5 Tips for WordPress Power Users

Tweet

WordPress not only gives users the ability to create powerful websites with great features, it also allows users to make customizations to add extra security, streamline deployment and assist with administration.

Installing WordPress is very simple and easy, even beginners with a basic knowledge of the web can do it. In this article, we go beyond the basics and discuss 5 tips for WordPress power users:

  1. wp-config can reside outside of the root directory
  2. WordPress can be installed via the command line using WP-CLI
  3. You can enable SSL for logins and to access the Dashboard
  4. You can easily enable two-factor authentication
  5. WordPress can be installed in a subdirectory (and still run it from the web root)

1. wp-config Can Reside Outside of the Root Directory

wp-config is the primary WordPress configuration file. It contains your database name, database user and password, unique authentication keys, table prefix and other important information.

To add an extra layer of security, you can move wp-config.php outside of the WordPress installation directory. This means for a site installed in the root of your web hosting space (e.g the public_html directory), you can save wp-config.php outside of the web root folder.

You can also create a new directory outside of public_html or you can save wp-config.php in an existing directory, and WordPress just works.

2. WordPress Can Be Installed Via the Command Line Using WP-CLI

WP-CLI stands for WordPress Command Line Interface. WP-CLI is a set of command-line tools for managing WordPress installations and it’s extremely powerful. You can perform common tasks very easily such as updating WordPress, generating backups, updating plugins and setting up WordPress Multi-site just to name a few.

The WP-CLI project website has all the details on how to install and use WordPress’ command line interface. If you use DreamHost, WP-CLI is installed on all their servers. For more information, you can visit the DreamHost Wiki.

3. You Can Enable SSL for Logins and to Access the Dashboard

Normally, most of us log into our WordPress sites without SSL enabled, but WordPress allows you to force SSL logins and access to the Administration Dashboard.

To enable this, all you need to do is add the following to your wp-config.php:

define('FORCE_SSL_ADMIN', true);
define('FORCE_SSL_LOGIN', true);
/ That's all, stop editing! Happy blogging. /

You also need an SSL certificate setup for your domain. SSL certificates will cost you around $10 to $50+ annually. The WordPress Administration Over SSL Codex page has all of the details for those wanting to know more.

4. You Can Easily Enable Two-factor Authentication

While this isn’t a native feature of WordPress and requires a plugin, we felt that it’s related to some of the other tips covered in this article and deserves a mention.

Two-factor (or two-step) authentication is the process of requiring 2 pieces of information to log in, not just a password. Usually it’s a hardware token such as a Yubikey or a service such as Google Authenticator or Duo.

Some of the various security plugins also offer two-factor authentication.

5. WordPress Can Be Installed in a Subdirectory

Did you know that WordPress allows you to customize your installation directory as well? Normally, you would install WordPress in the root directory (e.g public_html) but WordPress also allows you to install it in a subdirectory http://domain.com/wphere and your site address (URL) will remain same http://domain.com/.

Here is a screen shot of WordPress installation in root directory.

The public_html Directory

Your login URL should look something like this:

http://www.domain.com/wp-admin/

If you install WordPress in its own directory, suppose you have named your directory layer213 your login URL will be something like:

http://www.domain.com/layer213/wp-admin/

You can name the directory where the WordPress files will be located to anything you like. In my case, you can see I have named it layer213.

One reason for wanting to do this is to move the files and directories that clutter up your web root to somewhere else. Your website will still appear to be installed in the web root and your URLs will still work as normal.

So, in our example your WordPress directory structure would look like:

http://www.domain.com/layer213/wp-admin/

Your site address will remain at:

http://www.domain.com/

That means that users will still visit:

http://www.domain.com/

To view your site Dashboard, you would visit:

http://www.domain.com/layer213/wp-admin/

It may seem strange, but it’s a fully supported configuration, covered in more detail at the WordPress Codex.

How to Change the WordPress Address (URL) in the Dashboard

Please note: You should only attempt to do this if you have FTP/SFTP access to your server and you are comfortable getting hands-on with copying and moving files.

Let’s walk through the steps needed to install WordPress in its own directory, or if you have already installed it in a subdirectory, how can you change these settings.

Log in to your WordPress dashboard go to Settings and General. Below is a screenshot of WordPress Dashboard before moving the WordPress files.

WordPress Settings Site Address

Now change WordPress Address (URL) with your directory name, whatever you want to name your directory. In my example, I have given it layer213. Site Address (URL) will remain same. Here is a screenshot after changing WordPress Address (URL).

WordPress Settings

Now click Save Changes. Don’t worry if you see any errors or your site without any styles. This is normal, we are yet to move the files the new location.

Moving the WordPress Files

Now log in your web hosting Control Panel (cPanel or Plesk etc) or connect via FTP/SFTP. Go to your File Manager and create a new directory. Name it layer213 (change this to whatever name you’d like), the name must be the same as what you entered in the WordPress Dashboard.

