Get WordPress protected: rename the plugins folder
Giving the plugins folder a new name is one of the most underestimated ways that makes your WordPress protection stronger. And yet it’s free and easy.
Why it matters and how it works
According to our studies at Cerber Lab most hacker attacks and attempts to exploit plugin vulnerabilities assume that all WordPress plugins are located in the default folder for all plugins which is /wp-content/plugins/. Fortunately, the name of the folder can be easily changed to whatever you want in literally two simple steps. Does this mean that cybercriminals have zero knowledge about the ability to rename the folder and blindly attack the default plugin location? No, not always, but, the vast majority of WordPress powered websites use the default folder structure, and that’s why cybercriminals exploit this weakness with easy.
Our analytics shows that most websites are hacked by exploiting a vulnerability in an outdated plugin and in most cases the attacker has used the vulnerability in the PHP file that is located in the default WordPress plugins folder.
Hint: use the Cerber malware scanner to find a vulnerability in installed plugins.
How to rename the WordPress plugins folder
First of all, you need to have access to the files on your website via your hosting control panel which usually has a file manager. Alternatively, you can use an FTP client.
The first step is to rename the plugins folder to any name you want. Let’s assume we use the modules name. The name of the folder must contain ASCII characters only. Simply put “use Latin alphabet letters only”.
The second step is adding two define directives to the wp-config.php file which tell WordPress that we use a new name for the plugins folder. See the example below and note:
- You have to add directives to the beginning of the file on the next line after <?php.
- No trailing slashes.
<?php define('WP_PLUGIN_DIR', '/full/path/to/wp-content/modules'); define('WP_PLUGIN_URL', 'https://example.com/wp-content/modules');
The WP_PLUGIN_DIR constant defines the full path without trailing slash to the renamed plugins folder.
The WP_PLUGIN_URL constant defines the URL without trailing slash of the renamed plugins folder.
Once you’ve completed these two steps, you add another security barrier to your WordPress. Another security mechanism you should consider is enabling scheduled malware scans.
Possible issues and troubleshooting
The website is not loading. It usually means you’ve made a typo in the folder name. Carefully check the definitions that you’ve added to wp-config.php, the full path and the URL you’ve specified.
Some features stopped working. You happen to have a poorly designed or outdated plugin installed on the website. The best thing you can do is to get rid of it. There are no excuses for poor plugin developing. A plugin developer must obey WordPress coding standards.
How to restore the default folder name. Remove all lines with WP_PLUGIN_DIR and WP_PLUGIN_URL directives from the wp-config.php file, rename the plugin folder back to plugins.
Next steps that’ll strengthen your WordPress security
Last posts from WordPress security blog
- WP Cerber Security 8.1 March 6, 2019
- How to protect WordPress effectively: a must-do list March 1, 2019
- WP Cerber Security 8.0 February 20, 2019
- Development version 7.9.9 February 10, 2019
- Manage multiple WP Cerber instances from one dashboard February 4, 2019