Can I rename the wp-admin folder?

3 Views

Is it possible to rename the wp-admin folder?

I know I could just rename it, but unless it’s supported by the code lots of things would break.

Read More

If I use a custom folder name, it will make it slightly more secure, security by obscurity and all that.

Post Views: 3

Related posts

Leave a Reply

12 comments

  1. Unfortunately it’s not currently possible nor does there appear to be will to consider it as a modification as you can see by this recent thread on the wp-hackers list and this ticket on trac.

    If you’d really like to see this be revisited I’d suggest:

    1. Present your case on wp-hackers but be forewarned your use-case better be good and not “security through obscurity” or it will get shot down as above.

    2. Present your argument in a trac ticket with the same caveats.

    3. Even better, upload a patch to trac that enables your desired functionality. It’s much harder to say no when the work has already been done (but of course, they do have a preference for saying “no” a lot more often than they say “yes” so be forewarned.)

  2. People keep asking this question, but people keep marking it as a duplicate. The chosen answer for this however, really isn’t an answer to the question.

    To rename the wordpress admin you need to take two steps.

    In the following code I’m using dashboard as the name of my new wp-admin. Change dashboard in the code below to whatever you want to name your new admin.

    First you need to tell wordpress you want to change the admin url.

    On line 2558 wp-includes/link-template.php is the code that dertermines the admin url.

    Using the admin_url filter you can successfully change the url of the admin with the following function:

    function my_custom_admin_url($path) { 
    return str_replace('wp-admin', 'dashboard', $path); 
}
add_filter('admin_url', 'my_custom_admin_url');

    You can test to see what your new url is by doing this:

    function whats_my_admin_url() {
    $url = admin_url();
    echo '<pre><code>'; print_r( $url ); echo '</code></pre>';
    }
add_action( 'admin_notices', 'whats_my_admin_url' );

    However, if you’ll notice when clicking through the admin that not everything works and some of the links may give you 404 not found or something similar.

    Second, change the .htaccess in your wordpress root directory and add the following in the begining before anything else.

    #CUSTOM ADMIN URL REWRITE
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^dashboard[^/]*$ dashboard/ [R=301,L]
RewriteCond %{QUERY_STRING} (.*)$
RewriteRule ^dashboard(.*)$ wp-admin$1? [QSA,L,NE]
RewriteCond %{QUERY_STRING} (.*)$
RewriteRule ^wp-admin/?$ / [NE,R=404,L]
RewriteCond %{QUERY_STRING} (.*)$
RewriteRule ^wp-admin/(.*)$ dashboard/$1 [QSA,R=301,L,NE]
</IfModule>
#CUSTOM ADMIN URL REWRITE

    Now, I’m not an expert when it comes to editing .htaccess so some of this might not be necessary. However, I’ve never found it not to work.

    Here’s the whole thing. Create a file and drop in your plugins folder or mu-plugins folder. (remember to change every instance of dashboard to your preferred admin url)

    <?php
/**
 * Plugin Name: Change My Admin URL
 * Plugin URI: http://wordpress.stackexchange.com/questions/106/can-i-rename-the-wp-admin-folder
 * Description: Changes the admin url where wp-admin becomes dashboard (or whatever you change it to)
 * Version: 1.0
 * Author: Bryan Willis
 * Author URI: http://profiles.wordpress.org/codecandid
 * License: GPL2
 */

/* 

#CUSTOM ADMIN URL REWRITE FOR HTACCESS
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^dashboard[^/]*$ dashboard/ [R=301,L]
RewriteCond %{QUERY_STRING} (.*)$
RewriteRule ^dashboard(.*)$ wp-admin$1? [QSA,L,NE]
RewriteCond %{QUERY_STRING} (.*)$
RewriteRule ^wp-admin/?$ / [NE,R=404,L]
RewriteCond %{QUERY_STRING} (.*)$
RewriteRule ^wp-admin/(.*)$ dashboard/$1 [QSA,R=301,L,NE]
</IfModule>
#CUSTOM ADMIN URL REWRITE

*/

function my_custom_admin_url($path) { 
    return str_replace('wp-admin', 'dashboard', $path); 
}
add_filter('admin_url', 'my_custom_admin_url');

    Issues?

    I haven’t had any in over a year using this method. You might notice that wp-admin will still work which kind of sucks, but it’s more of a precaution than anything. I had some poorly written plugins that hardcoded wp-admin in some places that wouldn’t load when trying to block or redirect wp-admin. I’m sure there is a way to do this with the htaccess, but I haven’t successfully figured it out. Also, this hasn’t been tested on multisite or anything like that ever.

