WP-Content: A Beginner’s Guide To WordPress’ Most Important Directory


7-layers of Security for Your WordPress Site

Your website needs the most comprehensive security to protect it from the constant attacks it faces everyday.

WP content uploads

Are you curious about where the content of your website is stored? Or have you heard of wp-content on your WordPress site and want to learn more about it?

A WordPress website is made up of many files and folders. wp-content is one of the key folders as it contains your website’s content, and the themes and plugins installed on your site. If this folder is accidentally deleted, your website will crash.

At MalCare, we’ve seen many cases where WordPress websites crashed because a hacker has meddled with the wp-content. Since many website owners never visit the backend of WordPress and check the wp-content, it makes it an ideal spot for hackers to inject malware. They also hide backdoors that give them a secret entry point into your site.

Learning about what hackers can do the wp-content repository can be alarming. But don’t worry!

In this guide, we’ve simplified everything you need to know about the wp-content. You’ll find out what the folder does and how to use it. Next, you’ll learn how to hide it or prevent it from being accessed by unauthorized users.

TL;DR: The wp-content  is an integral part of your WordPress site. To ensure it is protected, we recommend installing a WordPress Security Plugin (MalCare). The plugin will scan and protect your WordPress files and folders from hackers. It will also automatically take backups of your site regularly and store them safely.

What Is The WP-content Folder?

As we mentioned in the introduction, a WordPress website is made of many files and directories. It is created by default at the time of building your website and is one of the most crucial folders of your website.

Every image that you upload, every theme and plugin that you install on your website is stored in this folder (more details in the next section). In other words, any files that don’t get stored in the database are stored here. If the folder gets deleted, your website will crash and you will need to rebuild it from scratch.

Generally, website owners don’t use this folder. But certain occasions may arise when you need to access it.

For instance, we have installed a plugin on our WordPress website. But the plugin caused the site to malfunction as it was not compatible with the version of WordPress we were running. We couldn’t disable it on the WordPress dashboard. So we had to go to the wp-content folder to delete the plugin in order to access our site.

Recommend read: Beginner’s Guide to Understanding WordPress File Structure & Database

How To Access The WP-Content Folder

To access the wp-content folder, you need to access the WordPress root directory. Here’s what to do:

1. Log into your web hosting account (e.g. WP Engine).

2. Access cPanel and open File Manager.

File Manager

3. Here, you will see a folder named ‘public_html’. This folder resides on your web server and is made up of WordPress files and sub-folders that all contribute to the functioning and appearance of your website.

4. Inside the public_html folder, you will find three main sub-folders:

  1. wp-admin – Contains administrative files related to who can access your WordPress panel and what permissions they are granted.
  2. wp-includes – Contains files related to rules, hierarchies, and settings of your WordPress site.
  3. wp-content – Contains your website’s themes and plugins files and media uploads (in wp content / uploads).
wp-content uploads folder in public_html

Today we will focus on the wp-content folder and learn more about its role on your website. The wp-content folder has many more sub-folders and files which we’ll discuss in the next section.

What Does The Wp-content Contain?

The wp-content folder on a standard WordPress site has three more subfolders – plugins, themes, and uploads.

wp-content plugins themes and uploads

However, as WordPress sites expand and add more plugins and themes, more folders may be created. To simplify this, we’ve broken down the directory structure of this section into four parts:

  1. Plugins Folder
  2. Themes Folder
  3. Uploads Folder
  4. Other Common Folders In Wp-content

1. Plugins Folder

On your WordPress website, you have the ability to install plugins. All the plugins you install on your WordPress site (both active and inactive) are stored in this folder. If you open any of the folders, you’d find rules and configuration files of the plugins installed. Tampering with this folder could cause the plugins to misbehave.

plugins in wp-content folder

Knowing how to access this folder can come in handy if you are unable to install a plugin on your dashboard (admin panel). You can copy the plugin’s zip file and paste it into this folder. Next, you have to extract the zip file to activate the plugin on your site.

Similarly, you can use the folder to delete or disable a plugin. Sometimes, a plugin might be causing a compatibility issue which causes the website to malfunction. If you are unable to disable the plugin from the dashboard, you can access this folder and disable it manually.

We do not recommend using this manual method as making changes directly to this WordPress folder is very risky. A slight misstep can render your site broken. Use this method only when you have no other choice.


2. Themes Folder

Similar to the plugins folder, this one houses all the themes on your site. You can use it the same way you would use the plugins folder.

When you install a theme on your WordPress dashboard, it would appear in this folder.

For instance, we installed the Astra theme on our site:

themes folder

Next, we checked the themes folder and a sub-folder named ‘astra’ was automatically created:

themes folder in wp-content

You can also copy themes into this folder to make it available on your dashboard. In the same way, you can also delete themes here.


3. Uploads Folder

As the name suggests, everything that is uploaded to your site is stored in this folder. This includes images, videos, and any other files such as PDF documents, MS Word docs, and GIFs.

By default, these media files are stored in subfolders according to the year and month they were added to the site. You can think of it as a media library.

wp content uploads folder

This is the default setup of a wp-content folder of a WordPress site. However, as WordPress sites expand and develop, you can often find additional folders here. We have briefly entailed them below:


4. Other Common Folders Inside Wp-content

There are four additional folders that are often created in the wp-content folder.

other folders in wp-content folder



a) mu-plugins

mu-plugins are must-use plugins. These plugins are critical to the functioning of your WordPress site and are deemed as must use. For example, a plugin may come bundled with a theme. If you disable the plugin, it could break the theme and therefore, break your website. So developers tag them as mu-plugins so that you don’t disable them unintentionally. If such plugins exist on your site, they are stored in this folder.


b) Languages

WordPress can be used to create websites in many different languages. If you choose to use any language other than English or multiple languages, WordPress will save the language files in this folder.


c) Upgrade

This is a temporary folder created by WordPress when you update your site to a new version.


d) Specific Plugins

Sometimes plugins create their own directories on your website. This means they create their own folders within the wp-content folder. For example, the WP Super Cache plugin creates its own folder called ‘cache.’

cache folder

You can see that the wp-content repository contains vital data on your website. Therefore, it should always be protected.

