WordPress files form the foundation of your WordPress website. The directory of files resides on a server – whether that server is owned and stored in your own office or managed by a hosting company. Inside those directories are various folders and files, each of which serves a purpose for delivering commands and serving up content to the end-user. The good news is that the WordPress file structure remains the same for all new WordPress websites, making it easy to understand how everything is configured. However, the files themselves, and the code attributed to each one, may seem confusing at first.

That’s why we’ll take an in-depth look at WordPress files and their purposes. From WordPress configuration files to the wp-content folder that stores and delivers all of your images. themes, and plugins, it’s important to understand the inner workings of the WordPress files for future management and website modification.

The Importance of Learning About WordPress Files

You may be wondering, what’s the point in learning about WordPress files and directory structures?

That’s a great question; in some instances, there’s no reason to learn about them at all. If you’re a non-technical website owner who would rather pass along that responsibility to your hosting company or a developer, you probably don’t need to know anything about the wp-includes folder or what .htaccess means.

If you’re comfortable leaving that type of management to other experts, like if you were to opt for a managed hosting plan, that leaves you more time and energy to focus on your day-to-day business tasks.

However, aspiring and advanced developers and designers, and really anyone who works with a website, need to understand the intricate workings of the WordPress file structure. In addition, even less technical website owners could learn a thing or two to help them with things like file uploads or protecting their databases in the future.

Here are some of the main reasons to learn about WordPress files:

  • Knowing about the WordPress file structure helps regular WordPress users solve problems on their own instead of reaching out to the hosting company or a developer, in turn, saving money and time.
  • You get a feel for the core files that help WordPress work its magic.
  • There’s a better understanding of how images and media uploads are stored, allowing you to opt for alternative upload methods like SFTP and figure out how to share them and protect them when needed.
  • You see where and how themes and plugins are stored, opening up options for other uploading methods and possibilities for figuring out problems that occur from plugins or themes.
  • It’s possible to moderate language files for reaching out to new customers around the world.
  • You can make simple modifications to your site without causing damage, seeing as how code edits in the dashboard aren’t recommended and it’s much easier to make the proper edits when you’re at least somewhat comfortable sifting through files.
  • There are options to set file permissions and restrict content from certain users, improving your security overall.
  • You’re able to use one of the many methods for uploading and downloading WordPress files. It’s possible you end up stumbling upon an easier or more practical solution.
  • You can generate backups of your website and protect your site files, removing questions as to how secure your website really is.
  • Developers with strong WordPress file knowledge are able to successfully transfer over file access to the site owners and resolve any problems that come along with the site.
  • It’s often required to tap into the WordPress files if a site is hacked or a conflict occurs that crashes the site. For instance, sometimes you need to remove or replace a damaged.
  • Troubleshooting WordPress errors is much easier when you’re comfortable navigating the WordPress files.

Where Are WordPress Files Stored?

Just as your computer software and media files are stored on internal hard drives, WordPress website files are placed on servers to ensure they’re able to deliver the wide variety of content, design calls, and actions that come together to present a full website experience to the user.

That server, sometimes called a machine or computer, is situated in some physical location. And that’s primarily what a hosting server is, a machine that looks and functions similar to your computer.

The physical location depends on how you plan on hosting your website. It’s possible to run a server from your own home or office. Many companies run their own server systems to maintain full control over their data. On the other hand, many websites are stored on remote servers, usually managed by hosting companies, like Kinsta.

Your WordPress site files are uploaded to an internet-connected server that’s able to protect and serve up the right files at the right times. In addition, the host server enables you to gain access to the files via a digital interface, even though the files themselves are elsewhere on a server in a data center.

There are many types of servers and hosting options, but some of them include the following:

The hosting you decide on ultimately depends on how much access and control you want over your site files.

Local Storage

It’s also possible to store WordPress files on a local machine. For instance, you can go to the WordPress.org website and download a zip file with the most recent version of WordPress and its files.

Many developers store their site files on a local computer for different reasons. First of all, you may want to develop and design a website in a less public setting prior to launching a website for the public to see. Going down this route means you’ll add to the original files and use a development sandbox and a desktop server like XAMPP or WAMP.

Click here to learn how to install a local version of WordPress.

