Change wp-content
-
Hi folks,
I’m looking to change wp-content.
In wp-settings.php I’m looking at wp_initial_constants. Setting ‘WP_CONTENT_DIR’,’/home/user/some-dire’ didn’t work out…
Can you please give me a hand here?
Thanks!
-
That just proves that there is a blank index.php file present in your wp-content directory. As there is with all default installations of WP 3.0.
Everything else located in your themes, plugins, and uploads folders are as plain as day in your source code. They are web accessible directories that display your theme and uploaded content.
@claytonjames yup, that’s my point…
So, as far as I can understand, there’s no way to hide the wp-content from the source? Wooow…then at this chapter is “1-0” for Joomla…which I really don’t need for this project…
Hi,
Sorry I missed that “source code”.
I’ve seen some thread on the net about that. Cannot remember where.
Good luck.
Pierre
Everything else located in your themes, plugins, and uploads folders are as plain as day in your source code.
Yes
They are web accessible directories that display your theme and uploaded content.
No
( well, I’ve left one directory of PDFs to be accessible )
Pierre
The idea here is to hide any “wp-trace” from the source. If an attacker knows what CMS you are using…you are extremely vulnerable.
I can’t really think of any reason to go out of one’s way to hide them if file and directory ownership and permissions are correct.
“Hacking” by script seems to make that a weak solution. If you’re using wordpress (or any other known platform) the core file and directory structures are also known to anyone who fabricates a tool to search for un-patched versions of vulnerable files. And yes, those could include searches for vulnerable plugins as well, but I think any real threat is more likely to come from weaknesses in plugins or themes from un-trusted sources – which have to be installed by the user. Or from errors and exploits in your ftp account, or server administration, than it is from the web. – Just my opinion, mind you.
They are web accessible directories that display your theme and uploaded content.
No
Yes, they are. The content (files) located in the “Themes”, “Uploads”, and “Plugins” directories are all accessible with any web browser. The directories may not be “browse-able” due to the presence of blank index files or “Options -Indexes” in an .htaccess file, but the files in them are viewable.
Here’s an image from your uploads folder.
https://pierrecote.fondationcem.org/wp-content/uploads/2009/12/Old-Raman-road1.png
@claytonjames totally agree, if you think at “experienced attackers”, not script kiddiez that just found a fresh exploit…
Like…a guy comes on the site and says “hey, what CMS are they using”. They take a quick look at the source, and in 5 seconds voila…they know that you are using WP.
If such a person will not see any trace of wp-content then it will – at least – think that the website is using a custom platform and let it go.
Agreed, for persuasive hackers, this thing is not a problem, as they can try to access a system-wide directory, like /wp-admin/ (that you can’t rename), and see that you’re using WP.
So the basic idea is to make at least a “first impression” of security, for those who are more curious than they should.
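An added example, not part of any post in this thread: a small self-audit of a page's HTML source for the platform markers the posters are debating. It goes beyond the thread's own markers (wp-content, /wp-admin/) by also checking wp-includes and the generator meta tag; the two sample pages are constructed, with `/assets/` as an assumed replacement directory name.

```python
import re
from html.parser import HTMLParser

# "wp-content" and "wp-admin" are the markers named in the thread; "wp-includes"
# and the generator meta tag are further well-known WordPress markers.
PATH_MARKERS = ("wp-content", "wp-includes", "wp-admin")

class MarkerScan(HTMLParser):
    """Collect WordPress markers from URL attributes and the generator meta tag."""

    def __init__(self):
        super().__init__()
        self.found = {}  # marker name -> list of evidence strings

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        content = a.get("content") or ""
        if tag == "meta" and (a.get("name") or "").lower() == "generator" \
                and "wordpress" in content.lower():
            self.found.setdefault("generator", []).append(content)
        for key in ("href", "src", "action"):
            url = a.get(key) or ""
            for marker in PATH_MARKERS:
                # Match the marker only as a whole path segment.
                if re.search(r"(^|/)" + re.escape(marker) + r"(/|$)", url):
                    self.found.setdefault(marker, []).append(url)

def audit(html):
    """Return {marker: [evidence, ...]} for one page's HTML source."""
    scan = MarkerScan()
    scan.feed(html)
    return scan.found

# Constructed sample pages (not taken from any real site).
DEFAULT_PAGE = """<html><head>
<meta name="generator" content="WordPress 3.0" />
<link rel="stylesheet" href="/wp-content/themes/example/style.css" />
<script src="/wp-includes/js/jquery/jquery.js"></script>
</head><body><img src="/wp-content/uploads/2009/12/photo.png"></body></html>"""

# Same page with the content directory served from /assets/ instead.
RELOCATED_PAGE = DEFAULT_PAGE.replace("/wp-content/", "/assets/")

if __name__ == "__main__":
    for name, page in (("default", DEFAULT_PAGE), ("relocated", RELOCATED_PAGE)):
        print(name, sorted(audit(page)))
```

On the relocated sample the wp-content marker disappears while the other two remain, which is the gap between renaming one directory and removing every trace from the source.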
Sillybean
WordPress Hidden Gems: Hiding wp-config.php
Your configuration file contains your database username and password, so it’s important to keep this file secure. If you are installing WordPress in your web root directory (such as public_html), you can move your wp-config.php file to the parent directory — one that isn’t readable from a browser — without changing any settings. WordPress will automatically recognize the file’s new location.
to me this is way better than trying to move/hide folders
@samuel B – as replied to ClaytonJames, yes, also this is a very good way to secure a WP site.
Still, the idea in this thread is to hide /wp-content/ from the source…and as far as I understood until now there’s no way to do that.
You got me there. I didn’t dig enough.
Hummm… I guess it’s a “first impression” of security, then.
Thanks, I’m waking up, now.
Pierre
if you think at “experienced attackers”, not script kiddiez that just found a fresh exploit…
I don’t think that at all. Anyone with ten minutes and ill intent can download a script and try to hack their way into any platform. It doesn’t matter who they are. That sort of info flows like wine if you have a mind to look for it.
If such a person will not see any trace of wp-content then it will – at least – think that the website is using a custom platform and let it go.
It’s not usually “someone” as much as automated scripting, that looks for entry points. No, not to make a first impression for anyone, but to learn how to properly secure what you have. An easy – if not exaggerated – example…
Type your domain name into the address bar and add readme.html to it. Like this: //pierrecote.fondationcem.org/readme.html
Now there’s something you can remove if you hadn’t already thought of it. There’s plenty you can do. Here is some basic info to get you started with things that you can control.
And again, this is all just my opinion. The more you can do to protect yourself, the better off you are. Don’t allow my thoughts to keep you from searching for a solution that achieves what you want. I would be interested to know what you might find.
Good luck to you!
@claytonjames – thanks for your tips! I’ve already removed readme.html hehehe, that’s a nice thing to begin with
I’ll keep searching for a way to achieve the “no /wp-content/ in source” goal and…who knows…maybe I’ll find a way.
So, anybody…any ideas?
and what about the method explained here: https://www.nexwp.com/stories/how-to-protect-the-wp-content-folder-of-wordpress ??
it seems to work quite nicely.