    Update: Alternative Approach

    This is pretty similar, but for some reason my above answer didn’t work on every host I tried.

    Add to .htaccess

    RewriteRule ^admin/(.*) wp-admin/$1?%{QUERY_STRING} [L]

    Create a file in mu-plugins folder called new-admin.php and add this there:

    <?php
define('WP_ADMIN_DIR', 'admin');
defined('SITECOOKIEPATH') || define('SITECOOKIEPATH', preg_replace('|https?://[^/]+|i', '', get_option('siteurl') . '/' ) );
define( 'ADMIN_COOKIE_PATH', SITECOOKIEPATH . WP_ADMIN_DIR);

add_filter('site_url',  'wpadmin_filter', 10, 3);
 function wpadmin_filter( $url, $path, $orig_scheme ) {
  $old  = array( "/(wp-admin)/");
  $admin_dir = WP_ADMIN_DIR;
  $new  = array($admin_dir);
  return preg_replace( $old, $new, $url, 1);
}

    Note: This approach seemed to work better on some hosts, but still had the issue of not redirecting wp-admin links to the new admin url. Here’s an approach I tried below. While this below doesn’t work I think it’s on the right track. I’m not totally sure what hook to use. htaccess might be a better alternative but I kept getting redirect loops when I tried that way.

    add_action('init', 'redirect_wp_admin_url_to_404');
function redirect_wp_admin_url_to_404(){
  $redirect_to = $_SERVER['REQUEST_URI'];
  if(count($_REQUEST)> 0 && array_key_exists('redirect_to', $_REQUEST)){
    $redirect_to = $_REQUEST['redirect_to'];
    $check_wp_admin = stristr($redirect_to, 'wp-admin');
    if($check_wp_admin){
      wp_safe_redirect( '404.php' );
    }
  }
}

  3. No, you cannot rename the folder. The path is hard-coded in multiple locations throughout WordPress’ source.

    Security through obscurity isn’t really security anyway.

  4. An approach that is officially supported by WordPress is to move the WordPress installation files into a sub-directory, while keeping the site in the root, like so:

    Site URL: http://my-blog.com

    Admin URL: http://my-blog.com/7nxnkkugrdzm/wp-admin

    While this does not give you complete freedom in changing your admin url, it means you can prefix it with anything you like. This is just as good from a security point of view. It also has the benefit of moving all the WordPress installation files into a location unknown to users, so it should be part of any wordpress hardening strategy.

    From the WordPress Codex: Giving WordPress Its Own Directory

    Also, note that while this security scheme is called Obscure URL, it is not the same thing as security by obscurity. Obscure URL is a perfectly valid security scheme that is just as good as a password, while security by obscurity relies on using secret unproven procedures.

    The same caveats apply though as with passwords: Call the custom folder something like 7nxnkkugrdzm, not happy-snappy-admin. Also, make sure your users are aware the admin url is a secret.

  5. There is actually a very good tutorial on this here:

    It explains how to change the folder name, the wp-admin login url, and make sure that login.php redirects to the main site so that people can go there directly.

  6. If you want to keep subscriber-level users from seeing the wp-admin directory, you can create standalone versions of the login/registration and profile/edit pages in their own directories. Then, you can protect your admin folder via htaccess or IP restriction. (Though if you do this, you should make an exception for the admin-ajax file, as some plugins use it to add, um, AJAX functionality).

    This approach gives you the “obscurity” you want (which doesn’t really do much, but often makes clients and managers feel better), and also adds some real security by limiting access to the admin. Plus, honestly, a URL that just says “/login” looks a lot nicer than “wp-login.php”.

    It should go without saying that this doesn’t make your site bulletproof. But it’s a nice, basic enhancement.

  7. One way to lock down the administrative control panel is to utilize .htaccess rules. Just add an .htaccess file to the root of the wp-admin directory. After you add this file, just add the following rule to deny all IP addresses and allow only your IP:

    http://wp.tutsplus.com/tutorials/10-steps-to-securing-your-wordpress-installation/

    AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
whitelist address
allow from <IP ADDRESS HERE>
</LIMIT>

  8. If you want to rename the wp-admin with the aim of adding additional layer of security to your WordPress installation, you can also try the Roots / Bedrock WordPress Boilerplate. It can help isolate the web root to limit access to non-web files. It can also help in organizing/securing the whole WordPress core by putting it in its own subdirectory like renaming wp-content/ to app/ as well as these additional features:

    • Dependency management with Composer
    • Easy WordPress configuration with environment specific files
    • Environment variables with Dotenv
    • Autoloader for mu-plugins (use regular plugins as mu-plugins)
    • Enhanced security (separated web root and secure passwords with wp-password-bcrypt)

    You can also check their GitHub Repo for a more detailed usage:

  10. No it’s not possible to rename the wp-admin folder with any short of code or htaccess hack,

    In the past i done the same for a client by performing a complete folder search via Coda (the editor i use) for the tag “wp-admin, wp-content…etc” and i remove the “wp-” from the files.