The goal behind a local installation is to mimic the configuration provided by a hosting company. You get a similar hosting stack to serve up your files and generate the site functionality from your local files. It’s possible to render your in-progress website in the browser to test how progress is coming along. It’s also common to take advantage of a staging environment or a sandbox tool, which helps with development and testing, providing previews of your changes and a more user-friendly experience than you would see in your file directory.

How to Access WordPress Files?

Now we know the WordPress files are located on a server or a local environment. That’s great, but how do you access the files to add more to your website design, upload new themes, and organize items like your core files or media items?

Here are the several options to choose from for accessing and viewing and moderating your WordPress files:

Each of these methods is possible for finding and managing your WordPress files. However, some are better than others, and a few are not usually recommended.

Keep reading below to learn more about how to access files through the various methods mentioned.

Access WordPress Files Locally

It’s fairly simple to locate WordPress files stored on a local machine.

The first option is to download a blank copy of WordPress and use those files to learn about them and potentially manage your website prior to uploading them to a server.

In that case, the only requirement is that initial WordPress file directory download. After that, accessing the files is no different from clicking through your other files on a computer.

To begin, download the most recent copy of WordPress to your computer.

Click the Get WordPress button.

WordPress Core can be downloaded from the WordPress.org website.
WordPress Core can be downloaded from the WordPress.org website.

Then, click the most recent Download button. WordPress already has the current version displayed, so that’s normally the best bet.

Download WordPress Core.
Download WordPress Core.

Place the file on a local drive you’ll remember. Unzip that file to reveal the WordPress files. It should be named something like “wordpress-[version]”.

Click on that file and keep the zipped version in the same location.

Unzip the WordPress package after downloading.
Unzip the WordPress package after downloading.

All WordPress files are stored in a file named “WordPress.” Select that.

The "wordpress" directory containing core files.
The “wordpress” directory containing core files.

Now you should see a collection of folders and files like wp-content, wp-admin, and the wp-login.php file.

This is what the directory of files and folders looks like from WordPress. It rarely changes, except for when there are updates to the entire content management system.

You can open each folder to view the contents, while also opening and editing (if needed) the WordPress files below the primary folders.

WordPress core files.
WordPress core files.

In this scenario, the local WordPress files have no link to the internet or a server. Therefore, you’re open to make changes without any public repercussions. However, at some point, you’ll want to add the files to a development environment, and eventually transfer them to a live hosting server.

Access WordPress Files With an FTP Client

Another way to view and reorganize your WordPress files is with the help of an FTP (file transfer protocol) client. File transfer protocol links your local file environment to that of your live website on a hosted server. This way., you can instantly drag a file from your computer into your website files, without many limitations or the need to tap into your hosting dashboard.

Several FTP clients are available for you to use. Our guide for uploading HTML files to WordPress has steps on how to connect an FTP client and upload a file into your site files.

Below is a shortened version of that process using FileZilla as the FTP client:

To start, go to the Sites tab in your Kinsta dashboard.

Go to the "Sites" tab in MyKinsta.
Go to the “Sites” tab in MyKinsta.

Find the site you’d like to access the files for and click on it in your list.

Click on your site in MyKinsta.
Click on your site in MyKinsta.

Under the Info tab, locate the “SFTP/SSH” section. These are the credentials you’ll need to paste into the FTP Client in order to connect to the server. They include the “Host”, “Username”, “Password”, and “Port”.

SFTP/SSH credentials are available in MyKinsta.
SFTP/SSH credentials are available in MyKinsta.

Each FTP Client is a little different, but you can generally find the corresponding fields for connecting to the site server via the FTP.

For example, in FileZilla, the Quickconnect fields are at the top of the window, and they’re all named exactly like what you see in the Kinsta dashboard.

Paste those SFTP credentials into the Host, Username, Password, and Port fields. Click the Quickconnect button to proceed.

Connect to your Kinsta site with FileZilla.
Connect to your Kinsta site with FileZilla.

If you encounter an error it’s most likely due to the fact that FileZilla defaults to an FTP connection, whereas Kinsta requires an SFTP connection.

To resolve this issue in FileZilla, go to “File > Site Manager”, and change the “Protocol” field from FTP to SFTP.

Click the “Connect” button and everything should work fine.

