing references to “wp-admin” to your new folder name in the functions edit_post_link and edit_comment_link.

    2. Edit the wp-admin/upload-functions.php file. Change ALL references from “wp-admin/” to your new folder name.

    I realize now there is an even more elegant way to do this hack that will be much more future proof. Thank you for your inspiring comment and look for an update one of these weekends. :)

  • http://legendchew.com legendchew

    Hi Michi,

    Thanks for your post. I was finally able to hide wp-admin. I have a question here. I don’t understand how your first two drawbacks can be addressed by editing wp-includes/link-template.php lines 248 and 263, since I can’t find wp-admin on those lines.

    I am having a 404 error uploading images. Is there any code that I can add in to solve this issue? Thanks again!!

  • Pingback: Notes on the move to WordPress at DamienG

  • Pingback: The First 5 Steps for Stronger Wordpress Security at Ramness.com

  • http://www.askapache.com/wordpress/htaccess-password-protect.html AskApache

  • http://www.sharpdeveloper.net/content/ Sameer

    How about adding simple authentication on top of the wp-admin folder instead of rewriting the URL? That would also secure your site a bit more without breaking anything. I am talking about what is known as htpasswd authentication for Apache.

  • http://coryduncan.com Cory Duncan

    This sounds like a great solution, but I followed this article exactly and couldn’t get the new admin to show up (404 page not found).

  • Pingback: Protect Important Folders in your Blog by Blog Tutorials

  • Pingback: Hiding Wordpress admin directory | Bindanaku

  • http://blog.bindanaku.com Bindanaku

    Thanks for the great how-to!

  • Pingback: Country Keepers by Gary Petersen » Blog Archive » Hiding Your WordPress Admin Folder

  • Pingback: Devlounge | Wordpress Security Alert