WordPress support from our community
Confusion about WP files on root level vs subdirectory
October 15, 2012 at 3:34 am #1545
I’m updating a website to have it based on WordPress, so I installed it in a subdirectory (instead of the root level) for security reasons on the server hosted by ASO (A Small Orange). I also recently signed up for ASO after switching from GoDaddy that caused many websites go down last month caused by some hacker, so I don’t trust GoDaddy anymore.
Someone suggested that ASO is very reliable, but people at ASO have been confusing me with different advices by different people – one saying I should move all files to the root level, second saying I can keep in the subdirectory, and third saying I can use redirect in ASO, and yet another saying that ASO “cannot” support the redirect feature.
One of their suggestions was:
But another suggestion was that it won’t work. I’m confused.
ThanksOctober 15, 2012 at 5:59 am #2685
Putting WP in a subdirectory provides very limited security. Any hacker with half a brain will locate the subdirectory in about 15 seconds.
Easier and far more effective security-wise to simply install WP in the root and then properly secure the site.October 15, 2012 at 3:58 pm #2686
D.K. Smith – thanks for the response.
I’m still confused because I’ve read in some articles that it’s better to keep WP files in a subdirectory and make a redirect to root level.
I also saw the answers in another thread in this group: http://wpnyc.org/groups/troubleshooting/forum/topic/better-wp-security/
Jonathan Goodman gave a response to that question, and one of the excerpts is:
“3) Install WordPress in a sub-directory. Hackers look for easy targets so they are always trying to hit the root-directory. If you setup a fake WordPress install on the root but use the real WordPress in a sub-folder they will eventually tire and move on to an easier site.”
Another reason I want to keep WP files in a subdirectory is to keep the root level clean.October 16, 2012 at 5:18 am #2687
Automated bots trolling for newly discovered vulnerabilities “may” miss WP in a subdirectory, but live hackers will easily find it.
Installing WP in a subdirectory is like tying your car to a fire hydrant with a rope and complex knots. Your car is more secure but the only person it slows down is you… as you un-tie all the knots to run an errand. The car thieves will simply use a knife… and you could too in order to save time.
WP in a subdirectory is not bad thing however, it can sometimes cause problems with a plugin (usually the plugin’s fault) even when everything is correctly implemented. So keep an eye out for conflicts if you install a lesser-known or newly released plugin. For security purposes, WP in a sub is not much better than using a rope to secure a car.
Be sure to purchase my book when it launches, http://www.wpsecurityhandbook.com. My team and I have secured almost 1500 sites and none have been re-hacked… not a single one! We secure large, small, and complex enterprise WP installations. I’m up this late because we’re working on a badly hacked 41-blog multisite network that must be secured and live by 6:00am EST.October 16, 2012 at 3:40 pm #2688SteveKeymaster
Hey D.K.– I really don’t see any downside to installing WP in a sub-directory. If a plugin still uses absolute paths and breaks, then the user needs to find another plugin, since there are probably other code issues. 😉
Installing in a sub-directory takes 5 minutes, and if it “may” stop an auto bot, then that sounds good to me. Also, keeps the root clean… which Sveta mentioned is a goal.
May I propose another analogy:
Installing WP in a sub-directory is like moving the ignition for your car to the glove compartment. A robot thief may not find it, but a live thief probably would. However, there really is no difference for the car owner. They simple open the glove compartment, turn the key and go.October 16, 2012 at 9:50 pm #2689
Hi Steve… I agree. We place WP in subdirectories all the time and poorly coded plugins are just about the only issue that arises. I like your analogy however, it may best apply when a site owner is savvy enough to figure out that some out-of-blue problem could be a poorly coded plugin. We’ve seen many instances where things go fine with a bad plugin and WP in a subdirectory… until later on, when some well-coded plugin is installed and the combo causes a conflict.
@Sveta… it’s definitely okay to install WP in a subdirectory however; do not get a false sense of safety from doing so… the added security benefit is neglible. Remember to keep an eye peeled for conflicts if you install a lesser-known or newly released plugin, and be sure to implement proper security measures.
@Steve… as Tina said to Arnold, “Ain’t we a pair?” You’re the framework guy….exploring new territory and always open to the possibilities. I’m the security guy… balancing convenience versus risk, and after seeing so much hacker carnage… wanting everyone to max their security.
Just don’t call me Raggedy-man and I won’t call you Aunty, 🙂October 17, 2012 at 5:09 pm #2690
Thanks, D.K. and Steve, for messages. I decided to keep WP in subfolder to keep root level clean.
But when talking to ASO about redirects, and they suggested me this:
After that they said: “Additionally, we provide no guarantee with this configuration override as it does not standardize to normal cPanel configuration so we will not be able to provide support for it if it breaks.”.
I’m confused – if they have suggestions for redirect, then why they say they cannot promise and cannot provide support if it breaks?October 17, 2012 at 5:12 pm #2691
Thanks for mentioning about the book, D.K. – how will I know when it’s published?October 17, 2012 at 5:36 pm #2692
We don’t use cpanel for this and I’m not familiar with ASO’s hosting.
Read this page from the WP Codex on installing WP in a subdirectory. The third section covers pointing your URL to the subdirectory.
There will be posts about the book across the web and I’ll make sure you’re notified directly.October 24, 2012 at 2:27 am #2693
I did the redirect as explained in the codex, and it seems to work so far.November 12, 2012 at 2:12 pm #2694
Hi Sveta, you wrote “…works so far
Was the codex redirect the correct solution for your site?
- You must be logged in to reply to this topic.