WordPress is a platform that is known for its user-friendliness and accessibility, even for those without a technical background. Many users enjoy WordPress without ever needing to delve into coding. 

However, there are times when you might need to peek behind the curtain and interact with the files that power your site. 

This article is your guide through the WordPress file structure, offering insights on how and why to access and edit these files to make the most out of your website.

A quick guide to the WordPress file structure

WordPress, the leading Content Management System (CMS), has a well-organised file structure that is important for web developers and administrators to understand. It’s like the blueprint or instruction manual servers use to build and display your website. This structure consists of a series of files and directories, each containing code and instructions dictating how your site looks, operates, and interacts with users and the server.

The file structure of WordPress is hierarchical and well-organised, separating core functions from user-added content. This separation makes it simpler for you to manage your site and run updates without affecting the core operations of your website.

The core WordPress files reside in the root directory, often labelled as public, public_html, www, or htdocs. This is the top-level directory on your web server where WordPress is installed, housing all the files that bring your website to life on the internet.

Within the root directory, there are three primary sub-directories::


This directory is where the customisation of your WordPress site happens. Each plugin or theme you install adds a new folder in the plugins or themes subdirectory with its own set of files, like PHP scripts, JavaScript files, and CSS stylesheets. 

This modular approach means you can add or remove functionality from your site by activating or deactivating plugins. The wp-content folder is also where all the media files you upload via the WordPress media uploader are stored, usually organised into folders by year and month. It includes images, videos, PDFs, and any other media file you might upload. This is also where you’ll find the files necessary to forceoff plugin-enforced protections, such as if you find yourself locked out of your site by mistake


Much like a well-stocked library, the wp-includes folder harbours WordPress’s core PHP functions and classes. It is a compiled assortment of vital WordPress functions for tasks ranging from database manipulation to template rendering. 

This directory is not meant for direct modification by users or developers. Altering these files can break your site’s functionality and leave it vulnerable to to security issues.


This directory contains the PHP files and scripts that generate the WordPress dashboard. This is where you, as a site administrator, will spend a lot of time managing various aspects of your site, like creating posts, pages, managing comments, and general site settings. 

For example, there’s a file for handling the appearance section, another for plugins, and so on. While it’s technically possible to modify these files for customization, doing so is risky. Changes here can lead to security vulnerabilities or break the admin panel, making your site unmanageable. It’s generally advised not to modify files in this directory.

On top of these directories, an assortment of individual core files sit within the root directory, such as:

  • wp-config.php: It contains the necessary information to connect WordPress to your database, including the database name, username, password, and host. It also includes unique authentication keys and salts, which are important for securing your WordPress site, as they ensure that user data, like cookies and passwords, are encrypted.  
  • .htaccess (on Apache servers): It handles the permalink structure on your site and the site optimisation, such as caching. 
  • index.php: This is the first file that gets loaded when someone visits your WordPress site.

Depending on your site configurations, other common WordPress directories might exist, for example: 

  • Custom directories or files added by specific plugins or themes.
  • Security-enhancement files or directories.
  • Custom scripts or additional configuration files.

It’s very important to remember that you should never tinker with the majority of these files, as any small change can stop your site from functioning. However, if you’re trying to learn how to work with your WordPress directory, you can start by learning how to access it. 

Shield Security PRO Call-To-Action: Purchase

How to access your WordPress site directory

Depending on your level of technical skill, there are several tools at your disposal:

Using your host’s file manager (like cPanel)

cPanel is a widely used web hosting control panel employed by many WordPress hosts. It provides an accessible interface to manage your website files.

  1. Log into your cPanel account. If you don’t know your cPanel credentials, contact your hosting provider for assistance.
  2. In the cPanel interface, look for the Files section and click on File Manager, or similar labels.
  3. You will be presented with a list of files, among which is your WordPress site root directory: public or public_html. Clicking on this directory will open up your WordPress files.

Using an FTP Client

File Transfer Protocol (FTP) enables you to transfer files between your personal computer and your web server. Using an FTP client such as FileZilla, Cyberduck, or WinSCP, you can access and interact directly with your server files.

