WordPress is, at its core, a web application, and just like every other web application, it requires and uses a labyrinth of folders and files to work. These files and folders include everything from access controls and WordPress’ core code to the plugins, themes, media you upload, and everything in between.
Posts and pages are not stored in the file system. These are saved in the SQL database in a table titled wp_posts. Keep this in mind when you’re doing WordPress backups.
Regardless of where your WordPress website is installed, everything required for the website to run, including customizations, resides in this folder structure. This structure is the same across all installations and, contrary to popular belief, not that difficult to understand and navigate.
In fact, it’s as simple as navigating folders and files on your computer. Knowing your way around all of the folders and files that make up WordPress has many benefits. It can not only help you make custom changes but also troubleshoot issues as well as keep your website secure. Speaking of security, understanding how the WordPress file system works, can also help you ensure you have no exposed backup and unreferenced files in dangerous places.
To help you make the most out of WordPress, this article will take a deep look into how these folders and files work, including how to access them and what you can find in each one. If you’re stuck on how to access these files, our guide to accessing WordPress files will help you sail straight through the process.
The importance of understanding the WordPress file system
There are a number of good reasons why familiarizing yourself with the WordPress file system is a good idea. From troubleshooting and maintenance to general knowledge, understanding how something works is always a good thing.
Knowing where the WordPress media library folders are located, for example, can help you upload pictures should the WordPress file upload feature fail to work. You might also need to edit the WordPress config file, do a manual backup, or even look for exposed backup and unreferenced files – all things you can easily do from within the WordPress file system.
There are several different ways you can access the WordPress file system, with FTP generally being something of the golden standard. While you might not need to access the filesystem daily, it’s always good practice to know how to access it and be able to navigate your way around with ease.
Let’s get started.
The root directory
The root directory is the top-most level folder which contains all of the subdirectories and files that make up WordPress. If you have a shared or managed WordPress hosting account, you will automatically find yourself in the root folder as soon as you connect to the server.
On the other hand, if you’re running WordPress on a dedicated server, you will need to navigate to the root directory yourself. The location of your website’s root directory on a dedicated server depends on the Operating System and web server that you are using.
When the server is being configured, administrators can always set up custom directories, so if you cannot find the folder in its default location. Make sure to consult with the server administrator for the custom location address.
By default, the public folder of the most popular web server are:
Windows (IIS) C:\Inetpub\wwwroot\wordpress
Windows (XAMPP) C:\xampp\htdocs\wordpress
Linux (Apache2) /var/www/html/
Linux (Nginx) /var/www/html
Once you access the root folder, you’ll be met with a number of folders and files. These folders and files make up everything you see on WordPress, bar what gets saved in the database.
In this section, we will go through each and every folder and file to see what role each one plays in a typical WordPress installation.
The wp-admin folder contains several files and sub-directories, all of which work together to make the WordPress administration back-end work. You can very easily see this folder at work when you log in to your WordPress website back-end. Here is how it works –
When you access your administration console back-end, you typically go to yourdomain.com/wp-admin. You might have noticed that the last bit of that URL – ‘wp-admin’ is the folder’s name. As such, when you log in to your WordPress, what you’re effectively doing is accessing that folder through a browser.
Within this folder, we find some interesting and essential files. These files are considered core files as they make WordPress work. Some notable examples include:
- admin.php – The primary driver that makes wp-admin work, including checking permissions and connecting to the WordPress MySQL database
- update.php – This file contains the code through which your WordPress website checks for updates and also runs the update whenever a new version comes out
The wp-content folder is the one folder that sees the most action out of all WordPress folders. It includes several sub-directories, including:
- plugins – This is where installed plugins reside
- themes – This is where installed themes reside
- uploads – This is where media uploads reside
- mu-plugins – mu is short for Must Use with plugins that must be used by the theme located here
- upgrade – This is a temporary folder used by WordPress during upgrades to newer versions
Pro-tip: It is worth mentioning that the uploads folder is one of the folders that sees the most changes since this is where all uploaded media, such as images and videos reside. As such, it might be worth excluding this folder from website file integrity monitor scans to avoid false positives. It is also worth noting that this folder is typically configured not to execute any files and as such, is relatively safe from attacks.