Configure an SFTP connection in FileZilla.
Configure an SFTP connection in FileZilla.

The FTP client often takes just a moment to process the credentials and sync to your local files and ones on your server.

After you see the files on the server, locate the root file; click on the “public” folder to reveal all WordPress files currently installed on your website.

As usual, we see folders like wp-admin and wp-content, making it easy to identify when you’re in the right place.

WordPress Core files on a server.
WordPress Core files on a server.

Accessing WordPress files through an FTP client is only the beginning. You now have the opportunity to upload files, duplicate folders, and drag in items like themes and plugins. It’s also a great place to add your own custom coding, as long as you’re not editing core files that should never be touched.

Out of all the methods to access WordPress files, Kinsta recommends the FTP client process as the top solution. The only other alternative that makes sense in some situations is when utilizing a local environment for staging or testing purposes.

Access WordPress Files in cPanel

Finding and modifying WordPress files through cPanel is outlined in our guide for uploading HTML files to WordPress.

Overall, cPanel is a control panel provided by some hosting companies to access what’s called the File Manager in your hosting account.

Kinsta doesn’t use the cPanel dashboard. Instead, we use our custom-built MyKinsta dashboard which provides full SFTP access details for managing your site files.

If, however, you utilize a host that uses cPanel, follow these step to get to the WordPress files:

  1. Log into your hosting cPanel.
  2. Locate the File Manager button. Click on that.
  3. Use the various buttons like “Upload”, “Move File”, and “New Folder” to manage and modify what’s already sitting in your WordPress files.

You also often have the option to connect to via FTP through cPanel. This cPanel feature is usually called FTP Accounts or FTP Session control, typically located near the File Manager.

Access WordPress Files in the WordPress Dashboard

Technically, WordPress provides access to some files in the dashboard, most notably the theme files.

The reason for this is because the theme settings are presented in the dashboard and these files are required inside your dashboard to ensure proper functionality.

However, it’s highly recommended you skip the process of editing those files in the dashboard.

Here’s why you should avoid editing theme files by using the WordPress dashboard:

  • Changes may get overwritten when future WordPress or theme updates come along.
  • There’s no backup of your website theme files to ensure that changes aren’t causing any damage.
  • A direct edit to your theme could break your website, so it’s best to edit through the theme settings or by using a copy that’s edited in a development environment then transferred over via an FTP client.

Having said that, we understand that some people will go ahead and edit the theme files within the dashboard anyway. In addition, it’s not a bad thing to do if you’re simply messing with a template or testing out a website. However, we encourage you to avoid this altogether if working with an important website.

If you plan on moving forward with direct edits to the theme files, consider using a file manager that generates a copy of your files with a new name. Keep the original and only edit the duplicate version. These backup theme files ensure that you’re able to re-enable what you had before if you have problems.

To access the theme files in the dashboard. Go to “Appearance > Theme Editor”.

Access the WordPress theme editor.
Access the WordPress theme editor.

You’ll receive a warning about the dangers of modifying these files directly through the dashboard, so that serves as a nice reminder to not mess with this area!

Overall, this dashboard section has the following files and their contents:

  • style.css
  • functions.php
  • footer.php
  • header.php
  • index.php
  • sidebar.php
Edit the style.css file in the WordPress theme editor.
Edit the style.css file in the WordPress theme editor.

All of these files are stored in your website’s theme folder (which is located in the wp-content directory,) so you have the option to manage the files through a safer route. In addition, they’re all design files, making it easy to stick to the alternative editing solutions through the WordPress visual customizer tool.

Although this doesn’t give you direct access to your files, the customizer provides a safe environment for tweaking the look of your WordPress site. In addition, you can opt to add your own CSS code which then gets written into the site files after saving.

To follow this route, go to “Appearance > Customize” in the dashboard.

Customize the look of your WordPress site.
Customize the look of your WordPress site.

Now you have a full visual view of your theme, with real-time updates to the preview as you modify the settings. The advantage is that the preview doesn’t make an instant change to your live website. Instead, you get to check on the new designs then press the “Publish” button when it’s ready.

As you can see, various modules are available for indirectly editing your style files with settings for your site identity, colors, menus, widgets, and homepage settings.