In the next section, we discuss the measures you can take to safeguard this folder from being tampered with or deleted by anyone.

How To Protect WP-content Or The Uploads Folder?

There are three measures you need to take to protect your wp-content and uploads folder:

  1. Take a backup of these folders
  2. Change the name of your wp-content folder
  3. Block the folder from showing on your website’s index

1. Backup Your WP-Content Repository

A backup is a copy of your website that can be used to restore your site to normal if anything were to go wrong with it like if you accidentally delete any file or hackers tamper with the folder.

You can take a backup using the BlogVault backup plugin. It’s easy to install and it will automatically take a complete backup of your WordPress site in under a few minutes. We recommend BlogVault because it’s guaranteed to work when you restore it.

You can also use the plugin to selectively restore your wp-content.


2. Change The Name Of Your Wp-content 

As we know, by default, the folder that stores your content, themes, and plugins are named wp-content. This name is common across all WordPress sites which makes it easy for anyone to identify and locate the folder. This means if hackers find a way to break into your site they will be able to find this folder easily because they know it is named ‘wp-content’. You can protect this folder by changing its name.

There are two ways to do this – using a plugin or manually.

A. Using a Plugin (Safe)

We recommend doing this by using a plugin called WP Hide & Security Enhancer. It provides you with a simple way of hiding not just your wp-content, but other important WordPress files as well.

changing wp-content path

This plugin is great because it explains the process every step of the way. It’s easy for both beginners and pros to use. In addition to wp-content, you can also implement other protective measures on your site such as protecting your comments, authors, uploads, and more!

B. Manually (Not Recommended)

To rename your wp-content file manually, you need to access the folder on your web server and make changes to it. We strongly do not recommend using this method as the slightest mistake could break your site.

Step 1: Access your web hosting account. Go to cPanel, and access your website’s File Manager.

Step 2: Navigate to the wp-content folder, right-click on it, and select ‘Rename’.

renaming wp-content folder

Step 3: Rename the folder to any other name. Ensure it is unique and not a name that is already in use on your site.

3. Hide The WP-Contents Folder

There are times hackers request for your wp-content repository using malicious code with a URL in it. This folder’s URL path is usually yourdomain.com/wp-content or yourdomain.com/public_html/wp-content.

This URL path isn’t used in the address bar of your browser. Rather, it is used in the coding of your site. Hackers write malicious code to fetch the data of this folder or to inject their own malicious code.

You can block outsiders from accessing this URL path. Only users who are logged into your common WordPress dashboard will have access to it. To do this, you can use the same plugin we mentioned above or you can do it manually.

A. Using a Plugin (Safe)

Using WP Hide & Security Enhancer, you can block the wp-content URL path with two clicks.

blocking url

Simply navigate to the option ‘Block wp-content URL’ and select yes. Once you save changes, the plugin will block your wp-content URL path.

B. Manually (Not Recommended)

This method requires adding code into a file called the .htaccess file. Modifying your WordPress files manually is very risky. A small error can cause your site to malfunction or even crash. That said if you still want to go ahead and give it a try, here are the steps:

Step 1: Access your web hosting account. Go to cPanel, and access your website’s File Manager.

Step 2: Navigate to the wp-content folder and create a new file and name it .htacess file.

creating new file

Step 3: Right-click this file and choose ‘Edit’. Paste the following code and save changes.

Order Allow, Deny

Deny from all

Allow from all

In case you cannot see your .htaccess file after creating it, go to Settings and select ‘Show Hidden Files’.

Step 4: Your wp-contents folder will be hidden. If you try to access your file using https://www.yourdomain.com/wp-contents, you should see an error message:

internal server error 500

With that, we come to an end on discussing the wp-content and uploads folder on your WordPress site. We are confident that you will now be fully aware of what this folder does, where to find it, and how to protect it now.

Final Thoughts

The wp-content folder is an integral part of your WordPress site. This makes it so important to take WordPress security measures to ensure it is protected and backed up.

Apart from the wp-content, there are other integral files and folders that need to be safeguarded. We recommend protecting not just one or two elements on your site, but your entire site.

To do this, we recommend installing the MalCare Security Plugin. It will scan your site regularly for malware and alert you if there’s anything suspicious on your site. You can also take a complete backup of your site regularly and store it in a safe offsite location.

Protect Your WordPress Site With MalCare!


You may also like

WordPress Limit Login Attempts: How to do it?
WordPress Limit Login Attempts: How to do it?

You’ve probably noticed a lot of failed login attempts on your WordPress site. You probably suspect that your site is facing a brute-force login attack by bots. Brute force attacks…

How To Add WordPress Passwordless Login To Your Site?
How To Add WordPress Passwordless Login To Your Site?

We understand that password vulnerabilities are an important part of WordPress login security. In fact, we recognize that as an admin, you’re tasked with managing a multitude of passwords. Apart…

How can we help you?

If you’re worried that your website has been hacked, MalCare can help you quickly fix the issue and secure your site to prevent future hacks.

My site is hacked – Help me clean it

Clean your site with MalCare’s AntiVirus solution within minutes. It will remove all malware from your complete site. Guaranteed.

Secure my WordPress Site from hackers

MalCare’s 7-Layer Security Offers Complete Protection for Your Website. 300,000+ Websites Trust MalCare for Total Defence from Attacks.