  1. Log into your web hosting account and seek out your FTP account information. Typically, you’ll need your FTP username, password, server address, and, occasionally, a port number.
  2. Open your chosen FTP client and set up a new connection or site using the FTP details provided by your hosting provider.
  3. Once connected, you’ll see your web server’s file structure. Look for the directory where WordPress is installed to gain access to your WordPress files.
  4. Now, you can handle your files – download, upload, or edit, as required. However, approach any changes with caution, as they can potentially alter your site’s functionality.

Using SSH (for advanced WordPress users)

If you are comfortable with using the command line, then SSH (Secure Shell) provides an effective option. SSH enables secure and efficient file management through encrypted remote operations.

  1. Obtain your SSH credentials from your hosting provider; these may or may not be identical to your FTP details.
  2. Using a terminal program, like PuTTY for Windows or the built-in terminal for macOS/Linux, connect to your server via SSH.
  3. Deploy command-line tools to navigate and manipulate your files effectively.

Regardless of the method chosen to access your WordPress file directory, be very careful to avoid unintended performance disruptions. 

Which core files should (and shouldn’t) you touch?

Messing with WordPress core files is like fine-tuning your car’s engine without any mechanical knowledge; the potential damage can be extensive and even irreversible. But what harm could you unknowingly inflict?

Imagine unintentionally breaking your site, leaving it an open field for cyber-attacks, or encountering compatibility issues during updates. Not an ideal situation, right?

There are certain ways to make changes safely, for example, by creating a child theme. These are separate themes that adopt the functionality of the main, or parent, theme. This method allows you to safely customise parts of your website without touching or risking the core functions. 

The easier option for this scenario is just using plugins or theme functions that safely make changes to your site. 

Other situations when you might need to make minor changes include: 

  • The wp-config.php file, for instance, may need occasional tweaks to adjust individual configuration settings, like setting up your database connection, debugging, or security keys. 
  • Another file where you might need to make security changes is .htaccess (more on that later). However, this file, like the index.php, is located in the root directory, so you should be very careful.

Ways to protect your site using WordPress files

Understanding your WordPress site’s file directory can empower you to protect your site effectively. The following are some ways you can leverage this knowledge to enhance your site’s security:

  • Assigning the correct file permissions as they control who can read, write, or execute certain files on your website. Setting permissions too loosely might yield access to unauthorised individuals, jeopardising your site’s security.
  • Restoring your website using the “forceoff” file: If you lose access to your side by mistake using Shield Security PRO, you can turn the plugin’s firewall off by adding a “forceoff” file to …/wp-content/plugins/wp-simple-firewall/
  • Keeping core files updated, as these updates often carry patches for known security vulnerabilities. For instance, the WordPress 4.7.2 release addressed a content injection vulnerability, an update that kept millions of sites secure.
  • Securing vulnerable files, such as wp-config.php, as they contain key configuration details for your site. Hackers often aim to exploit these files to gain unauthorised access. 
  • Using wp-config.php security functions, including blocking certain external HTTP requests, enabling debug mode, modifying password salts, and disabling automatic updates.  
  • Using .htaccess security functions like hiding your login page, initiating IP address whitelisting, password-protecting directories, and controlling 301 redirects. 

For more sophisticated and safe security measures, use a dedicated security plugin like Shield Security Pro. With this plugin, you can rely on real-time file monitoring, automatic backups, and malware scanning features to sniff out any threats invading your site. 

However, it’s important to note that certain security measures can lock you out of your site. 

  • For instance, if you modify the login URL for enhanced security and later forget this new URL, you could find yourself unable to access your own site. 
  • Another common scenario is overly restrictive IP whitelisting in the .htaccess file, which might block your access if your IP address changes. 
  • Updating password salts or other critical security configurations in wp-config.php without proper caution can also result in access issues.

In such cases, you need a plan to regain access to your site’s backend. One effective solution is to familiarise yourself with the file structure and learn how to revert changes that may have caused the lockout. This might involve accessing your site’s files directly through an FTP client or your hosting control panel to undo the recent changes.

