Skip to main content

WordPress Files & Folders: What You Need to Know

Jan 23, 2021

Every website can be broken down into three basic components — the server, the database, and the code. The server is the computer that stores the website information and communicates with browsers to display the website on a user’s device. The database is the repository of all the information that is stored and used by the website. The code is the information that defines the website’s function and appearance for the end user.

Each WordPress website is built on 3 core files:

  • wp-admin
  • wp-content
  • wp-includes

The wp-content file contains all your website’s themes, plugins, and uploads. The wp-admin and wp-includes files should never change.

In this way, every WordPress website is basically just a collection of files and folders. A folder tree lends structure and hierarchy to the numerous lines of raw data and code, allowing both devices and web developers to make sense of it.

Why Is File and Folder Security Important?

In a nutshell, file and folder security prevents unauthorized access to the data stored in the aforementioned files. It goes without saying that unsecured files and folders can pose a security risk for your website. Besides allowing strangers access to potentially sensitive website data, a lack of file and folder security can be exploited by malicious hackers and softwares to gain access to more sensitive data, or weak points in your website’s infrastructure.

Files and folders are not difficult to secure, but it’s important not to overlook this critical component of web security.

How Do Web Experts Secure Files and Folders?

WordZite’s approach to file and folder security works on two basic principles. First, ensuring your WordPress site files have the right permissions settings, and second, through regular file monitoring.

When we take control of a WordPress website, one of the first things we do is to perform a file and folder scan to ensure that the core files (the aforementioned wp-admin, wp-content, and wp-includes) align precisely with the core files in the latest version of the WordPress site builder. No matter what changes or additions you make to your website over its lifetime, these core files should never deviate from their official WordPress versions.

Setting File and Folder Permissions

Setting file and folder permissions is a simple process that a web security expert can perform with the addition of a few small lines of code. These aren’t settings that are visible from your WordPress dashboard, though, so it will take someone with the know-how and experience.

By default, WordPress sometimes allows public access to things like the wp-content file. A simple change to these default settings ensures that only authorized users have the ability to read or alter these files, protecting your data from prying eyes.

File and folder permissions can also be used by web developers to ensure that a website’s function isn’t compromised by inexperienced site owners or back-end users making additions and changes. A web expert can edit the settings to set limits on the size of files that are uploaded, or to automatically resize or compress uploaded image files. Settings like these help stop business employees from inadvertently slowing down a website with overly large uploads.

File Change Monitoring

It’s not unheard of for developers to make small changes to WordPress core files, but we strongly recommend against it. A change to a core WordPress file means you won’t be able to update the files — automatic updates from WordPress will break the site, since the updated versions of the core files will be different from those on your server. Outdated core files can cause a security issue.

We also monitor to check that new files such as child themes or plugin overrides are set up and added properly.

To help keep files and folders secure, WordZite uses change monitoring, applying a service that notifies us immediately if an unauthorized user has gotten in and made changes.


Files and folders are the backbone of every website, but the majority of website owners don’t really interact much with these website building blocks. You don’t have to understand the ins and outs of how these files function, but you should be able to trust that your web security expert does — and has taken the necessary steps to secure your website, and protect your information.