Many people – including me – recommend to install WordPress in a subdirectory to enhance security. This allows you to create a subdomain pointing to your wp-content Directory and to change the WP_CONTENT_URL in you wp-config.php to use this subdomain. This hides the name of the subdirectory WordPress is installed in from the HTML code.
Let’s say your domain is
www.example.com and you uploaded an image named
photo.jpg in december 2016. The URL of the image will be
www.example.com/wp-content/uploads/2016/12/photo.jpg. And now let’s say you installed WordPress in a subdirectory named
mysite, but still using
www.example.com without the directory as your home URL. In that case the path
mysite will not be visible in the URL of your pages. If you use a secret name for the subdirectory – different from
mysite – it will not be possible for hackers to guess that your admin dashboard is accessible on
Theoretical. Your images will still betray the physical path. The URL of our image above now will be
www.example.com/mysite/wp-content/uploads/2016/12/photo.jpg. Using a subdomain that points to the
/mysite/wp-content directory on your webserver closes this security gap. Let’s say your subdomain is
content.example.com, then the URL of the image will be
content.example.com/uploads/2016/12/photo.jpg. The path
mysite is successfulle hidden from your HTML code.
But there’s still a problem. For easier access to the admin area WordPress redirects several URLs to it. Typing in
www.exmaple.com/wp-admin in a browsers address bar in our example will automatically redirect to
www.exmaple.com/mysite/wp-admin. The same if you try
www.exmaple.com/admin – plus some other URLs.
This code snippet prevents WordPress from betraying the path WordPress is installed in. Trying to access
www.exmaple.com/wp-admin then will cause a 404 error. Using this simple code securely hides your WordPress location. The admin area will be available only for people who know the correct URL.