Question

Is it possible to rename the wp-admin folder?

I know I could just rename it, but unless it's supported by the code lots of things would break.

If I use a custom folder name, it will make it slightly more secure, security by obscurity and all that.


Solution

Unfortunately, it's not currently possible, nor does there appear to be the will to consider it as a modification, as you can see from this recent thread on the wp-hackers list and this ticket on trac.

If you'd really like to see this be revisited I'd suggest:

  1. Present your case on wp-hackers but be forewarned your use-case better be good and not "security through obscurity" or it will get shot down as above.

  2. Present your argument in a trac ticket with the same caveats.

  3. Even better, upload a patch to trac that enables your desired functionality. It's much harder to say no when the work has already been done (but of course, they do have a preference for saying "no" a lot more often than they say "yes" so be forewarned.)

OTHER TIPS

No, you cannot rename the folder. The path is hard-coded in multiple locations throughout WordPress' source.

Security through obscurity isn't really security anyway.

People keep asking this question, but people keep marking it as a duplicate. The chosen answer for this, however, really isn't an answer to the question.

To rename the WordPress admin you need to take two steps.

In the following code I'm using dashboard as the name of my new wp-admin. Change dashboard in the code below to whatever you want to name your new admin.

First you need to tell WordPress you want to change the admin URL.

On line 2558 of wp-includes/link-template.php is the code that determines the admin URL.

Using the admin_url filter you can successfully change the url of the admin with the following function:

function my_custom_admin_url($path) { 
    return str_replace('wp-admin', 'dashboard', $path); 
}
add_filter('admin_url', 'my_custom_admin_url');

You can test to see what your new url is by doing this:

function whats_my_admin_url() {
    $url = admin_url();
    echo '<pre><code>'; print_r( $url ); echo '</code></pre>';
    }
add_action( 'admin_notices', 'whats_my_admin_url' );

However, you'll notice when clicking through the admin that not everything works, and some of the links may give you a 404 Not Found or something similar.

Second, change the .htaccess in your WordPress root directory and add the following at the beginning, before anything else.

#CUSTOM ADMIN URL REWRITE
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^dashboard[^/]*$ dashboard/ [R=301,L]
RewriteCond %{QUERY_STRING} (.*)$
RewriteRule ^dashboard(.*)$ wp-admin$1? [QSA,L,NE]
RewriteCond %{QUERY_STRING} (.*)$
RewriteRule ^wp-admin/?$ / [NE,R=404,L]
RewriteCond %{QUERY_STRING} (.*)$
RewriteRule ^wp-admin/(.*)$ dashboard/$1 [QSA,R=301,L,NE]
</IfModule>
#CUSTOM ADMIN URL REWRITE

Now, I'm not an expert when it comes to editing .htaccess so some of this might not be necessary. However, I've never found it not to work.

Here's the whole thing. Create a file and drop it in your plugins folder or mu-plugins folder. (Remember to change every instance of dashboard to your preferred admin URL.)

<?php
/**
 * Plugin Name: Change My Admin URL
 * Plugin URI: http://wordpress.stackexchange.com/questions/106/can-i-rename-the-wp-admin-folder
 * Description: Changes the admin url where wp-admin becomes dashboard (or whatever you change it to)
 * Version: 1.0
 * Author: Bryan Willis
 * Author URI: http://profiles.wordpress.org/codecandid
 * License: GPL2
 */

/* 

#CUSTOM ADMIN URL REWRITE FOR HTACCESS
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^dashboard[^/]*$ dashboard/ [R=301,L]
RewriteCond %{QUERY_STRING} (.*)$
RewriteRule ^dashboard(.*)$ wp-admin$1? [QSA,L,NE]
RewriteCond %{QUERY_STRING} (.*)$
RewriteRule ^wp-admin/?$ / [NE,R=404,L]
RewriteCond %{QUERY_STRING} (.*)$
RewriteRule ^wp-admin/(.*)$ dashboard/$1 [QSA,R=301,L,NE]
</IfModule>
#CUSTOM ADMIN URL REWRITE

*/

function my_custom_admin_url($path) { 
    return str_replace('wp-admin', 'dashboard', $path); 
}
add_filter('admin_url', 'my_custom_admin_url');

Issues?

I haven't had any in over a year using this method. You might notice that wp-admin will still work which kind of sucks, but it's more of a precaution than anything. I had some poorly written plugins that hardcoded wp-admin in some places that wouldn't load when trying to block or redirect wp-admin. I'm sure there is a way to do this with the htaccess, but I haven't successfully figured it out. Also, this hasn't been tested on multisite or anything like that ever.

Update: Alternative Approach

This is pretty similar, but for some reason my above answer didn't work on every host I tried.

Add to .htaccess

RewriteRule ^admin/(.*) wp-admin/$1?%{QUERY_STRING} [L]

Create a file in mu-plugins folder called new-admin.php and add this there:

<?php
define('WP_ADMIN_DIR', 'admin');
defined('SITECOOKIEPATH') || define('SITECOOKIEPATH', preg_replace('|https?://[^/]+|i', '', get_option('siteurl') . '/' ) );
define( 'ADMIN_COOKIE_PATH', SITECOOKIEPATH . WP_ADMIN_DIR);

add_filter('site_url',  'wpadmin_filter', 10, 3);
 function wpadmin_filter( $url, $path, $orig_scheme ) {
  $old  = array( "/(wp-admin)/");
  $admin_dir = WP_ADMIN_DIR;
  $new  = array($admin_dir);
  return preg_replace( $old, $new, $url, 1);
}

Note: This approach seemed to work better on some hosts, but still had the issue of not redirecting wp-admin links to the new admin URL. Here's an approach I tried below. While it doesn't work, I think it's on the right track. I'm not totally sure what hook to use. htaccess might be a better alternative, but I kept getting redirect loops when I tried that way.

add_action('init', 'redirect_wp_admin_url_to_404');
function redirect_wp_admin_url_to_404(){
  $redirect_to = $_SERVER['REQUEST_URI'];
  if(count($_REQUEST)> 0 && array_key_exists('redirect_to', $_REQUEST)){
    $redirect_to = $_REQUEST['redirect_to'];
    $check_wp_admin = stristr($redirect_to, 'wp-admin');
    if($check_wp_admin){
      wp_safe_redirect( '404.php' );
    }
  }
}
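The answer above reports redirect loops when trying to block direct `wp-admin` requests from .htaccess. One way to avoid the loop, as an added example that is not the answer author's code, is to refuse `wp-admin` only on the initial client request; it assumes WordPress at the document root, the `dashboard` name from the answer, and rules placed above the `# BEGIN WordPress` block.

```apache
# Root .htaccess (added example; "dashboard" is the public admin name
# used with the admin_url filter in the answer above).
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# 1. Refuse wp-admin only when the client asked for it directly.
#    REDIRECT_STATUS is empty on the initial request and is set once
#    rule 3 has internally rewritten dashboard/ to wp-admin/, so the
#    rewritten request is not caught here and no loop forms.
RewriteCond %{ENV:REDIRECT_STATUS} ^$
#    Exception for plugins that hard-code the AJAX endpoint.
RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php$
RewriteRule ^wp-admin(/.*)?$ - [R=404,L]

# 2. Canonicalise "dashboard" to "dashboard/".
RewriteRule ^dashboard$ dashboard/ [R=301,L]

# 3. Serve the real directory under the public name. The query string
#    is carried over automatically because the substitution has none.
RewriteRule ^dashboard/(.*)$ wp-admin/$1 [L]
</IfModule>
```

These rules do not touch `wp-login.php`, which stays at its usual path. The `admin_url` filter also rewrites `admin-ajax.php` URLs printed on front-end pages, so the public name is visible in page source wherever a theme or plugin emits that URL.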

An approach that is officially supported by WordPress is to move the WordPress installation files into a sub-directory, while keeping the site in the root, like so:

Site URL: http://my-blog.com

Admin URL: http://my-blog.com/7nxnkkugrdzm/wp-admin

While this does not give you complete freedom in changing your admin URL, it means you can prefix it with anything you like. This is just as good from a security point of view. It also has the benefit of moving all the WordPress installation files into a location unknown to users, so it should be part of any WordPress hardening strategy.

From the WordPress Codex: Giving WordPress Its Own Directory

Also, note that while this security scheme is called Obscure URL, it is not the same thing as security by obscurity. Obscure URL is a perfectly valid security scheme that is just as good as a password, while security by obscurity relies on using secret unproven procedures.

The same caveats apply though as with passwords: Call the custom folder something like 7nxnkkugrdzm, not happy-snappy-admin. Also, make sure your users are aware the admin url is a secret.

There is actually a very good tutorial on this here:

How to Hide WordPress Info from Your Source Code mirror

Includes how to rename wp-content, rename wp-admin, and remove the generator tag from WordPress.

This tutorial will change obvious evidence or indications of it in your source-code, effectively removing WordPress info from your site.

It explains how to change the folder name, the wp-admin login url, and make sure that login.php redirects to the main site so that people can go there directly.

If you want to keep subscriber-level users from seeing the wp-admin directory, you can create standalone versions of the login/registration and profile/edit pages in their own directories. Then, you can protect your admin folder via htaccess or IP restriction. (Though if you do this, you should make an exception for the admin-ajax file, as some plugins use it to add, um, AJAX functionality).

This approach gives you the "obscurity" you want (which doesn't really do much, but often makes clients and managers feel better), and also adds some real security by limiting access to the admin. Plus, honestly, a URL that just says "/login" looks a lot nicer than "wp-login.php".

It should go without saying that this doesn't make your site bulletproof. But it's a nice, basic enhancement.

One way to lock down the administrative control panel is to utilize .htaccess rules. Just add an .htaccess file to the root of the wp-admin directory. After you add this file, just add the following rule to deny all IP addresses and allow only your IP:

http://wp.tutsplus.com/tutorials/10-steps-to-securing-your-wordpress-installation/

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
# No <Limit GET> wrapper: it would leave POST and other methods unrestricted
order deny,allow
deny from all
# whitelist address
allow from <IP ADDRESS HERE>
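The IP allow-list above, combined with the `admin-ajax.php` exception suggested in the previous answer, as an added example that is not part of either answer. It covers every HTTP method (a `<Limit GET>` wrapper restricts only GET and HEAD) and assumes `203.0.113.10`, a documentation address, stands in for your own IP.

```apache
# wp-admin/.htaccess (added example)
# Needs AllowOverride AuthConfig (Apache 2.4) or Limit (Apache 2.2)
# for this directory in the server configuration.

# Apache 2.4+: authorization is handled by mod_authz_core.
<IfModule mod_authz_core.c>
    # Applies to every HTTP method, not just GET.
    Require ip 203.0.113.10

    # Some plugins call admin-ajax.php from the public site.
    <Files "admin-ajax.php">
        Require all granted
    </Files>
</IfModule>

# Apache 2.2: the older Order/Deny/Allow directives.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10

    <Files "admin-ajax.php">
        Order allow,deny
        Allow from all
        Satisfy any
    </Files>
</IfModule>
```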

If you want to rename the wp-admin with the aim of adding an additional layer of security to your WordPress installation, you can also try the Roots / Bedrock WordPress Boilerplate. It can help isolate the web root to limit access to non-web files. It can also help in organizing/securing the whole WordPress core by putting it in its own subdirectory, like renaming wp-content/ to app/, as well as these additional features:

  • Dependency management with Composer
  • Easy WordPress configuration with environment specific files
  • Environment variables with Dotenv
  • Autoloader for mu-plugins (use regular plugins as mu-plugins)
  • Enhanced security (separated web root and secure passwords with wp-password-bcrypt)

You can also check their GitHub Repo for a more detailed usage:

Take a look at http://wordpress.org/extend/plugins/stealth-login/; this may help you out.

No, it's not possible to rename the wp-admin folder with any sort of code or htaccess hack.

In the past I did the same for a client by performing a complete folder search via Coda (the editor I use) for the tags "wp-admin, wp-content...etc" and I removed the "wp-" from the files.

After that you will be able to install it, but:
You have to do the same with the plugins you want to install, and you have to update the core manually by clearing the "wp-" tag from the new versions.

In any case, I don't suggest you do something like this. Leave it as is and try to implement a User Login/Register/Profile page to give your users/clients a better experience.

Cristian from Cozmolabs has written a very good tutorial. You can edit the code a bit and make it run in any WordPress theme.

You can also add a Post form from the frontend so the Admin and Users with the Capabilities to write a post can do it from the frontend.

Here you can see an example and code on how to create a Frontend Post page. Front-End Post Submission

Also you can take a look for some nice plugins here that do the same with more functionality.

WHAT ABOUT WORKING WP-ADMIN FROM AN IFRAME?

Make a new page in wp dashboard called "Admin". e.g: yourdomain/admin/

You can make a case statement with the header.php, page.php and/or footer.php to disable things on the template that are not needed, using:

<?php
if(!is_page('admin')): //if not the admin page.

//wrap code not needed or wanted.

else: ?>

<style type="text/css">
    .responsive-iframe {
        position: relative;
        padding-bottom: 56.25%; /* 16:9 */
        height: 0;
        overflow: hidden;
    }

    .responsive-iframe iframe {
        position: absolute;
        top: 0;
        left: 0;
        width: 100%; /* or 100vw */
        height: 100%; /* or 100vh */
    }
</style>

<div class="responsive-iframe">
<iframe seamless="seamless" scrolling="yes" src="http://yourdomain/wp-admin/" frameborder="0" allowfullscreen></iframe>
</div>

<?php 
endif;

This is not pretty, but at least to some extent you can hide wp-admin from the URL. Another way is to possibly use domain forwarding with mask URL enabled.

Licensed under: CC-BY-SA with attribution
Not affiliated with wordpress.stackexchange