Ultimate Website Security Tools

Scan your website for Malware
WordPress File & Directory Structure and Security

All WordPress files: themes, plugins and downloads are stored on your website and can become a real mess.

What Are the Benefits of Understanding WordPress File and Directory Structure?

You don’t have to know anything about WordPress to run a WordPress website. You can, however, solve many common problems by understanding how WordPress saves files and uses directories.

You can achieve that by following this guide:

– Understand which WordPress files and folders are part of core;
– To understand how WordPress stores your images and media in a library;
– Where WordPress stores themes and plugins;
– Where WordPress configuration files are stored;
– With this information, you’ll also know which WordPress files should be backed up.

You can also perform troubleshooting tasks such as disabling all WordPress plugins, enabling a default theme, or fixing other common WordPress errors. We will also go over the directory structure of WordPress. You will first need an FTP client to connect to your WordPress server. A simpler alternative to FTP is the file manager. It is a web application that is integrated into the cPanel of your web hosting. When you access your WordPress website via File Manager or FTP, you will see the files and directories. The files and folders framed in red are important WordPress files. WordPress requires those files and folders to run.  You should not edit these files yourself.

Here is a list of the most important WordPress files and folders you’ll find at the root of your WordPress website: [Folder] wp-admin; index.php; license.txt; readme.html; wp-activate.php; wp-blog-header.php; wp-comments-post.php; wp-config-sample.php; wp-cron.php; wp-links-opml.php; wp-load.php; WP-login.php; wp-mail.php; wp-settings.php; wp-signup.php; wp-trackback.php and xmlrpc.php.

WordPress configuration files

The root directory of WordPress contains certain configuration files. You can find important settings for your WordPress website in these files.

.htaccess – A server configuration file that WordPress uses to manage persistent connections and redirects.

wp-config.php – It tells WordPress how to access your database. It also sets some global settings for your WordPress website.

WordPress File & Directory Structure and Security 03 - Virusdie

index.php – The index file is the base file that loads all of WordPress and executes user requests. This is a WordPress record.

It is likely that you will have to change the “wp-config.php” or “.htaccess” file frequently. Be very careful when changing either of these files. One small mistake can cause your website to become inaccessible.

Always make a backup of these two files before editing them.

If you don’t see the .htaccess file in your directory, it’s probably hidden.  It depends on your configuration of your WordPress blog whether you see these files in the root directory.

robots.txt – Contains instructions for browser indexing favicon.ico – WordPress sometimes creates a favicon file.

What’s in the folder wp-content

WordPress stores everything not included in WordPress core in the “wp-content” folder. It is commonly believed that you can edit files and folders in a “wp-content” folder with ease. However, this is not entirely true. Therefore, to understand how the “wp-content” folder works and how to deal with it, let’s take a look at it. The contents of a wp-content folder can vary from one WordPress website to another. But all WordPress websites usually have the following organization:

[folder] Themes
[folder] plugins
[folder] upload index.php

WordPress stores your themes in the folder “wp-content / themes /”. You can edit the theme file, but it’s not recommended. Once you update a theme to a newer version, the changes will be overwritten when you update.

Therefore, it is recommended that you create a child theme for the WordPress theme to make customizations.

Downloaded and installed WordPress plugins are located under “wp-content / plugins /“. You should not edit the plugin files directly unless you created the plugin just for your WordPress website.

WordPress stores all images and media in the folder “/ wp-content / uploads /“. Downloads are organized by default in “/ year / month / files“. Each time you create a WordPress backup, you must include it in the “upload” folder.

You can download fresh copies of the WordPress core, your themes and plugins from their respective sources. But if you lose the transfer file, it will be very difficult to restore it without a backup. Many WordPress plugins can also use the wp-content folder as a place to create their own folders. Other folders may contain files that you can safely delete. For example, cache plugins can cache in their own folders.

Changing your WordPress file and directory structure (mainly for the security reasons)

First thing first. Before attempting any WordPress structure changes, back up your WordPress website. You can restore your site’s content from this backup if something goes wrong.

1. Edit your wp-content’s name

First, log into your site using your favorite FTP client and rename the “wp-content” folder to something else. It can be renamed to “content”. It can be renamed to anything you like, such as assets or files. You just need to ensure there are no spaces or other obscure characters in it.

2. Hide the wp-content folder

Want to hide the wp-content/uploads folder from others? Here is one way to do it. Open your FTP client. Navigate to wp-content/uploads. Make a new file and name it “.htaccess” and open it. Copy and paste the following code into the file: # Order Allow, Deny. Deny from all. Allow from all. Save the changes.

3. Changing the location of some WordPress folders

E.g. since WordPress version 2.6, it is possible to move the wp-content directory to a new location. WP-content is where themes, plugins, and images are stored. It is possible, however, to only modify the plugins folder location rather than the entire wp-content folder.

Recommendations for WordPress file permissions

What is a WordPress file permission? WordPress File & Directory Structure and Security 02 - Virusdie

Files can be added and removed by users WordPress. The good thing about this is that it allows you to add, delete, and change existing files in the wp-content directory. However, a WordPress administrator can prevent users from accessing this directory regardless of whether they are permitted to upload or delete content. The best way to avoid this situation is to set the file permissions for the wp-content directory. File Permissions in WordPress file permissions for the wp-content directory depend on your operating system and the original setup of the website.

You can edit your WordPress backend via cPanel or FTP. Select the folder whose permissions you wish to change, and then select “chmod“. This will bring up a box to change the file permissions.

1. Changing WordPress file permissions using cPanel

Log in to your web hosting account and access cPanel. Inside cPanel, click on File Manager. In the public_html folder, right-click on the file or folder you wish to modify. You can then select Permissions and change the Read/Write/Execute options for all three permissions. At the end as a final step select the permissions you want and choose ‘Change permissions’ to save your changes.

2. Using FTP to change WordPress file permissions

Follow these steps to set up permissions for your domain or website via FTP:
First, connect to your web server using your FTP credentials. Next, you will have to go to the public_html folder, where you will see all your files and folders. Finally, select the files or folders for which you want to edit permissions and click the “File Permissions” link. At the end click OK to save changes.

The Difference between 644 and 777

Permissions of 644 mean that the owner of the file has full access, while group members and other users on the system have read-only access. Setting a file or folder to 755 permissions is the best solution. The file will be available for reading and writing to anyone, but it won’t be executable.


In order for you to walk the walk, you need to know your environment. The WordPress directory structure is your first step. You must know location of all your files, especially the wp-admin, wp-content, and wp-includes folders. The WordPress core files are next. You must familiarize yourself with wp-config.php, functions.php and .htaccess.

Even though it’s scary to poke around in WordPress directories and files, you’ll quickly find your way around. This knowledge will be extremely useful when troubleshooting or performing simple hacks.

Never ever forget security side and click on the link on time – Virusdie team is here to help and to prevent.


Article by Ivica Delic
founder of FreelancersTools,
exclusively for Virusdie.

Join our private Facebook group to get help from other security experts, and share your own web security experiences and expertise. Group members receive exclusive news and offers. They can also communicate directly with the Virusdie team. Join us on Facebook.