Customize site identify, colors, menus, and more in WordPress.
Customize site identify, colors, menus, and more in WordPress.

As mentioned, the “Additional CSS” tab is the ideal section for adding styles to your site files without messing anything up with a direct file edit. In addition, you receive the benefit of being able to preview your modifications prior to saving. Simply paste or type in the desired code to the CSS module.

Add additional CSS to your WordPress site.
Add additional CSS to your WordPress site.

WordPress File and Directory Structure

Looking at the WordPress file and directory structure for the first time can make some users feel overwhelmed. However, it doesn’t take long to recognize these folders and files and familiar tools that work on your side to quickly modify website elements and incorporate unique code changes for advanced improvements to your websites.

Now that you have full access to the files, what’s next?

We recommend going through the following list of default WordPress files so as to get a full understanding of what each one does for your website and where they’re located within the WordPress folder directory.

What’s more, is that the structure of the file directory is nicely organized into categories so that you only need to work in one area to adjust things like design elements or view core files.

Although it may seem intimidating at first, keep reading to get a clearer picture of each file and how they can be used as valuable tools in your development process.


WordPress Core Files

If you’ve made it this far in the article, you’ve already had a glance at the WordPress core files.

Often referred to as a clean or blank WordPress installation, the group of files you initially download to install WordPress for the first time make up what’s known as “WordPress Core”.

These core files eventually end up forming the admin interface of your website and work together to deliver the right content to the frontend.

Quite a few core files exist, but some primary ones include:

  • wp-admin
  • wp-includes
  • index.php
  • license.txt
  • readme.html
  • wp-activate.php
  • wp-blog-header.php
  • wp-comments-post.php
  • wp-config-sample.php
  • wp-cron.php
  • wp-links-opml.php
  • wp-load.php
  • wp-login.php
  • wp-mail.php
  • wp-settings.php
  • wp-signup.php
  • wp-trackback.php
  • xmlrpc.php

Below is an example to give you an idea of what some of the core files look like. This is the wp-config.php file (which is provided from WordPress as wp-config-sample.php and either changed manually or automatically converted to a wp-config.php file depending on the installation process).

The WordPress wp-config.php file.
The WordPress wp-config.php file.

Most WordPress core files are annotated with comments that tell you what each function does, or sometimes straight out explains what the entire file does for your website.

Understanding the core files is imperative if you plan on troubleshooting common WordPress errors and moving around the backend of your website with knowledgeable insight. Not to mention, the core files truly show you how WordPress works as one unified ecosystem.

Get To Know the WordPress Core Files

The list of core files listed before is what you’ll get with every new WordPress download. They’re found by unzipping a WordPress installation file or accessing your current files site files through an FTP client or your host’s dashboard.

WordPress Core files.
WordPress Core files.

Each file has its purpose. Some are more important than others, while you shouldn’t have to think about some of the files too much. In the following sections, we’ll go into detail about the essential core files, outlining what each one does for your website and whether or not there’s any reason for you to edit those files. Not every WordPress file will be covered, only the notable ones.

The .htaccess File

The .htaccess file is part of WordPress’s top directory, serving as a basic configuration file on the Apache web server. If you’re hosting on Kinsta, you may notice that you can’t find the .htaccess file. That’s because Kinsta uses the Nginx web server, which provides better performance than Apache.

Overall, both Apache and Nginx offer similar options for adding special rules and configuring redirects.

We have a complete guide about the .htaccess file if you have sites on some other hosts. The Apache web server is most common for budget shared hosts, and it offers configuration settings to tell your web server how to work. In WordPress, the .htaccess file is particularly important for controlling your website’s permalinks and making them look clean and standardized throughout your website.

As mentioned, a Kinsta-hosted site owner won’t be able to locate an .htaccess file by going through an FTP connection.

Kinsta-hosted sites do not have a .htaccess file.
Kinsta-hosted sites do not have a .htaccess file.

However, for other hosts, the .htaccess file is listed in the top directory, near essentials like index.php and below the wp-admin, wp-content, and wp-includes folders.

A .htaccess file on an Apache server.
A .htaccess file on an Apache server.
When to Use the .htaccess file

Most of the time, the .htaccess file should be left untouched. However, there are several actions and redirects you can activate by adding to or changing the file.

