The WordPress file system – Security Boulevard

WordPress is, at its core, an online utility, and similar to each different internet utility, it requires and makes use of a labyrinth of folders and recordsdata to work. These recordsdata and folders embody all the pieces from entry controls and WordPress’ core code to the plugins, themes, media you add, and all the pieces in between.

Posts and pages will not be saved within the file system. These are saved within the SQL database in a desk titled wp_posts. Keep this in thoughts once you’re doing WordPress backups.

Regardless of the place your WordPress web site is put in, all the pieces required for the web site to run, together with customizations, resides on this folder construction. This construction is similar throughout all installations and, opposite to fashionable perception, not that obscure and navigate.

In truth, it’s so simple as navigating folders and recordsdata in your laptop. Knowing your method round all the folders and recordsdata that make up WordPress has many advantages. It can’t solely assist you to make customized modifications but in addition troubleshoot points in addition to hold your web site safe. Speaking of safety, understanding how the WordPress file system works, also can assist you to guarantee you haven’t any exposed backup and unreferenced files in harmful locations.

To assist you to take advantage of out of WordPress, this text will take a deep look into how these folders and recordsdata work, together with learn how to entry them and what you could find in each. If you’re caught on learn how to entry these recordsdata, our information to accessing WordPress files will assist you to sail straight by the method.

The significance of understanding the WordPress file system

There are quite a lot of good the reason why familiarizing your self with the WordPress file system is a good suggestion. From troubleshooting and upkeep to normal information, understanding how one thing works is all the time factor.

Knowing the place the WordPress media library folders are positioned, for instance, may help you add footage ought to the WordPress file add characteristic fail to work. You may additionally have to edit the WordPress config file, do a handbook backup, and even search for uncovered backup and unreferenced recordsdata – all issues you’ll be able to simply do from throughout the WordPress file system.

There are a number of alternative ways you’ll be able to entry the WordPress file system, with FTP usually being one thing of the golden commonplace. While you won’t have to entry the filesystem every day, it’s all the time good apply to know learn how to entry it and be capable of navigate your method round with ease.

Let’s get began.

The root listing

The root listing is the highest-most stage folder which comprises all the subdirectories and recordsdata that make up WordPress. If you will have a shared or managed WordPress internet hosting account, you’ll routinely end up within the root folder as quickly as you connect with the server.

On the opposite hand, in case you’re operating WordPress on a devoted server, you will have to navigate to the foundation listing your self. The location of your web site’s root listing on a devoted server depends upon the Operating System and internet server that you’re utilizing.

When the server is being configured, directors can all the time arrange customized directories, so in case you can not discover the folder in its default location. Make positive to seek the advice of with the server administrator for the customized location deal with.

By default, the general public folder of the most well-liked internet server are:

Windows (IIS) C:Inetpubwwwrootwordpress
Windows (XAMPP) C:xampphtdocswordpress
Linux (Apache2) /var/www/html/
Linux (Nginx) /var/www/html

Once you entry the foundation folder, you’ll be met with quite a lot of folders and recordsdata. These folders and recordsdata make up all the pieces you see on WordPress, bar what will get saved within the database.


In this part, we are going to undergo every folder and file to see what position each performs in a typical WordPress set up.


The wp-admin folder comprises a number of recordsdata and sub-directories, all of which work collectively to make the WordPress administration backed work. You can very simply see this folder at work once you log in to your WordPress web site again-finish. Here is the way it works –

When you entry your administration console again-finish, you sometimes go to You may need observed that the final little bit of that URL – ‘wp-admin’ is the folder’s title. As such, once you log in to your WordPress, what you’re successfully doing is accessing that folder by a browser.

Within this folder, we discover some attention-grabbing and important recordsdata. These recordsdata are thought of core recordsdata as they make WordPress work. Some notable examples embody:

  • admin.php – The major driver that makes wp-admin work, together with checking permissions and connecting to the WordPress MySQL database
  • replace.php – This file comprises the code by which your WordPress web site checks for updates and in addition runs the replace each time a brand new model comes out

wp-content material

The wp-content material folder is the one folder that sees essentially the most motion out of all WordPress folders. It consists of a number of sub-directories, together with:

  • plugins – This is the place put in plugins reside
  • themes – This is the place put in themes reside
  • uploads – This is the place media uploads reside
  • mu-plugins – mu is brief for Must Use with plugins that have to be utilized by the theme positioned right here
  • improve – This is a brief folder utilized by WordPress throughout upgrades to newer variations

Pro-tip: It is price mentioning that the uploads folder is likely one of the folders that sees essentially the most modifications since that is the place all uploaded media, corresponding to pictures and movies reside. As such, it could be price excluding this folder from web site file integrity monitor scans to keep away from false positives. It can also be price noting that this folder is usually configured to not execute any recordsdata and as such, is comparatively protected from assaults.

