Get WordPress protected: rename the plugins folder
Giving the plugins folder a new name is one of the most underestimated ways that make your WordPress protection stronger. And yet it’s free and easy.
Why it matters and how it works
According to our studies at Cerber Lab most hacker attacks and attempts to exploit plugin vulnerabilities assume that all WordPress plugins are located in the default folder for all plugins which is /wp-content/plugins/. Fortunately, the name of this folder can be easily changed to whatever you want in literally two simple steps. Does this mean that cybercriminals have zero knowledge about the ability to rename the folder and blindly attack the default plugin location? No, not always, but, the vast majority of WordPress powered websites use the default folder structure, and that’s why cybercriminals exploit this weakness with easy.
Our analytics shows that most websites are hacked by exploiting a vulnerability in an outdated plugin and in most cases the attacker has used the vulnerability in the PHP file that is located in the default WordPress plugins folder.
Hint: use the Cerber malware scanner to find a vulnerability in installed plugins.
How to rename the WordPress plugins folder
First of all, you need to have access to the files on your website via your hosting control panel which usually has a file manager. Alternatively, you can use an FTP client.
The first step is to rename the existing WordPress plugins folder to any name you want. Let’s assume we use the modules name. Note that the name of the plugins folder must contain ASCII characters only. Simply put “use Latin alphabet letters only”.
The second step is adding two define directives to the wp-config.php file which help WordPress to recognize and use the new name of the plugins folder. You may not use a built-in file editor in the WordPress admin dashboard at this step. Use a file editor from within your hosting control panel or an FTP client to edit the wp-config.php file. See an example below and note:
- You have to add directives to the beginning of the file on the next line after <?php.
- You have to use your full path to your plugins directory for WP_PLUGIN_DIR. Hint: You can find the full path to the standard plugins folder on the Tools / Diagnostic admin page. It’s shown in the Filesystem section in the “WordPress plugins folder” row.
- No trailing slashes.
<?php
define('WP_PLUGIN_DIR', '/full/path/to/wp-content/modules');
define('WP_PLUGIN_URL', 'https://example.com/wp-content/modules');
The WP_PLUGIN_DIR constant defines the full path without trailing slash to your renamed plugins folder.
The WP_PLUGIN_URL constant defines the URL without trailing slash of your renamed plugins folder.
Once you’ve completed these two steps, you add an additional security layer to your WordPress. Another security mechanism you should consider is enabling scheduled malware scans.
Possible issues and troubleshooting
The website is not loading and showing errors. It usually means you’ve made a typo in the folder name. Carefully check the definitions that you’ve added to wp-config.php, the full path, and the URL you’ve specified. You have to specify the path and the URL of your website. Do not copy them from the example above and do not try to rename the plugin folder or edit the wp-config.php file from within the WordPress dashboard.
Some features stopped working. You happen to have a poorly designed or outdated plugin installed on the website. The best thing you can do is to get rid of it. There are no excuses for poor plugin development. A plugin developer must obey WordPress coding standards.
How to restore the default name of the plugins folder
- Remove all lines with WP_PLUGIN_DIR and WP_PLUGIN_URL directives from the wp-config.php file
- The default name of the folder where WordPress plugins reside is plugins so rename the plugin folder back to plugins
Next steps that’ll strengthen your WordPress security
- Enable Custom login page
- How to block spam user registrations
- How to block spam form submissions
- How to block access to WordPress REST API
- How to disable using a specific username
Have any questions?
If you have a question regarding WordPress security or WP Cerber, leave them in the comments section below or get them answered on the community forum.
Spotted a bug or glitch?
We’d love to fix it! Share your bug discoveries with us here: Bug Report.
WordPress 5.4.1. A security update fixes seven XSS vulnerabilities
WP Cerber Security 8.6.5
I'm a software engineer and team lead at Cerber Tech. I started coding in 1993 on IBM System/370 and today software engineering at Cerber Tech is how I make my living.
I tried changing the directory but it didn’t work.
Looking for more information I found something that works.
define( ‘WP_PLUGIN_DIR’, dirname(__FILE__) . /content/mod’);
define( ‘WP_PLUGIN_URL’, ‘http://example.com/content/mod’);
Why this way if it works and not the way you have in the post?
Has anything changed in the latest versions of WordPress?
The same thing happens to me with WP-CONTENT
Thanks
Yes, you can use this way too but it leaves some room for uncertainty because a constant should be constant. The perfect way is to define a static value like a string. It didn’t work for you most likely because the path you specified for WP_PLUGIN_DIR was not correct. Possibly because you had changed the default wp-content path to content. In this case, the full config should be:
// no trailing slashes
define('WP_CONTENT_DIR', dirname(__FILE__) .'/content');
define('WP_CONTENT_URL', 'https://example.com/content');
define('WP_PLUGIN_DIR', WP_CONTENT_DIR . '/mod');
define('WP_PLUGIN_URL', WP_CONTENT_URL . '/mod');
Thanks!
I started by following this other post https://wpcerber.com/turn-wordpress-into-fort-knox/
But I couldn’t get it to work well.
Yes, that approach requires some technical background.
Hello Gregory,
well, I have a similar problem to make things work using those two extra lines of code in the config file.
I changed the plugin-folders name into “whatever”, located in: … /wp-content/
I specified the direction and url in the config file like:
define(‘WP_PLUGIN_DIR’, ‘/wp-content/whatever’);
define(‘WP_PLUGIN_URL’, ‘https://example.com/wp-content/whatever’);
and put all this in the first two lines right after the <?php in the config file.
The website is loading without problems and the plugins, which make the look of the website, seem to work, but:
I use your plugin WP Cerber to change the log-in page from wp-login.php to whatever2. Everything worked out very nice before, but after changing the code in the config file and renaming the plugins folder, the website loads with an error not to have found the page … /whatever2
Maybe the automated change of the log-in page causes some trouble. Do you have any advice?
Thanks and regards,
Sven
Please submit a support request on the support forum: https://wordpress.org/support/plugin/wp-cerber/
Hi.. I’m a little confused on the instructions…
Let’s say my full path to the plugins folder is: /home/eaiksdkg768sk/public_html/wp-content/plugins and I want to change the “plugins” word to “test123”
So, would this be the correct directives? (See below)
<?php
define('WP_PLUGIN_DIR', '/home/eaiksdkg768sk/public_html/wp-content/plugins/path/to/wp-content/test123');
define('WP_PLUGIN_URL', 'https://websitedomain.com/wp-content/test123‘);
My confusion is: Am I leaving the word "path" in the first line?
No. The correct value for WP_PLUGIN_DIR is:
define('WP_PLUGIN_DIR', '/home/eaiksdkg768sk/public_html/wp-content/test123');Okay, thank you Gregory.