To learn more, check out our step-by-step guide on regaining access to your WordPress site

Rules for editing your WordPress site’s files

While manipulating your WordPress site’s files gives you increased control, it introduces a certain level of risk, so here are some universal tips to help avoid issues:  

  • Seek professional assistance: If you’re unsure about your technical know-how, particularly for advanced edits like altering PHP code or setting up redirects, get in touch with experts or use a dedicated plugin. This could range from simple duties like changing your site’s logo to coding a new feature from scratch. 
  • Generate a backup of your files: Whether you prefer using a backup plugin or your hosting provider’s tools, ensure you have a fallback plan in place. This ensures you can promptly restore your site in case of any anomalies.
  • Don’t touch core WordPress files: When it comes to files like wp-admin and wp-includes, editing can bring about severe complications like accidental site downtime, unforeseen security breaches, and detrimental clashes during WordPress updates. 
  • Take advantage of tools like Shield Security PRO: Automating tasks that would otherwise require intricate file edits, such as hiding the login page or enabling two-factor authentication; this plugin optimises your WordPress site’s security.

Securing your WordPress files from threats with security plugins

If you’re running a WordPress site, you can’t leave security to chance, which is why we recommend using a trusted security plugin like Shield Security Pro

There are three main types of threats: bot activities, hacks, and malware attacks, and they can all directly affect every type of WordPress file, such as Core, Plugin, Theme, and Upload files. 

  • Bot activities: Automated scripts or programs that perform tasks on websites, often for malicious purposes like spamming or data theft.
  • Hacks: Unauthorized access to a computer system or network, often to steal, alter, or destroy data.
  • Malware attacks: The injection of harmful software into a system to damage, disrupt, or gain unauthorised access to it.

To protect your site against such threats, set basic defensive measures, such as restricting file access to approved admins. Another simple measure you can take is changing the default database table name prefix, “wp_”, which is a well-worn path for hackers. Substituting it creates an instant maze for hackers and keeps your site secure. 

The best strategy, however, is to use security plugins. Different plugins may adopt varied approaches towards cybersecurity, but most would employ a mash-up of certain standard techniques:

  • Scanning for malware: Implementing regular site sweeps for any lurking malicious content or potential threats.
  • Monitoring activity: Overseeing changes made to site files can help catch abnormalities early on. For instance, Shield Security PRO actively registers file changes and alerts you promptly.
  • Enforcing strong passwords and updating policies: Mandating uncrackable passwords and routine updates can form a formidable fortress against infiltrations.
  • Reinforcing against brute force attacks and unauthorised access: Measures like limited login attempts or IP blocking can safeguard against repetitive login attempts or unwanted intrusions.

Enhancing site security with Shield Security PRO

Shield Security PRO Call-To-Action: Purchase

As a WordPress website owner, it’s essential that you at least understand the file structure, but what’s even more important is taking the right measures to secure your site against potential threats. 

And there’s no one better for this job than Shield Security PRO

Here is what you can expect regarding security features

  • A sophisticated AntiBot Detection Engine that distinguishes between harmless and harmful bots, blocking those that pose threats and allowing benign ones to perform their functions.
Shield Security PRO AntiBot System
  • Enhanced login protection such as two-factor authentication, one-time passwords, and hiding the login page. 
Shield Security PRO 2FA settings
  • The White Label feature which allows you to rename the plugin to align with your brand, which is very useful for agencies with multiple client websites. 
Shield Security PRO White Label feature
  • A user-friendly interface that empowers even non-technical users to confidently establish and monitor their site’s security.
Shield Security PRO dashboard
  • A proactive threat prevention approach, such as the automatic IP blocking feature, deters repeated failed login attempts, preventing common brute force attacks even before they happen.
Shield Security PRO Auto Blocking Rules

Create a more secure site today with Shield Security PRO

The WordPress file directory can be hard to grasp at first, but it’s essential for users who want more control over their website, especially when it comes to security. Specific changes like rotating password salts, hiding the login page, or restricting overall file access all serve to strengthen the security of your platform.

However, there is a much simpler way to access these security features without having to go deep into your WordPress file directory and risk breaking something.

With Shield Security PRO, you can implement key security changes easily and with peace of mind. This advanced security plugin simplifies the process of protecting your site, eliminating the need for direct code alterations.

Whether you’re looking to hide your login page or enforce stronger password policies, Shield Security PRO offers everything you need. Plus, its user-friendly interface and extensive toolset provide you with a seamless and reassuring security management experience.So why wait? Try Shield Security PRO today for comprehensive, user-friendly security solutions!