wp-consists of

The wp-consists of folder comprises a number of core recordsdata which are important to WordPress operations. One of the primary capabilities of this folder is to behave as a useful resource for themes, which discuss with it to have the ability to work. It comprises many of the WordPress core recordsdata and, as such, is kind of massive in measurement. Some notable recordsdata that reside on this listing embody:

  • capabilities.php – This file comprises vital capabilities that help WordPress operations (This capabilities.php is completely different from the capabilities.php file positioned within the theme folder)
  • widgets.php – This file comprises an interface that widgets use to work together with WordPress and thus be capable of work



The .htaccess file is a crucial file that controls how sure sources are accessed. Its principal job is to regulate permalinks; nevertheless, it may be edited to limit entry to particular recordsdata and arrange 301 redirects. Refer to the definitive htaccess and WordPress information for extra data on how this file can be utilized to higher handle and safe your WordPress web site.


Within WordPress’ file directories, you’ll discover fairly a number of index.php recordsdata; particularly, you’ll discover one for each theme put in of their respective directories. This index.php file, nevertheless, sits alone within the root listing, and its major job is to load the lively WordPress theme.


Although WordPress is free, it nonetheless comes with a license. The license known as GNU GPL license, and in a nutshell, it permits you to use WordPress without spending a dime and supplies you with the supply code to edit as you please. The license, nevertheless, binds you to launch any modifications you make to the supply code without spending a dime.


The readme.html file is an HTML file that features useful details about WordPress, together with putting in, updating, and migrating WordPress. It additionally supplies precious details about the system necessities to run WordPress and hyperlinks to sources, help, the license, and some different issues.


The wp-activate.php file comprises the code that confirms a consumer’s activation key is similar one on file because the one despatched to them within the activation electronic mail.


The wp-weblog-header.php does three issues – first it hundreds that WordPress library, then units up the WordPress question earlier than lastly loading the theme template.


The wp-feedback-submit.php file handles remark posting to WordPress whereas stopping duplicate feedback from being posted. Requires wp-load.php to perform.


wp-config.php is an attention-grabbing and important file, one that’s vital to WordPress installations. The config file doesn’t come included in WordPress; as a substitute, it’s created in the course of the set up course of and is personalized particularly for you and your necessities. In a method, it’s similar to a gift.

Its significance is derived from the aim it fulfills. It holds the configuration for database settings, secret keys, the database desk prefix, and absolutely the path to the WordPress listing.


The wp-config-pattern.php file is a pattern file that WordPress makes use of to create your precise configuration file – wp-config.php.


The wp-cron.php file is a relatively attention-grabbing one. Essentially, it schedules duties corresponding to system updates and the publication of scheduled posts by cronjobs.


The wp-hyperlink-opml.php file is used to export hyperlinks from a WordPress web site since these will not be exported when utilizing the WordPress export perform.


The wp-load.php file units the ABSPATH and hundreds the wp-config.php file. ABSPATH stands for ABSolute PATH and primarily converts a filesystem path into an absolute path. WordPress then makes use of these absolute paths to reference required sources.


The wp-login.php file is the web page that customers use to log in to their WordPress account.


The wp-mail.php file will get electronic mail messages from a consumer’s mailbox to be printed as a submit. Requires wp-load.php to perform


The wp-setting.php is an integral a part of the WordPress ecosystem and does fairly a number of issues. It units up frequent variables, fixes any points, and consists of procedural and sophistication libraries. It additionally retains a document of capabilities, lessons, and core content material listing and permits for a number of the configurations in wp-config.php.


The wp-signup.php file is used in the course of the preliminary configuration course of and primarily units up the WordPress setting. Requires the wp-load.php and wp-weblog-header.php recordsdata to perform.


The wp-trackback.php file handles any trackbacks and pingbacks which are despatched to WordPress. Requires wp-load.php to perform.


The xmlrpc.php file provides XML-RPC help to WordPress.

Getting your fingers soiled with the filesystem

Understanding the WordPress filesystem can prevent loads of time and bother because it permits you to entry the guts of WordPress instantly. This can ease each troubleshooting and assist you to harden and secure WordPress installations. The vital factor to recollect is that any modifications executed right here will mirror in your web site, so do proceed with warning.

Before making any modifications, make sure you take a backup and retailer it someplace protected. You also needs to think about putting in a website file changes monitor so that you simply’re alerted each time a file has been modified or deleted. This can go a good distance in serving to you make sure the integrity and security of your web site with out having to undergo prolonged troubleshooting and prognosis procedures.

The submit The WordPress file system appeared first on WP White Security.

*** This is a Security Bloggers Network syndicated weblog from WP White Security authored by Joel Farrugia. Read the unique submit at:

Related Posts