Security Log

A blog only about WP security.

WP Security / Security Log / Hide WordPress With Custom Code

Hide WordPress With Custom Code

A WordPress security plugin is great to help protect your site from brute-force attacks. If your website gets a massive amount of traffic, then it may make sense to make your site a little more obscure so that bots do not attempt to attack you in the first place.

Here are some instructions on how to hide your WordPress site. (Use these instructions at your own risk.)

Change Your Directory Structure: /wp-content/

If you want to change your directory structure, the following steps will guide you and keep your site compatible with future core, plugin, and theme updates.

Warning: Read through all the steps before implementing anything on a live site to ensure you have the proper access to make all these changes.

  1. Place the code below in your wp-config.php file just before the “/* That’s all, stop editing! Happy publishing. */”Warning: The code below will break your site until all the remaining steps are completed.
    /** Absolute path to the WordPress directory. */
    ( defined('ABSPATH') ) || define('ABSPATH', __DIR__ . '/');
    //content directory: /wp-content/ => /content/
    define( 'CONTENTDIR', 'content' );
    define( 'WP_CONTENT_URL', '/' . CONTENTDIR );
    //plugin directory: /wp-content/plugins/ => /content/plugins/
    define( 'PLUGINDIR', CONTENTDIR .'/plugins' );
    define( 'WP_PLUGIN_URL', '/' . PLUGINDIR );
    //mu plugins durectory: /wp-content/mu-plugins/ =? /content/mu-plugins/
    define( 'MUPLUGINDIR', CONTENTDIR .'/mu-plugins' );
    define( 'WPMU_PLUGIN_URL', '/' . MUPLUGINDIR );
    //uploads directory: /wp-content/uploads/ => /content/uploads/
    define( 'UPLOADS', CONTENTDIR . '/uploads' );
  2. You will need to rename the wp-content directory.
    1. Connect to your website using FTP, SFTP, or SSH.
    2. Rename the directory /wp-content/ to /content/. This will subsequently affect the other directories as this directory is the parent of them.
    3. Your website should be mostly functional at this point, but you will notice that there are broken images throughout the site. Fix this in the next step.
  3. Update the database references.
    1. Login to your site
    2. Go to the plugins and click “Add New Plugin” then search for and install the plugin “Better Search & Replace
    3. Once installed, go to Admin > Tools > Better Search & Replace
    4. Fill in the form: Search for “wp-content” and Replace it with: “content” and uncheck the checkbox “Run as dry run”, then click the “Run Search/Replace” button.
    5. Now, your site is referencing the correct files, and the site should be working properly.

Change REST-API /wp-json/ to /api/

Warning: By changing the REST-API URL, you must ensure that your code does not directly reference the REST-API URL. Always use this function to get that URL: get_rest_url()

Warning: Some plugins have hardcoded the REST endpoint URLs in their code. Before you do this, make sure that you search the code of all plugins that you have installed for the string “wp-json”. If you find someone referencing it, then it is likely not safe to use as their code will break.

Add the following code snippet to your functions.php file in your custom theme or child theme:

* Replaces 'wp-json' with 'api'.
* Immediately flush your rewrite rules so that this change is applied.
add_filter( 'rest_url_prefix', function () {
	return 'api';
} );

Change “wp-includes” references in the source code

There are no detailed instructions on this at this time.

  1. Basically, you need to register a rewrite rule for “includes” and then attach some code that then subsequently maps that to the wp-includes directory.
  2. Replace the source code output where the pattern “wp-includes” is with “includes”.
  3. Flush the rewrite rules to make the changes active.

Change “wp-block” references in the source code

There are no detailed instructions on this at this time.

Warning: If you already have styling created for your blocks, this will likely break all of that.

  1. Write a script that fixes all CSS dependencies that style the wp-block
  2. Replace all classes that involve “wp-block” in the HTML source code output
  3. Replace all references to wp-block in your own SCSS and CSS files.
  4. Don’t forget to clear cache, as HTML and CSS tend to be cached by various caching plugins.


If you notice any incorrect or missing information on this page, please let us know.