Beginner’s Guide to Understanding WordPress File Structure & Database
Under ordinary circumstances, there is no real need to be concerned about WordPress file structure. WordPress has a great wp-admin interface that enables you to focus on running your site without knowing how the engine works under the hood.
However, it can be useful to know the nuts and bolts of your site. This is especially true when you are experiencing an unexpected issue, and all the help talks about modifying a particular WordPress file or resetting a value in the database.
Perhaps you’re not experiencing an issue but are reading up about backups or security. Terms like core files and database, or wp-config.php and wp-uploads, are mentioned frequently in context.
It is immensely helpful to understand these terms to gain a nuanced understanding of the topic and thus make the best decisions possible for your site.
If you have ever had questions like:
- What are core files?
- Where are plugins and themes stored?
- What does the database contain?
- Why is the wp-uploads folder a security concern?
- What are WordPress file and folder structures?
You’re in the right place. In this article, we will take you behind the scenes of your site, so that you can confidently say you understand WordPress file and folder structure.
TL;DR There are two parts to a WordPress site: the files and the database. Both of these are critical to the functioning of your site. If you understand how they work, you will become a power user and thus be able to troubleshoot issues and make good decisions for your site. One of the best decisions you can make is to protect your WordPress site. Install a good security plugin and invest in backups.
Often, we want to make changes to our website, and how-to articles instruct us to go poking around in our site code. If this wasn’t bad enough, using an FTP client or File Manager to have a look at your site files and folders can all seem quite bewildering.
Each site folder and file seems important, and it often is! The dire warnings that say the smallest error could result in a site crash aren’t far off the mark.
That being said, knowledge is power. Understanding WordPress file and directory structure will go a long way in instilling confidence in your ability to make changes to your website, or indeed troubleshoot small problems. In all cases, we strongly recommend you always back up your site before tinkering with it.
Understanding WordPress file and directory structure
WordPress file and folder structure is the engine of your site. The files contain code that powers your site. Since most of it is invisible—as it should be—it can be a little confusing to understand and is akin to looking under the hood of a car.
WordPress root directory
To use WordPress, you must first install it on your server. Most web hosts will do this for you automatically when you first create a web host account. Alternatively, you can download WordPress, and upload it to the server yourself.
An installation means that a fresh copy of all the basic WordPress files is put onto your server. This is the foundation of your site.
Most commonly, the WordPress installation will go into a public_html or public folder. This folder is known as the WordPress root directory, or simply the root, and is where you will then find the WordPress core files and folders. The folder can be called something else entirely, but most often it will be the public_html folder. It is worth knowing which folder is the root, as it is an important location for several site admin tasks, like migration or backups.
The WordPress root directory contains the following files and folders:
WordPress core files and folders
WordPress Core files and folders are those installed during the WordPress installation. These files power everything from the login page and the admin dashboard, to the database connection and managing users. There are 2 core WordPress folders: wp-admin and wp-includes, and several core files.
As the name suggests, the wp-admin folder manages the entire experience of your WordPress wp-admin dashboard. There are seven folders in the wp-admin folder as follows:
There are lots of files too, the important ones being:
- admin.php – core file that manages the wp-admin dashboard
- index.php – loads pages in response to visitor requests
- install.php – installs WordPress
- plugins.php – controls all the plugins, active or inactive
- themes.php – controls all the installed themes
- users.php – manages users and their permissions
Most of the files are fairly self-explanatory as to their function. Essentially, all the WordPress folders and files within the wp-admin folder centre around the admin.php file, which controls the dashboard and all the functionality within it.
wp-includes contains all the core software for your WordPress site. You’ll see this referred to in a variety of ways: packages, code libraries, and WordPress source code. The nomenclature isn’t important here, but the code is critical.
Therefore, it is inadvisable to modify anything in the wp-includes directory ever, because it can and will break your site. Plus, there is no good reason to do so. Rarely will you come across a tutorial that advises you to alter any of the code contained in the wp-includes folder.
The one possible exception to this rule is the functions.php file. The functions.php file contains all the code for all the functions on your site. It is a special case because it works in tandem with the functions.php file that exists in your active theme as well. Typically, things like Google Analytics code and other tracker code are added to the theme’s functions.php file, but are liable to get lost if the theme is changed. That’s why you may come across advice to add the tracking code to the core functions.php file instead. However, we recommend against changing anything in the core files. You can always copy code from an old theme to a new theme easily, without endangering your entire site.
We strongly recommend against making changes to WordPress core files and folders, because they control your site. Even small errors can lead to your site crashing completely. If you absolutely must make changes, please make sure to take a full site backup just before. In any event, every time WordPress is updated, these files are overwritten, and any changes you do make will be lost.
WordPress core files
In the root folder, you will also see several files. While all of them are important, some of them are worth noting.
An index.php file is responsible for showing your site in response to a visitor request. It initialises and loads the right core files when a page is requested. This concept is better understood by seeing what happens when there isn’t an index file.
If your root folder didn’t have an index file, when someone tries to visit your site, the contents of the root folder will be displayed on the browser. Apart from the terrible unintended user experience, this is also a security issue.
The index file is a directory-level file and will be visible in most folders and sub-folders. For instance, it also exists in the wp-content folder. If that file was missing, the contents of the folder would be visible. As it stands, a blank white screen is shown instead.
Apart from the one in the root folder, the index.php file is often a blank file with a single-line comment: “Silence is golden.”
WordPress configuration files
There is a special subset of core files known as configuration files. Configuration files are the only core files that you can reasonably expect to edit. That is not to say that they are any less important than the other core files; however, there is certain site functionality that you can only toggle from within a configuration file.
Ideally, you should use a plugin wherever possible to make these changes. For instance, it is vastly better and easier to use a plugin to implement geo-blocking, rather than modifying the .htaccess file. However, if you are creating a multisite, then you would need to add code to the configuration files manually during the network setup.
The wp-config file is used to store database connection info, security keys and salts, and the database prefix. It is often targeted by hackers for this reason, as the database credentials are stored in cleartext, as are the security keys and salts.
Security keys and salts are an encryption mechanism used by WordPress to authenticate logged-in users securely. We have a step-by-step guide on how to change your security keys and salts, in case you think that a user account has been compromised.
The wp-config file also contains the built-in WordPress debugging feature. By default, the debugging feature is disabled. Once enabled from the wp-config file, it will show all errors, warnings, and notices. This is different from typical behaviour which may only show critical errors or fatal errors.
In a lot of security articles, you will see advice to move the wp-config file to another location, out of the root. But this is of limited value, because every WordPress site has a wp-config file somewhere in the installation, and a determined hacker with requisite access will find it eventually. A better way to secure your WordPress site is to install a security plugin; preferably one with a good firewall.
The .htaccess file is another important configuration file that is used to manage site links. Things like permalink structure, URL redirects, IP address blocking, and so on are managed by the .htaccess file. For instance, if you ever want to implement geoblocking manually, you will need to modify the .htaccess file, although we definitely don’t recommend it. In addition to links, the .htaccess file can also be used to password-protect your site.
Both the .htaccess and the wp-config files are generated on WordPress installation, and thus would not be visible in a downloaded installation package. Even once installed, the .htaccess file is hidden. To be able to see it, enable the option to view hidden files on your FTP client.
The .htaccess file is a configuration file specifically for Apache web servers. Some web hosts use nginx instead of Apache servers, so there will be no .htaccess file for your site altogether.
Plugin and theme files and folders are, as the names suggest, installed with plugins and themes. For instance, if you install a contact form plugin, the code for that plugin will be in these files. Similarly, with the theme; the code for displaying images and fonts is in these files.
All plugins and themes are generally found in the wp-content folder, except in special circumstances. For example, a firewall plugin would be located at the root level, so it loads before the rest of the site. This concept is known as load order, which is often seen in relation to WordPress security.
Each plugin or theme will mostly have its own folder with the files it needs to function correctly. In fact, plugin and theme installation files can be uploaded via FTP directly to the wp-content folder and then unzipped there.
Plugins have enormous variety, so rarely conform to a template. Themes, on the other hand, usually affect the same elements of a site, so they can look quite similar at a code level.
For instance, every theme has a functions.php file. We briefly referred to this while speaking about the functions.php file in the wp-includes folder. The theme functions.php file contains all the code needed to execute the theme. It also often has the extra code needed to run analytics and trackers on your site. When changing over to a new theme, you need to back up the functions.php file to make sure that you don’t lose any of that customisation.
Interestingly, although a WordPress site will work without a single plugin, albeit a very boring one, it cannot function without a theme. The active theme is indicated in a required field in the database and has to be available for the site to load at all.
The wp-uploads folder is where the files that visitors upload to the site are stored. It correlates directly to everything visible in the site’s media library. The files are stored in yearly and then monthly folders for retrieval.
The wp-uploads folder is universally accessible by default, so it often poses a security risk. This is why the folder shouldn’t have any executable files ever.
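One way to check this from an SSH session, as an added example that is not part of the original article: the function below walks the uploads folder (wp-content/uploads in a default install) and reports files with PHP-style extensions or an execute permission bit. The function names, the extension list and the demo tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list files in the uploads folder that a web server could run.
# The folder path is supplied by the caller; nothing here is WordPress code.

# scan_uploads DIR  ->  prints REASON<TAB>path, one line per finding
#   SCRIPT  file name ends in a PHP-style extension (.php, .php5, .phtml, .phar)
#   EXEC    regular file with any execute permission bit set
scan_uploads() {
    su_dir=$1
    if [ ! -d "$su_dir" ]; then
        echo "usage: scan_uploads UPLOADS_DIR" >&2
        return 2
    fi
    # Case-insensitive match, so Thumb.PHTML is caught as well as gallery.php.
    find "$su_dir" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.phar' \) |
        sort | awk '{ print "SCRIPT\t" $0 }'
    # Media files never need an execute bit; -100/-010/-001 = user/group/other.
    find "$su_dir" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) |
        sort | awk '{ print "EXEC\t" $0 }'
}

# count_findings DIR  ->  prints the number of findings (0 means clean)
count_findings() {
    scan_uploads "$1" | wc -l | tr -d ' '
}

# Constructed demo tree using the yearly/monthly layout; not real site data.
demo_scan() {
    ds_tmp=$(mktemp -d) || return 1
    mkdir -p "$ds_tmp/uploads/2024/05" "$ds_tmp/uploads/2023/11"
    echo 'jpeg bytes' > "$ds_tmp/uploads/2024/05/team-photo.jpg"
    echo '<?php // x' > "$ds_tmp/uploads/2024/05/gallery.php"
    echo '<?php // y' > "$ds_tmp/uploads/2023/11/Thumb.PHTML"
    echo '#!/bin/sh'  > "$ds_tmp/uploads/2023/11/resize.sh"
    chmod 644 "$ds_tmp/uploads/2024/05/team-photo.jpg" \
              "$ds_tmp/uploads/2024/05/gallery.php" \
              "$ds_tmp/uploads/2023/11/Thumb.PHTML"
    chmod 755 "$ds_tmp/uploads/2023/11/resize.sh"
    ( cd "$ds_tmp" && scan_uploads uploads )
    rm -rf "$ds_tmp"
}

demo_scan
```

On a real site, call `scan_uploads` with the path to the uploads folder under your root directory; any output line is worth investigating before deleting anything.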
It is important to remember that we are talking about the boilerplate installation of WordPress. Since customisation of plugins, themes, and of WordPress itself can vary significantly from site to site, this is by no means an exhaustive list. The WordPress codex has a full list of WordPress files that come with the basic installation.
You may or may not see some of the files in the folders as described above, depending on how the installation is configured. Alternatively, you may not see the .htaccess file in your FTP client, because it is a hidden file. You will need to enable that setting to see it.
Understanding WordPress database tables
A database is a system used to store, organize, and retrieve data to run your website. Along with the files, it forms the other crucial part of your site. The WordPress database is used to store user-generated content like posts, pages, comments, etc. in tables.
Note: this is the reason why advice on how to back up your WordPress site often suggests you back up only the database, assuming you can download everything else. This is not good practice, as you should always back up your entire site.
WordPress uses a MySQL database to store site information in tables, SQL commands to manipulate the data within, and the programming language PHP to communicate between the files and database. Therefore, when you install WordPress for the first time, during the installation you will need to create a MySQL user for the database. And, as we will see later, you can use an interface like phpMyAdmin or Adminer to access your site’s database.
Each site has a single associated database, and each database consists of multiple tables. The core WordPress tables are:
These tables are installed with WordPress. Over the course of time, as the site grows and plugins are added, the database grows with more tables and therefore more data.
The important thing to remember is that the tables often work in tandem with each other. That means data can be drawn from different tables. For instance, comments on posts are stored in the wp_comments table, but wp_commentmeta also is important for retrieval. This is especially true for WooCommerce sites, where order and product data is stored across multiple tables.
We have a full article with more information on how the WordPress database functions.
How to access the WordPress files, directories, and database
Your WordPress site is stored on a web host server, which is essentially a remote computer. To access the WordPress file structure and database, you need to connect to this computer. There are several ways to do this though. Each method has its pros and cons, so it is worth reading about all the methods and deciding which one works best for you.
The most common method talked about in WordPress tutorials is to use cPanel. cPanel is a control panel software offered by most web hosts. It has a variety of tools for different tasks. The ones that we are most interested in for the purposes of viewing WordPress files and the database are the File Manager and phpMyAdmin respectively.
To access cPanel on your site, enter yourdomain.com in the URL bar, followed by /cpanel. Login with cPanel credentials, which are different from your wp-admin ones.
Under the Files section, you will find an icon for File Manager.
File Manager is a bit like your computer’s file explorer. You will see WordPress folders and files in a similar interface. To edit any of the files, you need to download them, edit them on your local machine, and then reupload them to the correct folder, after deleting the existing file.
To access the database, look for the phpMyAdmin icon under the Databases section on cPanel.
phpMyAdmin is separate from cPanel, so the icon is merely a shortcut to access it. If you aren’t logged in automatically, you can find the database login credentials in the wp-config.php file.
Under the Databases tab or from the left side panel, find the database that is associated with your site if there is more than one database.
Clicking on your database will open it to display all the tables within. Further, clicking on a table name will display the rows and values.
Some web hosts don’t provide cPanel, and may have an alternative control panel software like Plesk or Webmin. Others may not have any options at all, in which case you would need to use FTP to access your site files.
File Transfer Protocol or FTP is an alternative to HTTP. We are all familiar with HTTP, which is a protocol used to transfer information over the internet. The two protocols work in different ways and are used interchangeably to access data on a server.
FTP is different from HTTP in one key way, which is that it requires authentication. That means you have to provide login credentials to be able to access the server.
To use FTP or SFTP, which is more secure, you need to download and install a client, like FileZilla. For the purposes of this article though, we are going to use Cyberduck.
First, locate your FTP credentials on your web host dashboard.
Next, create a new connection on the FTP client, and plug in the credentials.
Once the connection has been established, you can view the WordPress files and folders on the server.
If your web host doesn’t have cPanel access, they may not use phpMyAdmin either. However, most web hosts do provide a link to the website database from the dashboard.
In this example, Cloudways has a button to Launch Database Manager from the website dashboard. Cloudways uses Adminer instead of phpMyAdmin.
Dreamhost, on the other hand, does use phpMyAdmin, and you can find a Manage link on the website panel.
Short for ‘secure shell’, SSH is a way to connect securely to a remote computer over potentially insecure networks. In the case of WordPress, you can use it to access files on your site server from anywhere else.
SSH uses a command-line interface to interact with and control the site files and folders instead of a browser. Like with FTP, you may need a client to use SSH, although most systems have the ability built-in. We used the Terminal on macOS to open a connection to our web server.
Similar to FTP again, you will need credentials to log in: server address, username, and password. You may or may not need the port number. To connect to your server with SSH, type in ssh username@serveraddress. You will be prompted for a password, and once that is in, you will be able to interact with your site files.
With SSH, you need to have some familiarity with the command-line interface or be prepared to look through a ton of documentation. This list of commands can help you get started, although it is not comprehensive.
Note: Using the command-line interface, you can also leverage WP-CLI commands. WP-CLI is a tool to interact specifically with WordPress site files and its database, and thus has commands that are specific to WordPress.
If you want to avoid cPanel and FTP altogether, you can also install a plugin to view and interact with WordPress files and folders.
The advantage of using a plugin is that you can see the files directly on your wp-admin dashboard, without needing to log in separately. The disadvantage is that if your site crashes for any reason and you want to fix an errant plugin or theme, you won’t be able to use these plugins to do so. However, it is still a viable alternative in most cases.
We tried out WP File Manager, and it was a breeze to use. Find the plugin from the plugins directory, install it, and you’re done.
The dashboard clearly shows all the files of your site, right from wp-admin.
One word of caution here is that searching for ‘file manager’ plugins also lists results for media library file managers. Those plugins serve an entirely different purpose.
Similarly, you can install a plugin to view the site database as well.
We tried Database Admin and saw that we could select our site database without logging in.
The interface is very basic though, and it helps to have a little understanding of SQL to navigate more effectively.
We also tried WP Adminer as an alternative.
It was very similar to accessing the database directly. The plugin appears as a shortcut in the Tools menu.
Why you should learn about WordPress file and directory structure
Your site is working, and working well at that. So why should you spend time learning about WordPress file structure? Apart from the simple reason of understanding how your site works, there are several good reasons:
- Solve minor issues under your own steam, like disabling a plugin or theme that is acting up.
- In case you face a major issue, it is important to be able to distinguish between good and bad advice. There is a ton of poor, although well-meaning advice, especially with respect to WordPress security. A little knowledge can help you ask the right questions when needed, and discard poor advice immediately.
- Understanding the file structure of your site makes you a power user. You may be able to accomplish a great deal more than previously. It is a stepping stone to learning WordPress development as well, should you be so inclined. For instance, suppose you need to add redirects to your site, you can do so by modifying the .htaccess file without needing developer intervention.
- It will also prevent you from deleting or changing critical files or database values, knowing that this will cause your site to crash.
- Setting file permissions will become easier once you know the interplay between different files, and which users need access to them. At first glance, the strongest permissions and tightest security rules seem like the best option. This is not true at all. Remember that files need to communicate with each other, and therefore need appropriate permissions to do so.
If you are reading this article to figure out which files to back up, then the answer is everything. Always take complete backups, and restore partially as and when required.
How to protect WordPress files, folders, and database from malware
Now that you have a good understanding of WordPress structure, both inside and out, you can take steps to protect it from hackers. In WordPress security, prevention is always better than cure, and doing the following will keep out the majority of malware attacks.
- Install MalCare, a top-notch security plugin with an integrated firewall
- Invest in site backups
- Keep WordPress, plugins, and themes updated as far as possible
- Use strong passwords, and a password manager to remember them
- Implement a good user policy
- Never use nulled software
We have compiled all our security expertise into actionable advice that you can use to protect your site in minutes.
Now that you have a working knowledge of your site, it is sensible to take a backup every time you want to change something. This is your safety net in case anything goes awry and you have to restore in a hurry. BlogVault has the best WordPress backups and comes with a whole host of other great features to manage your site effectively.
What is WordPress file structure?
WordPress file structure is the site’s organisational system. WordPress sites use files that contain code to run and interact with a database, which stores data.
How are WordPress files organised?
WordPress files are organised in a hierarchical folder structure. The WordPress installation is in a root directory, generally public_html or public, and everything else comes within it. There are 3 core folders in the WordPress root directory: wp-content, wp-includes, and wp-admin.
What should be in the wp-includes folder?
The wp-includes folder contains WordPress core packages and code that are installed with WordPress. The wp-includes folder and its constituent files remain constant. If you suspect there are changes, you can download a fresh installation of WordPress and compare those files with what is on your site.
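The comparison described above, as an added shell example rather than code from the article or from WordPress: it compares a live core folder with the same folder from a fresh download of the same WordPress version and lists modified, missing and added files. The function names and the demo trees are constructed for illustration, and the check generalizes from wp-includes to any core folder, such as wp-admin.

```shell
#!/bin/sh
# Added example: compare a live core folder with a fresh copy of the same
# WordPress version. Paths are passed in by the caller.

# compare_core_dir REF LIVE
#   REF  = folder from a freshly downloaded package (e.g. fresh/wp-includes)
#   LIVE = the same folder on the site (e.g. public_html/wp-includes)
# Prints one line per difference: STATUS<TAB>relative/path
#   MODIFIED  file exists in both but the bytes differ
#   MISSING   file is in the fresh copy but not on the site
#   ADDED     file is on the site but not in the fresh copy
# Note: file names containing newlines are not handled.
compare_core_dir() {
    cc_ref=$1
    cc_live=$2
    if [ ! -d "$cc_ref" ] || [ ! -d "$cc_live" ]; then
        echo "usage: compare_core_dir REF_DIR LIVE_DIR" >&2
        return 2
    fi
    # Pass 1: every reference file must exist on the site, byte for byte.
    ( cd "$cc_ref" && find . -type f ) | sort | while IFS= read -r cc_f; do
        cc_rel=${cc_f#./}
        if [ ! -f "$cc_live/$cc_rel" ]; then
            printf 'MISSING\t%s\n' "$cc_rel"
        elif ! cmp -s "$cc_ref/$cc_rel" "$cc_live/$cc_rel"; then
            printf 'MODIFIED\t%s\n' "$cc_rel"
        fi
    done
    # Pass 2: anything on the site that the fresh copy does not ship.
    ( cd "$cc_live" && find . -type f ) | sort | while IFS= read -r cc_f; do
        cc_rel=${cc_f#./}
        if [ ! -f "$cc_ref/$cc_rel" ]; then
            printf 'ADDED\t%s\n' "$cc_rel"
        fi
    done
}

# Constructed demo: two tiny stand-in trees, not real WordPress files.
demo_compare() {
    dc_tmp=$(mktemp -d) || return 1
    mkdir -p "$dc_tmp/fresh/wp-includes/js" "$dc_tmp/site/wp-includes/js"
    echo '<?php // version'  > "$dc_tmp/fresh/wp-includes/version.php"
    echo '<?php // version'  > "$dc_tmp/site/wp-includes/version.php"
    echo '<?php // original' > "$dc_tmp/fresh/wp-includes/functions.php"
    echo '<?php // edited'   > "$dc_tmp/site/wp-includes/functions.php"
    echo 'var a;'            > "$dc_tmp/fresh/wp-includes/js/a.js"
    echo '<?php // unknown'  > "$dc_tmp/site/wp-includes/js/extra.php"
    compare_core_dir "$dc_tmp/fresh/wp-includes" "$dc_tmp/site/wp-includes"
    rm -rf "$dc_tmp"
}

demo_compare
```

Where WP-CLI is installed, `wp core verify-checksums` checks core files against the official checksums without a manual download.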
Where are WordPress files located?
WordPress files are installed in a root directory on your site server. The root directory is often named public_html or public. All WordPress files are stored within the root directory in a hierarchical system of files and folders.