Select all the WordPress files except the new directory that you created. In my case it is layer213 and move all files to this new directory.

Copy (Do NOT MOVE!) the index.php and .htaccess files from the new WordPress directory into the root directory of your site (e.g public_html).

Download index.php to your local computer and open it in a text editor. Find the following line:

require( dirname( __FILE__ ) . '/wp-blog-header.php' );

Change it to the following, using your directory name for the WordPress core files:

require( dirname( __FILE__ ) . '/layer213/wp-blog-header.php' );

Save the changes and upload it to the root directory (e.g pubic_html) of your web server.

Where is .htaccess?

When you open cPanel and click on File Manager, check the box which says ‘Show hidden files’. Hidden files like .htaccess will then become visible in your File Manager.

If you’re running WordPress on a Windows IIS Server and have enabled Permalinks, you will be using web.config rather than.htaccess.

Logging into your Dashboard

Now log into your WordPress Dashboard by typing http://www.domain.com/layer213/wp-admin/ and update your permalink structure if you have it set up. If for any reason WordPress fails to update the permalink structure, it will display the new rewrite rules. Copy and paste these new rules manually into .htaccess file which resides in the root directory.

If You Already Have a Subdirectory Installation

If you have already installed WordPress in a subdirectory, you will have to copy index.php and .htaccess files to your root directory.

Before moving these files, log into your WordPress Dashboard and go to Settings and then the General tab.

Change the Site Address (URL) to your root directory. For example, if the URL is http://domain.com/layer213 then change it to http://domain.com and Save Changes.

Don’t worry if you see any errors, this is expected.

After changing the Site Address (URL) now copy (don’t move) index.php and .htaccess from layer213 (in my example above) to the root directory of your site (e.g public_html).

Now open your index.php in any text editor and change following line:

require( dirname( __FILE__ ) . '/wp-blog-header.php' );

To the following code:

require( dirname( __FILE__ ) . '/layer213/wp-blog-header.php' );

Change layer213 to your directory name. Save the changes and then upload the file to the root directory. Your log in address will remain same as before.

You can see a screenshot below after giving WordPress it’s own directory.

The public_html Directory After Moving WordPress

Suggestions

Please remember your site will not function correctly when carrying out some of the above steps. If you have lots of visitors you might want to enable Maintenance Mode. You can install a free Maintenance Mode plugin to enable Maintenance Mode with a few clicks.

Get your free chapter of Level Up Your Web Apps with Go

Get a free chapter of Level Up Your Web Apps with Go, plus updates and exclusive offers from SitePoint.

  • BennyBrown

    Google is paying 80$>>CLICK NEXT TAB FOR MORE INFO AND HELP

  • http://www.tailormadesolutions.com.au Bradly Sharpe

    I use Authy for 2 factor authentication on my website, works well! Have iOS and Android apps and a web interface

    • KerryJTruong

      Google is paying 80$ per hour! Work for few hoursand have more time with friends & family! On tuesday I got a great new Land Rover Range Rover>>CLICK NEXT TAB FOR MORE INFO AND HELP</b

    • http://chrisburgess.com.au/ Chris Burgess

      Hi Bradly, looks good! Will check it out, thanks for sharing :)

    • Tahir Taous

      Thanks for sharing Bradly.

  • seabee

    I used to keep all my WP sites in a sub-directory, as above. However Migrate DB Pro doesn’t work well with that arrangement (had to patch up the database manually on every update). Have contacted them, but they were in disagreement and seems not commonly required (love Migrate DB Pro apart from this issue).

    Putting wp-config outside sounds great, but how to tell WP where it is? Should be in the article.

    • http://chrisburgess.com.au/ Chris Burgess

      Hi seabee, you don’t need to tell WordPress — it automatically looks for the file:

      Source: http://codex.wordpress.org/Hardening_WordPress

      Securing wp-config.php

      You can move the wp-config.php file to the directory above your WordPress install. This means for a site installed in the root of your webspace, you can store wp-config.php outside the web-root folder.

      Note: Some people assert that moving wp-config.php has minimal security benefits and, if not done carefully, may actually introduce serious vulnerabilities. Others disagree.

      Note that wp-config.php can be stored ONE directory level above the WordPress (where wp-includes resides) installation. Also, make sure that only you (and the web server) can read this file (it generally means a 400 or 440 permission).

      As you mention, some plugins/themes/tools expect things to be in certain spots…

  • Tahir Taous

    Thanks for sharing your experience, i think it depends on your experience i personally find it simple and easy to install WordPress in its own directory.

  • http://www.rublon.com/ Michal Wendrowski

    Rublon offers two-factor authentication without a phone (only needed during setup): https://wordpress.org/plugins/rublon/