Change wp-includes Path with WP Ghost

The WP Ghost plugin is packed with hack-prevention tools to protect your WordPress website from hackers. One of its most useful features is the option to change and hide important paths, such as the wp-includes folder.

Hiding the wp-includes folder makes it harder for hacker bots and tools to find weak spots in your WordPress core library. This simple step can significantly improve your website’s security.

In this tutorial, we’ll show how to easily change the wp-includes path using WP Ghost’s simple and easy-to-use settings.

What is the wp-includes path in WordPress?

The wp-includes path refers to the directory where the core files of the WordPress system are located.

This directory contains essential files responsible for the functionality and operation of your WordPress website. These files include core scripts, styles, classes, and functions required for various aspects of your site to work properly.

The wp-includes directory is a fundamental part of WordPress. It houses code that powers features such as handling database queries, generating HTML output, managing user sessions, providing essential functions and classes, and much more. It’s essentially the engine room of your WordPress site.

While the wp-includes directory is crucial for your site’s operation, it can also be a potential target for malicious attacks. Hackers often attempt to exploit vulnerabilities within these core files to gain unauthorized access to your website or carry out other malicious activities.

Protecting the integrity of the wp-includes directory is vital for maintaining the security of your WordPress site.

Why is it Essential to Secure the wp-includes Path?

Securing the wp-includes directory in WordPress is essential due to its critical role in your website’s functionality and overall security.

Here’s why it’s essential:

• Protect core functionality: The wp-includes directory contains the core files that enable essential functions in WordPress. These files manage critical aspects of your website, such as database interactions, user authentication, content rendering, and more. Unauthorized access or modifications to this directory can disrupt your site’s functionality and may even render it inoperable.
• Prevent unauthorized access: Hackers often target the wp-includes directory as a potential attack entry point. Exploiting vulnerabilities in core files can give them control over your entire website. Securing the path makes it harder for malicious actors to locate and exploit these vulnerabilities, effectively reducing the risk of unauthorized access.
• Minimize malware injection: If an attacker gains access to the wp-includes directory, they could inject script code into core files. This code could spread across your site and infect various pages, compromising user data and using your website for phishing or ransom. Securing the path helps prevent such injections and maintains the integrity of your website’s codebase.
• Enhance website privacy: Obscuring the wp-includes path adds a layer of privacy to your website. It keeps sensitive information about your WordPress installation hidden from prying eyes, making it less likely for attackers to gather intelligence about your setup.

Securing the wp-includes path in WordPress is vital for protecting your website’s core functionality, user data, and overall reputation. By taking this proactive step, you create a more resilient defense against potential threats and help ensure the long-term security of your WordPress site.

One way to boost WordPress security and prevent site hacking is to customize and hide the wp-includes path. This involves changing the URL or directory name of the wp-includes directory so it’s not easily discoverable. You can easily change the wp-includes path using the security plugin WP Ghost.

How to Secure Wp-Includes with WP Ghost

Activate Safe Mode or Ghost Mode

Begin by activating Safe Mode or Ghost Mode to open the path customization process.

1. Access your WordPress dashboard after installing and activating the WP Ghost plugin.
2. Go to WP Ghost > Change Paths > Level of Security.
3. Select Safe Mode or Ghost Mode. Safe Mode provides basic protection, while Ghost Mode offers more advanced security features.

Change wp-includes Path

With Safe Mode or Ghost Mode enabled, proceed to change the wp-content path.

1. Go to WP Ghost > Change Paths > WP Core Security.
2. Next to the Custom wp-includes Path, you’ll see the predefined custom name for the wp-includes path.
3. Enter a different name line “library” or keep the predefined custom name.
4. Click the Save button to apply the changes.

Note: Select a custom name that is not easily guessable to improve security.

Note: WP Ghost does not physically change the paths on your server. It uses rewrite rules to prevent any functionality errors.

Hide wp-includes Path

An essential action in protecting your website from hacker attacks is hiding the WordPress core common paths like wp-includes after changing the path name.

WP Ghost will add a filter in the config file to show a 404 error when a hacker bot or a non-logged-in user tries to access the wp-includes path and subpaths.