In Kinsta, these actions are done in the MyKinsta dashboard. For instance, you can set up redirect rules, block IP addresses, and place a password on your site in the dashboard, all things you could typically complete with a standard .htaccess file.

Overall, the .htaccess file is best when you need to make the following rules or complete these actions:

  • Increasing the max upload size for media items and files.
  • Blocking access for specific IP addresses.
  • Setting up redirects from one URL to another.
  • Adding rules to the file so that cached content gets served up in a more efficient manner.
  • Redirecting HTTP to HTTPS.

The wp-config.php File

The wp-config.php file is both essential and highly useful for all WordPress users since it contains all basic WordPress settings. This means that the wp-config.php file lets you edit various areas of your WordPress site, from the database to making it possible to auto-update your WordPress version. Another reason wp-config.php is so important is because it offers options to activate a WordPress debugging feature, making it vital for troubleshooting in the future.

Accessible through an FTP Client, the wp-config.php file is found by going to the public (sometimes called public_html or www) file under your root directory.

You can locate the wp-config.php file near some of the primary WordPress folders, in the list of files like wp-cron.php and wp-comments.php.

The wp-config.php file contains global settings for WordPress.
The wp-config.php file contains global settings for WordPress.

Here are the default contents of the wp-config.php file:

* The base configuration for WordPress
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
* This file contains the following configurations:
* * MySQL settings
* * Secret keys
* * Database table prefix
* @link https://wordpress.org/support/article/editing-wp-config-php/
* @package WordPress

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'database_name_here' );

/** MySQL database username */
define( 'DB_USER', 'username_here' );

/** MySQL database password */
define( 'DB_PASSWORD', 'password_here' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

* Authentication Unique Keys and Salts.
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
* @since 2.6.0
define( 'AUTH_KEY', 'put your unique phrase here' );
define( 'SECURE_AUTH_KEY', 'put your unique phrase here' );
define( 'LOGGED_IN_KEY', 'put your unique phrase here' );
define( 'NONCE_KEY', 'put your unique phrase here' );
define( 'AUTH_SALT', 'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT', 'put your unique phrase here' );
define( 'NONCE_SALT', 'put your unique phrase here' );


* WordPress Database Table prefix.
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
$table_prefix = 'wp_';

* For developers: WordPress debugging mode.
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
* For information on other constants that can be used for debugging,
* visit the documentation.
* @link https://wordpress.org/support/article/debugging-in-wordpress/
define( 'WP_DEBUG', false );

/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', __DIR__ . '/' );

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';
When to Use the wp-config.php File

If you’re curious about the intricate details of this essential file, you can learn more about the wp-config file here. In general, it’s one of the most important files you have in the WordPress directory. That’s because much of the system infrastructure is configured using the wp-config.php file and it has definitions and PHP instructions to ensure that WordPress runs smoothly.

It’s not that common for a developer to access the wp-config.php file on a regular basis, but there are some reasons to consider modifying what’s in the folder or even what things are named:

  • For editing the entire file system, or at least the structure or naming of the folder so that hackers and other intruders can’t easily locate some of the more important parts of your file directory.
  • To put WordPress into debug mode or save queries that may be helpful when troubleshooting your system in the future.
  • When you need to modify content related settings. Many content settings are stored in the wp-config.php file. For example, you can change settings for WordPress revisions, how often you empty the trash, and how often an automatic save is completed.
  • Set your allowed PHP memory limit so that larger websites and multisite configurations end up working on WordPress.
  • When you need to update important security settings.
  • To change the settings for automatic updates to the WordPress core. Although it’s a good idea to keep an automatic update on for security purposes, there are some instances where deactivating this could be helpful.
  • To completely lock down the wp-config.php file so that no one can access it.

The wp-admin Folder

What’s great about the naming of these folders and files is that you quickly realize that they all make quite a bit of sense.

For instance, the wp-admin folder holds a wide variety of files and folders that control the WordPress admin dashboard. By this we mean the interface you log into every time you’d like to add a page or post to your website. Without the wp-admin folder, you wouldn’t have such a beautiful user experience when managing a website.

Also inside the root site folder, wp-admin is usually the first folder listed in your WordPress file directory, mainly since it’s in alphabetical order, but also because folders are usually listed prior to files.

