Title: Feature request: secure WordPress
Last modified: August 20, 2016

---

# Feature request: secure WordPress

 *  [Pablo](https://wordpress.org/support/users/pibo/)
 * (@pibo)
 * [13 years, 11 months ago](https://wordpress.org/support/topic/feature-request-secure-wordpress/)
 * Hello,
 * My request is so simple: it would be useful if you seriously considered a security
   improvement in your next WordPress updates (like hide/rename wp-admin, wp-includes,
   wp-content, etc.), to make sites less hackable without installing plugins, as
   you can see in most cases they don't work or even break whole WP installations
   (do a search in Google and you'll find hundreds).
 * Regards.

Viewing 8 replies - 1 through 8 (of 8 total)

 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [13 years, 11 months ago](https://wordpress.org/support/topic/feature-request-secure-wordpress/#post-2815150)
 * It’s been covered before. Security via obscurity just doesn’t work and that proposal
   would almost certainly be impossible to support.
 * Hiding directories does not make anything more secure. It’s like closing _your_
   eyes and saying that that will prevent The Bad People™ from seeing you.
 * Such self-inflicted damage is to be avoided. 😉
 * But give this a read on why you shouldn’t as well as the links MickeyRoush provided.
 * [http://wordpress.org/support/topic/hideprotectrename-wp-installation-folders?replies=8](http://wordpress.org/support/topic/hideprotectrename-wp-installation-folders?replies=8)
 *  Thread Starter [Pablo](https://wordpress.org/support/users/pibo/)
 * (@pibo)
 * [13 years, 11 months ago](https://wordpress.org/support/topic/feature-request-secure-wordpress/#post-2815159)
 * Hello Jan,
 * I know there are no infallible solutions concerning Internet security, but WP
   is now really easy to hack for any novice, just with all the critical structure
   in a known way in the /public folder of the server.
 * I.E. [Moodle](http://moodle.org) asks you to install the content folder outside
   the public directory.
 * I.E. [Magento](http://www.magentocommerce.com) allows you to install its critical
   data inside the folder you choose.
 * WordPress could be more secure if they learn to implement by default methods that
   others are applying to increase security. It doesn't remove the risks but obviously
   reduces them by a high percentage.
 * Regards.
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [13 years, 11 months ago](https://wordpress.org/support/topic/feature-request-secure-wordpress/#post-2815160)
 * If you are interested in tightening security, see [Hardening_WordPress](http://codex.wordpress.org/Hardening_WordPress)
   and [http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html](http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html)
 * As Jan said, this topic has been discussed to death many times.
 *  Thread Starter [Pablo](https://wordpress.org/support/users/pibo/)
 * (@pibo)
 * [13 years, 11 months ago](https://wordpress.org/support/topic/feature-request-secure-wordpress/#post-2815166)
 * Hello esmi,
 * I know there are a lot of threads, rules, plugins, etc. about this topic that
   anyone could apply with some knowledge of coding and Apache settings (which
   not all WP users have).
 * What I want to say is I think it would be better if WP increased its security
   by default. But if you think that it isn't a must… it was just advice 😉
 * Regards.
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [13 years, 11 months ago](https://wordpress.org/support/topic/feature-request-secure-wordpress/#post-2815171)
 * Please be patient with me for a moment. Security is a thing for me. 😉
 * > but WP is now really easy to hack for any novice
 * No, it categorically and 100% is not. I’m sorry, but that’s just not the case.
 * How do I know? Because as the timthumb exploit demonstrated, when an easy attack
   vector is available then the bad guys jump all over it. That’s not happening 
   with WordPress installations en masse, we’d all know about it here if it were.
 * However, as the timthumb exploit illustrated there are a lot of themes, plugins,
   and poor hosts and some of those are the vector for compromising a lot of WordPress
   installations.
 * That’s not a problem WordPress itself can solve.
 * It’s like me designing and building the most secure home and the owner leaves
   the garage door wide open and all the doors unlocked. You could blame the designer
   _or_ you could just keep your home secure.
 * There have been times in the past that earlier versions of WordPress have had
   an exploit, but those get dealt with quickly provided that the exploit is responsibly
   disclosed. It’s part and parcel why keeping your software up to date is important.
 * There are things that the user can do and they’re concisely summarized in these
   links.
 * [http://codex.wordpress.org/Hardening_WordPress](http://codex.wordpress.org/Hardening_WordPress)
   
   [http://www.studiopress.com/tips/wordpress-site-security.htm](http://www.studiopress.com/tips/wordpress-site-security.htm)
 * I’m more fond of the second link myself.
 * > WordPress could be more secure if they learn to implement by default methods that
   > others are applying to increase security.
 * Not the case. My new phrase of the week is now going to be this one.
 * >  Security via obscurity doesn’t work. It’s like closing your eyes and saying
   > that that will prevent The Bad People™ from seeing you.
 * Any _security weakness_ does not come from a directory name. It comes from within
   the code itself. The people who make these exploits aren’t that unsophisticated
   and they will find those exploits regardless of how you name a directory.
 * Try this: visit any WordPress install and view the source.
 * You will see references to `wp-content/themes` and probably `wp-content/plugins`
   in the source code. Those files are required to get the look and functionality
   that that WordPress installation requires.
 * If you believe that renaming those directories makes it more secure, then please
   re-read my new phrase of the week above.
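
The view-source check described in the reply above, as an added example that is not part of the original thread: it parses a page's HTML and reports which directory sits in front of `themes` or `plugins` in asset URLs, so you can see what your own rendered pages disclose even after a rename. The sample markup, the `blog.example` host and the renamed `site-data` directory are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: markup from a hypothetical install whose content
# directory was renamed from "wp-content" to "site-data".
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://blog.example/site-data/themes/mytheme/style.css?ver=1">
<script src="https://blog.example/site-data/plugins/contact-form/js/form.js"></script>
<script src="https://blog.example/core-lib/js/jquery/jquery.js"></script>
</head><body><img src="/site-data/themes/mytheme/img/logo.png"></body></html>"""

# Whatever precedes /themes/ or /plugins/ in a URL path is the content directory.
MARKER = re.compile(r"^(?P<base>.*?)/(?P<kind>themes|plugins)/")


class AssetPaths(HTMLParser):
    """Collect the path component of every src/href attribute in the page."""

    def __init__(self):
        super().__init__()
        self.paths = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value:
                # urlparse drops scheme, host and query string for us.
                self.paths.append(urlparse(value).path)


def disclosed_content_dirs(html):
    """Map each directory found in front of themes/plugins to the kinds seen."""
    parser = AssetPaths()
    parser.feed(html)
    found = {}
    for path in parser.paths:
        match = MARKER.match(path)
        if match:
            found.setdefault(match.group("base"), set()).add(match.group("kind"))
    return found


if __name__ == "__main__":
    for base, kinds in disclosed_content_dirs(SAMPLE_HTML).items():
        print(base, sorted(kinds))
```
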
 *  Thread Starter [Pablo](https://wordpress.org/support/users/pibo/)
 * (@pibo)
 * [13 years, 11 months ago](https://wordpress.org/support/topic/feature-request-secure-wordpress/#post-2815192)
 * Hello Jan,
 * Thank you for your explanation. I am not an expert in security, and once again,
   if you consider that WordPress has done its best and it doesn't need improvements,
   all said.
 * But please note that, as a user (and I speak for all the people who are asking the
   same question), it is unbelievable that all the answers evade the issue,
   and that those who must increase the security are the reckless rest of the world: the users,
   the plugin and theme coders, the web hosts, etc. Isn't it contradictory? As
   WP is done with ultimate security, it doesn't actually need improvements by default
   and a simple user could make it vulnerable. I don't want to think what a hacker
   could do…
 * Anyway, it's not a question, just a thought. So it's not necessary that you answer
   once again.
 * Regards.
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [13 years, 11 months ago](https://wordpress.org/support/topic/feature-request-secure-wordpress/#post-2815193)
 * The answers you are being given are not an evasion. There is simply absolutely
   no benefit, at this time, in changing or hiding these folders.
 *  Moderator [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * (@ipstenu)
 * 🏳️‍🌈 Advisor and Activist
 * [13 years, 11 months ago](https://wordpress.org/support/topic/feature-request-secure-wordpress/#post-2815320)
 * WP is not the ‘ultimate’ security. The devs just chose to spend more time actually
   making things secure versus trying to make it _feel_ secure. They spend time
   checking for cross-scripting bugs, SQL injection, and other serious issues, instead
   of adding in features that don’t help.
 * Think on it this way: The more options you put in to allow people to move /wp-admin
   etc, the more points of attack you’ve created. It’s not making anything
   more secure, it just makes you feel like it is, because, oh look! You moved it!
   No one will find it!
 * Except I could pick it out in probably 10 minutes lazy work. So what did you 
   do? Waste your time.


The topic ‘Feature request: secure WordPress’ is closed to new replies.

## Tags

 * [hide](https://wordpress.org/support/topic-tag/hide/)
 * [wp-admin](https://wordpress.org/support/topic-tag/wp-admin/)

 * In: [Requests and Feedback](https://wordpress.org/support/forum/requests-and-feedback/)
 * 8 replies
 * 4 participants
 * Last reply from: [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * Last activity: [13 years, 11 months ago](https://wordpress.org/support/topic/feature-request-secure-wordpress/#post-2815320)
 * Status: not a support question