1. Go to WP Ghost > Change Paths > WP Core Security.
2. Switch to the Hide WordPress Common Paths option to hide the wp-includes path and sub-paths.
3. Select from Hide File Extensions the file extension you want to hide from wp-includes sub-paths.
4. Click the Save button to apply the changes.

By selecting JS and PHP file extensions from the Hide File Extensions option, you hide and secure files like Javascript and PHP, which hacker bots use to inject SQL and JavaScript into these files.

Run a Security Check

After saving your wp-includes path changes, it’s important to run a security check to verify that the new path is hidden.

1. Go to WP Ghost > Security Check.
2. Click the Run Full Security Check button to initiate a new security scan.
3. The plugin will verify that the wp-includes path has been successfully changed.
4. If the path is hidden as intended, the security task will be marked as complete.

Conclusions

The WP Ghost plugin allows you to protect your website’s core by changing the wp-includes path. By customizing the name and hiding it from the source code, you can block potential threats and improve your website’s security.

Before you start customizing the path, activating Safe Mode or Ghost Mode as your first layer of defense is essential. After making and saving your changes, be sure to run a security check to confirm that your modifications have taken effect.

As you explore the complex world of WordPress security, learning how to change the wp-includes path can provide a strong defense against potential breaches. Your website’s security is in your hands, and WP Ghost is a reliable partner on this journey.

Troubleshooting

Theme Breaks or The Layout Doesn't Load Correctly

If your theme appears broken or the layout doesn’t load correctly after modifying the WordPress core paths using WP Ghost, it could be due to incorrect server configurations.

When the new paths for CSS and JS files fail to load correctly, it typically indicates that they have not been appropriately configured. Let’s explore a couple of common scenarios and their corresponding solutions.

Here’s how to troubleshoot and resolve this issue:

Identify the problem

The issue typically arises because the updated paths for CSS and JS files cannot be found or the class names were changed in the source code using WP Ghost > Mapping > Text Mapping and are not found in CSS files. This can disrupt your theme’s functionality and layout.

Clear all cache

If you have a cache plugin or use server caching, clear all the cache, as the change of paths has significantly changed the website’s structure.

Run a Frontend Test

Go to WP Ghost > Change Paths, click the Frontend Test button, and follow the server configuration instructions, if any.

Check Your Server Configuration

For Nginx Servers:

• Ensure the new paths are added to the Nginx configuration.
• After updating the configuration, reload the Nginx service to apply the changes.
• Follow this guide for detailed instructions:
  How to Set Up WP Ghost on an Nginx Server

For Apache Servers:

• Verify that AllowOverride is set to All in your server configuration.
• This allows the .htaccess file to load the new paths correctly.
• Follow this guide for detailed instructions:
  How to Set AllowOverride All

Additional Resources

For a comprehensive guide on configuring your server to ensure themes and layouts load correctly, refer to this tutorial:
Theme Not Loading Correctly? Website Loads Slower?

By addressing these configuration issues, your theme and layout should display correctly after path changes.

After Changing the wp-includes Path Some Plugins are not Functioning Properly

Clear all cache

If you have a cache plugin or use server caching, clear all the cache, as the change of paths has significantly changed the website’s structure.

Run a Frontend Test

Go to WP Ghost > Change Paths, click the Frontend Test button and follow the server configuration instructions, if any.

Check path configuration

Review the custom wp-includes path you’ve set to ensure no typos or errors are causing the issue.

Revert changes

Revert to the original wp-includes path settings temporarily to determine if the path change is causing the issue.

Plugin compatibility

Deactivate the other plugins and check if the website works correctly. If it works, activate the other plugins one by one to identify the one that is not working correctly with the custom wp-includes path.

Test with the default theme

Switch to a default WordPress theme (e.g., Twenty-Twenty-Five) to check if your custom theme is causing the issue.

Plugin settings

Review the settings of any specific plugin that may be causing the issue, as some might need adjustments after changing the wp-includes path.

However, the root cause is often server configuration, especially if the rewrite rules haven’t been correctly applied. It’s essential to follow the instructions in WP Ghost according to your server type and ensure proper configuration.