WordPress Files & Folders

Once we are confident that the web server is up to date and well maintained, we take a hard look at the folders and files that make up your WordPress website. We ensure that proper permissions have been applied to every single file and folder on your server. This limits who has the ability to read, modify and delete the assets that make up your website. This is basic security. But we’re always surprised by how many WordPress websites have neglected to configure these permissions properly.

XML Remote Procedure Call (XML-RPC) is a feature that allows you to interact remotely with your site. It is rarely used except by heavy bloggers and publishers, so we recommend disabling it unless it is absolutely necessary for the day-to-day operations of your WordPress website.

Every WordPress website has some folders that it installs as part of the core software. Some simple changes to folders like /wp-admin and /wp-includes can help block scripts, bots and third parties from exploiting those core folders. The .htaccess file can be used to prevent directories from being browsed and to prevent the config.php file from being accessed. We also work with our clients to restrict, as much as possible, the permissions on the /uploads folder and any other folders that need to be writable by the server in order for WordPress to function.
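The permission review described above can be scripted. The following is an added example, not this page's or the agency's own tooling: the function names, the three checks and their thresholds are assumptions based on common hardening guidance, and the sample tree is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a WordPress tree for overly permissive modes.
# The checks and thresholds are assumptions, not taken from the page.

audit_wp_perms() {
    root=$1
    # Anything writable by "other" can be modified by any local account.
    find "$root" \( -type f -o -type d \) -perm -002 | sed 's/^/WORLD_WRITABLE /'
    # Core folders should be writable by their owner only.
    for core in wp-admin wp-includes; do
        [ -d "$root/$core" ] || continue
        find "$root/$core" \( -type f -o -type d \) -perm -020 |
            sed 's/^/GROUP_WRITABLE_CORE /'
    done
    # WordPress keeps its database credentials in wp-config.php,
    # so no account outside the owner and group should read it.
    if [ -f "$root/wp-config.php" ]; then
        find "$root/wp-config.php" -perm -004 | sed 's/^/CONFIG_WORLD_READABLE /'
    fi
}

# Constructed sample tree with three planted problems.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/wp-admin" "$t/wp-includes" "$t/wp-content/uploads"
    : > "$t/wp-config.php"
    : > "$t/wp-admin/index.php"
    : > "$t/wp-includes/load.php"
    : > "$t/wp-content/uploads/logo.png"
    # Set a sane baseline explicitly so the result does not depend on umask.
    chmod 755 "$t/wp-admin" "$t/wp-includes" "$t/wp-content" "$t/wp-content/uploads"
    chmod 644 "$t/wp-admin/index.php" "$t/wp-content/uploads/logo.png"
    chmod 644 "$t/wp-config.php"          # planted: world-readable config
    chmod 664 "$t/wp-includes/load.php"   # planted: group-writable core file
    chmod 777 "$t/wp-content/uploads"     # planted: world-writable uploads
    echo "$t"
}

sample=$(make_sample_tree)
audit_wp_perms "$sample"   # prints one finding per planted problem
rm -rf "$sample"
```

An empty result from `audit_wp_perms` means none of the three conditions was found; it says nothing about file ownership, which needs a separate check against the account the web server runs as.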

We use a service that monitors all the files on a WordPress website. We get notified immediately if a file on a website is changed by someone other than an authorized admin of the website. This helps us react instantly to any potential threats that are attempting to plant malicious code into a website. We also work with our clients to ensure they are not directly editing or modifying WordPress’ core files and help them come up with ways to fulfill website requirements that don’t require modifications to the core WordPress files.

Many business websites need to host files for their users to download, such as PDF, DOC, DOCX, PPT, PPTX and so on. Unfortunately, excessive downloading of these files by multiple users can put a strain on server resources, which can slow down or even crash a WordPress website. We work with our top-tier clients to find solutions that allow files to still be posted to and managed on websites but hosted using 3rd party file sharing services.


Let’s Get Started

Book a Security and Performance Audit and learn how well your WordPress website complies with industry standards.