DiggingIntoWordPress

by Chris Coyier & Jeff Starr

Move Your WordPress Files Out of the Root Directory


I usually recommend that people install WordPress at the root directory of their sites. Even if you intend to mostly use WordPress for a blog, and run it at /blog/, you can still do that with WordPress at the root through some simple settings. But just because WordPress is installed and controlling your site from the root, doesn’t mean that the WordPress core files need to be located at the root.

You may want WordPress installed in a subdirectory just to keep that root directory of your site clean. There are a lot of files that power WordPress and keeping them all at the root can be an eyesore:

You Can Install WordPress in a Subdirectory and Still Control the Root

Yep that’s right. You’ve probably seen the preference for it a million times and never really thought twice about it (if you are like me). It’s under Settings > General:

That first setting, WordPress URL, gives you the opportunity to set where the actual WordPress files are, and the second setting points to where you want the root of your site to be. This means you could create a new subdirectory (say, “wordpress”), put all your WordPress core files in there, and still control the root. The Codex has a nice step-by-step on this, but I’ll cover it quickly here as well.

  1. Move (or initially put) ALL of the WordPress core files into a subdirectory (e.g. “/wordpress/”).
  2. Change the General settings (see pic above) to the proper new locations.
  3. Copy the index.php and .htaccess file back to the root
  4. Open the index.php file and change the line: require('./wp-blog-header.php'); to require('./wordpress/wp-blog-header.php'); . If you use a different subdirectory, obviously “wordpress” would be whatever you named that subdirectory.
  5. Log into the backend. Note that you probably used to log in at /wp-admin/ but it will be /wordpress/wp-admin/ now.
  6. Go to Settings > Permalinks and save that section, rewriting and updating your .htaccess file.
  7. Make sure all is well on the Front End.
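
The file operations in steps 1, 3 and 4, as an added shell example that is not part of the original post. The function name relocate_wp and its arguments are assumptions made for illustration, and the sed pattern matches the require line exactly as quoted in step 4. Steps 2, 5 and 6 still happen in the WordPress admin.

```bash
# Added example. relocate_wp DOCROOT [SUBDIR] performs steps 1, 3 and 4.
# SUBDIR defaults to "wordpress", the name used in the post.
relocate_wp() {
    local docroot="$1" sub="${2:-wordpress}" entry

    # Accept a plain directory name only, so it cannot escape DOCROOT
    # or break the sed expression below.
    case "$sub" in
        ''|*[!A-Za-z0-9_-]*) echo "bad subdirectory name: $sub" >&2; return 1 ;;
    esac
    if [ ! -f "$docroot/wp-blog-header.php" ]; then
        echo "no WordPress core files in $docroot" >&2; return 1
    fi
    if [ -e "$docroot/$sub" ]; then
        echo "$docroot/$sub already exists" >&2; return 1
    fi
    mkdir "$docroot/$sub" || return 1

    # Step 1: move every file and directory, dotfiles included.
    for entry in "$docroot"/* "$docroot"/.[!.]*; do
        if [ ! -e "$entry" ] || [ "$entry" = "$docroot/$sub" ]; then
            continue
        fi
        mv "$entry" "$docroot/$sub/" || return 1
    done

    # Step 3: copy .htaccess back to the root (index.php follows in step 4).
    if [ -f "$docroot/$sub/.htaccess" ]; then
        cp "$docroot/$sub/.htaccess" "$docroot/.htaccess" || return 1
    fi

    # Step 4: write a root index.php whose require points into SUBDIR.
    # The copy left inside SUBDIR keeps its original require line.
    sed "s#'\./wp-blog-header\.php'#'./$sub/wp-blog-header.php'#" \
        "$docroot/$sub/index.php" > "$docroot/index.php" || return 1

    # Fail if the require line was not in the expected form and so
    # was left unchanged; the site would break on the next request.
    grep -qF "'./$sub/wp-blog-header.php'" "$docroot/index.php"
}
```

Run it against a copy of the document root first; a non-zero return means index.php did not contain the require line in the form shown in step 4 and must be edited by hand.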

Security

Since I would think very few sites do this, you are getting the bonus of security by obscurity. Bots scrounging around your site probably will never find the WordPress core files since they are in a subdirectory that isn’t referenced publicly anywhere.
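
To see how much of the install location your own rendered pages give away, the following added example (not part of the original post) lists every URL path prefix that appears in front of wp-content/ or wp-includes/ in a page's HTML. The function names, the example.com host and the sample markup are constructed for illustration.

```bash
# Added example. Reads rendered HTML on stdin and prints each distinct
# path prefix found in front of wp-content/ or wp-includes/ in src/href
# attributes. "/" means the assets are served from the site root.
leaked_wp_paths() {
    { grep -oE "(src|href)=[\"'][^\"']*/wp-(content|includes)/" || true; } \
      | sed -E "s#^(src|href)=[\"']##; s#^(https?:)?//[^/]+##; s#/wp-(content|includes)/\$##; s#^\$#/#" \
      | sort -u
}

# Constructed sample: a home page served from the root while the core
# files live in /wordpress/, as in the setup described above.
sample_page() {
    cat <<'EOF'
<html><head>
<link rel="stylesheet" href="http://example.com/wordpress/wp-content/themes/demo/style.css">
<script src="http://example.com/wordpress/wp-includes/js/jquery/jquery.js"></script>
</head><body>
<a href="http://example.com/about/">About</a>
<img src="http://example.com/wordpress/wp-content/uploads/2009/07/photo.jpg">
</body></html>
EOF
}

# Against the sample:     sample_page | leaked_wp_paths
# Against your own site:  curl -s https://your-site.example/ | leaked_wp_paths
```

Any line of output other than "/" is a directory name that the page source discloses, whatever it was renamed to.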

19 Responses

  1. I must disagree with your last sentence – the location of WP is still in paths to styles, scripts, etc. But you probably meant it isn’t that publicly… obvious. :-)

    • Yeah that’s true… Unless you were kinda nuts and hard-coded script and style locations to elsewhere.

      • Hassan July 16, 2009

        So, is it possible to move themes from wp-content to root directory? Then the address would be root.com/themes/theme-name/files?

    • That’s right. When you upload images through the WordPress image uploader, for example – that will show the true install path unless you’ve moved where all these things are (you can move that path).

      In fact, moving the path where your images upload to onto a subdomain would probably give you a little better performance since browsers only download so much at once from one domain (I believe it’s 2 things at a time). If your images are on a separate subdomain, it’ll download things in parallel (e.g. download 4 things at a time).

      @Hassan – Not exactly. Wherever your index.php file is would be your blog’s address. If you wanted your theme’s name to be in the URL of your site, then you’d have to create those subdirectories and move the index and .htaccess file there (and configure everything else along with it).

  2. Emoticon July 14, 2009

    Hi,

    Nice feature, I agree, but for different reasons. Try doing a simple View Source of the page, and we can see the directories used for so many things in the page that is being displayed.

    Guess this is not so secure after all. However, other benefits still remain there! :-)

    • Also not to be forgotten is the fact that HUMANS could easily find this subdirectory, but BOTS probing your site may not be so smart.

    • Although the upgrade in security through obscurity might be small, there is some small enhancement to security here.

      There are lots of hackers who don’t bother to take the time to look at someone’s code, they just look for easy targets. They come to a site and try 5 or 6 quick SQL injection strings they know work for some WordPress versions and/or plugins.

      So they’ll take a guess, but if files and folders are in different locations, their guess will be wrong.

      I’ve seen this in my access logs. People try sql injection to exploit security holes in some WP plugins. They don’t even bother to know if I have that plugin or not, they just pound out a few strings and if it works, great, if not, they move on to another easier target.

      Now if someone really wanted to get into your site and took the time to look at your code, then this wouldn’t provide much security.

  3. You could of course also use htaccess to change the root webpage, but that is another tutorial ;)

  4. WordPress provides even more flexibility by enabling users to customize what is displayed for the Home Page. Under “Settings > Reading”, there is an option that says “Front page displays… A static page” where any Page may be set for the Home Page.

  5. Good to see you dive into the WordPress thing Jeff! I’m still looking for a WP only site delivering nettuts quality WP articles only. :)

    This is an interesting approach, as I also sometimes feel my root is messed up with all the files.

    The same would probably be true for MU. Any other things one should have in mind there?

  6. Stephanie July 14, 2009

    I think the screenshot of the general settings is throwing me off since they show the same address. If diggingintowordpress.com put its wordpress files in a folder called “wordpress”, for example, then the “wordpress address” would be “diggingintowordpress.com/wordpress” and the “blog address” would be “diggingintowordpress.com”. Am I understanding this correctly??

  7. Anthony Linton July 14, 2009

    Could this create problems with plugins / themes that may be badly made and using the blog address found with a WordPress function which wouldn’t include the subdirectory?

    • Possible… but you shouldn’t be using badly made plugins anyway =)

    • If you use absolute paths in your markup/CSS/scripts, then it could break.

      Then again, it is much easier to work with relative paths when you first get used to it.

  8. Funny, I thought this was how it was supposed to be done. I’ve been doing it this way since I started installing WP on numerous sites back in the ‘early’ days. :)

  9. Do you think you could update your directions to take into account the other tips you’ve shared?

    For example, I’ve used your previous tutorials to modify my wp_config.php file, so the two URLs in the General Settings tab are grayed out.

    What else would need to be done to successfully move the files over?

  10. I am doing a new install.
    Would this method still allow for a WP static front page?
    And the ‘blog’ part set up to be a WP page called ‘news’. (set up in dashboard)
    And would it carry the www in front of the domain name? (need this)
    Would internal linking need to be done to include the /wp/ folder? (therefore still be visible?) And full links not relative?

    thanks..

    • Look at it like this, bobbi, by following this tutorial and moving all your core WordPress files out of the root directory and into a subdirectory (say “wordpress”) wouldn’t change how your blog works if everything was in the root directory.

      So static front pages would still work, etc.

      As for the www thing, you would need to use .htaccess to rewrite the url with or without www in the front.

      Here’s a tutorial.1 I’m sure Jeff has the code on Perishable Press somewhere as well.

      1Note: 404 link removed 2013/06/14 – http://www.trevorfitzgerald.com/2007/03/force-www-using-an-htaccess-301-redirect/