    After that you will be able to install it but:
    You have to do the same with the plugins you want to install,
    You have to update the core manually by clearing the “wp-” tag from the new versions.

    In all the ways i don’t suggest you to do something like this,
    leave it as is and try to implement a User Login/Register/Profile page to give your users/clients a better experience.

    Cristian from Cozmolabs have
    write a very good tutorial. You can
    edit the code a bit and make it run in
    any WordPress theme.

    You can also add a Post form from the frontend so the Admin and Users with the Capabilities to write a post can do it from the frontend.

    Here you can see an example and code
    on how to create a Frontend Post page.
    Front-End Post Submission

    Also you can take a look for some nice plugins here that do the same with more functionality.

  11. WHAT ABOUT WORKING WP-ADMIN FROM AN IFRAME?

    Make a new page in wp dashboard called “Admin”. e.g: yourdomain/admin/

    You can make a case statement with the header.php page.php and/or footer.php to disable things on the template not needed, using: 

    <?php
if(!is_page('admin')): //if not the admin page.

//wrap code not needed or wanted.

else: ?>

<style type="text/css">
    .responsive-iframe {
    position: relative;
    padding-bottom: 56.25%; /*16:9*/
    height: 0;
    overflow: hidden;

    iframe {
        position: absolute;
        top:0;
        left: 0;
        width: 100%; //or 100vw
        height: 100%; //or 100vh
    }
}   
</style>

<div class="responsive-iframe">
<iframe seamless="seamless" scrolling="yes" src="http://yourdomain/wp-admin/" frameborder="0" allowfullscreen></iframe>
</div>

<?php 
endif;

    This is not pretty, but atleast to some extent you can hide wp-admin from url.
    Another way is to possibly use domain-forwarding with mask url enabled.

  12. I myself delete the wp-login.php file, and upload it per ftp before i want to log in, and delete it again afterwards till next time But i would otherwise say

    1. Wordfence Plugin will help a lot to block human hacker attempts. Use a very long and complex username for the admin account (hackers and bots don’t assume humans to use long usernames, only passwords), one that even you cannot remember, and login using the email address you used instead, is also a corker.
    2. Delete the content of comments.php file, and never allow comments on your website, nor signups, is best, restricting access only to admins and perhaps if you need your authors and editors. Deleting the comments.php content prevents a of injected malware and hacks from occurring.
    3. put a space between two words as your login name, as most hackers don’t realize you can do a username with an empty space, and often use underscores even when they guess your username (human hackers using social engineering). Long passwords that are complex have been proved to not be stronger than an 8 character/integer password so that is for you to study.
    4. Last but not least, one has to not only protect login.php, (by the way never use the username “[login]”), but also the xml rpc file which is the other file hackers like to use to try to log in with. Usually this kind of attack is a low level lowlife with little knowledge of real hacking using AI to do the work, and is merely trying his or her luck. But better safe than sorry. Also, WP all in one Migration Plugin allows you to download the whole site with database and configuration and upload it again in case of being hacked and site deletion. a daily backup before bedtime would ensure that your site will always be as it was before you went to bed. backup offline to hard drive (external), and you will always be safe.
      Oh, and keep plugins to a minimum as they are often left to rot by the devs and not updated, and if your blogging has used the plugin (for example youtube playlist plugins) tp post with, deleting an out dated plugin will make many posts become senseless with missing content (always think ahead). But do use the necessary plugins such as akismet, wordfence free, and wp all in one migration tool to backup website files, content and database. Many plugins also have vulnerabilities and a quick sniff of your server will show all folders to the hacker, and he will know you have the plugin, and attack through that. Do not use Discus or other third party comment forms either, as there is more data being scraped and compromised through fourth party inception (youtube currently hacked using location tagging in apps), than it is helpful. Better to have a Facebook page and let people comment there, but, not to insert widgets, or code linking from or to other domains, and their APIs too much, as the data being communicated and shared is intercepted easily by pro hackers. I have no comments or share buttons on my wordpress sites because of this. (i still do well and live well without need for comments with my type of websites). For example if this question was in form of a youtube video, everyone would have left wordpress at stackexchange (not that i suggest that as stack exchange is fantastic!) and comment on their youtube channel insytead. Safer, securer. So make a YT Channel and FB Page and use those for letting people ‘sign up and comment’ and keep the wordpress site as barebones as possible with no login options