The wp-includes folder contains several core files that are essential to WordPress operations. One of the main functions of this folder is to act as a resource for themes, which refer to it to be able to work. It contains most of the WordPress core files and, as such, is quite large in size. Some notable files that reside in this directory include:
- functions.php – This file contains important functions that support WordPress operations (This functions.php is different from the functions.php file located in the theme folder)
- widgets.php – This file contains an interface that widgets use to interact with WordPress and thus be able to work
The .htaccess file is an important file that controls how certain resources are accessed. Its main job is to control permalinks; however, it can be edited to restrict access to specific files and set up 301 redirects. Refer to the definitive htaccess and WordPress guide for more information on how this file can be used to better manage and secure your WordPress website.
Within WordPress’ file directories, you’ll find quite a few index.php files; specifically, you’ll find one for every theme installed in their respective directories. This index.php file, however, sits alone in the root directory, and its primary job is to load the active WordPress theme.
Although WordPress is free, it still comes with a license. The license is called GNU GPL license, and in a nutshell, it allows you to use WordPress for free and provides you with the source code to edit as you please. The license, however, binds you to release any modifications you make to the source code for free.
The readme.html file is an HTML file that includes helpful information about WordPress, including installing, updating, and migrating WordPress. It also provides valuable information about the system requirements to run WordPress and links to resources, support, the license, and a few other things.
The wp-activate.php file contains the code that confirms a user’s activation key is the same one on file as the one sent to them in the activation email.
The wp-blog-header.php does three things – first it loads that WordPress library, then sets up the WordPress query before finally loading the theme template.
The wp-comments-post.php file handles comment posting to WordPress while preventing duplicate comments from being posted. Requires wp-load.php to function.
wp-config.php is an interesting and vital file, one that is critical to WordPress installations. The config file does not come included in WordPress; instead, it is created during the installation process and is customized specifically for you and your requirements. In a way, it’s just like a present.
Its importance is derived from the purpose it fulfills. It holds the configuration for database settings, secret keys, the database table prefix, and the absolute path to the WordPress directory.
The wp-config-sample.php file is a sample file that WordPress uses to create your actual configuration file – wp-config.php.
The wp-cron.php file is a rather interesting one. Essentially, it schedules tasks such as system updates and the publication of scheduled posts through cronjobs.
The wp-link-opml.php file is used to export links from a WordPress website since these are not exported when using the WordPress export function.
The wp-load.php file sets the ABSPATH and loads the wp-config.php file. ABSPATH stands for ABSolute PATH and essentially converts a filesystem path into an absolute path. WordPress then uses these absolute paths to reference required resources.
The wp-login.php file is the page that users use to log in to their WordPress account.
The wp-mail.php file gets email messages from a user’s mailbox to be published as a post. Requires wp-load.php to function
The wp-setting.php is an integral part of the WordPress ecosystem and does quite a few things. It sets up common variables, fixes any issues, and includes procedural and class libraries. It also keeps a record of functions, classes, and core content directory and allows for some of the configurations in wp-config.php.
The wp-signup.php file is used during the initial configuration process and essentially sets up the WordPress environment. Requires the wp-load.php and wp-blog-header.php files to function.
The wp-trackback.php file handles any trackbacks and pingbacks that are sent to WordPress. Requires wp-load.php to function.
The xmlrpc.php file adds XML-RPC support to WordPress.
Getting your hands dirty with the filesystem
Understanding the WordPress filesystem can save you a lot of time and trouble as it allows you to access the heart of WordPress directly. This can ease both troubleshooting and help you harden and secure WordPress installations. The important thing to remember is that any changes done here will reflect on your website, so do proceed with caution.
Before making any changes, be sure to take a backup and store it somewhere safe. You should also consider installing a website file changes monitor so that you’re alerted whenever a file has been changed or deleted. This can go a long way in helping you ensure the integrity and safety of your website without having to go through lengthy troubleshooting and diagnosis procedures.