The wp-admin folder helps render the WordPress admin dashboard.
The wp-admin folder helps render the WordPress admin dashboard.

Some of the files that make up the wp-admin folder include:

  • /css
  • /images
  • /includes
  • /js
  • /about.php
  • /admin-header.php
  • /admin.php
The contents of the wp-admin folder.
The contents of the wp-admin folder.

Many of these are considered core WordPress files, all of them coming together to formulate a solid infrastructure for the WordPress dashboard.

However, one, in particular, is rather important to know about. That’s the admin.php file.

The admin.php file contains important WordPress administration functionality.
The admin.php file contains important WordPress administration functionality.

The admin.php file serves as the primary engine that drives the wp-admin folder and brings together many of the other files to make them work. For example, the admin.php file checks admin permissions, blocking out users who shouldn’t have access to valuable parts of the dashboard. The admin.php file also links to the WordPress database and loads much of the admin dashboard.

Some other core files in the wp-admin folder include:

  • network.php – Controls the functionality of your WordPress multisite infrastructure.
  • users.php – The file that manages the user admin module, taking into account which users have admin access and which ones don’t.
  • update.php – Handles new updates to the WordPress system, like when WordPress comes out with a new version or you add or update a new theme or plugin.
When to Use the wp-admin Folder

Seeing as how the wp-admin folder should usually be left alone for the lifespan of your website, there’s not much to say about when to edit or use the wp-admin folder.

However, there are some instances where locating and replacing, or even renaming, the wp-admin folder can serve you well.

First, it’s not a bad idea to consider changing the location and permissions to your wp-admin folder. Anyone with some WordPress experience knows the location of these important files; it’s easy for them to find and tamper with them. That’s why strong permissions will block anyone from using them in the first place. Another option is to change the location and ensure that your wp-admin login URL is renamed so that it’s not easy to try a brute force login attempt. Even so, this is generally done with a plugin and not tapping into the file itself.

The other reason you may consider modifying the wp-admin folder is if it’s corrupted or hacked in some way. In this situation, you’re simply replacing the file with a clean one. So, you’re still not really editing any of the contents of the wp-admin folder, but rather swapping it out for an older backup of the folder or downloading and installing a new version.

The wp-includes Folder

Almost all of WordPress is reliant on the wp-includes folder. This core folder contains a myriad of packages waiting to get delivered for many of the frontend and backend elements of WordPress to perform.

One way of explaining wp-includes is that the folder provides the common functionality needed for the WordPress REST API. In simpler terms, that means the files in other folders utilize what’s inside the wp-includes folder, using those files as resources to complete their own tasks.

Think of the wp-includes folder as a toolbox. Other core folders and files like wp-content and wp-admin are the workers and leaders that reach into the wp-includes toolbox whenever something needs to get done.

For instance, if the wp-content folder wants to generate elements of a theme or plugin it first needs to consult with the wp-includes folder to ensure the elements are compiled the right way for WordPress. The same can be said about the wp-admin folder, except that wp-admin consults with the wp-includes folder for backend purposes.

Therefore, wp-includes is one of the most critical folders in WordPress, and it actually holds much of the major WordPress source code. This involves both the front and backend of WordPress, making it an all-encompassing folder.

Another way to think about the wp-includes folder is like a library, where the rest of the core files are researchers compiling information to complete a study or write a paper. All that powerful data is stored inside the wp-includes folder, so the researchers (other core files) always have to reach into the library to find exactly what they need.

Like some of the other core files already discussed, wp-includes is under the core public folder, in the list of folders with wp-content and wp-admin.

The wp-includes folder contains WordPress dependencies.
The wp-includes folder contains WordPress dependencies.

Seeing as how the wp-includes folder completes so many tasks when called upon and contains so much code, it makes sense that hundreds of files are packed into the folder.

The default wp-includes folder currently has 196 files and 22 directories.

Some of the directories include:

  • assets
  • blocks
  • certificates
  • css
  • fonts
  • images
  • requests
  • widgets

Some files include:

  • admin-bar.php
  • author-template.php
  • blocks.php
  • feed-rss.php
  • functions.php
  • http.php
  • plugin.php
  • post-formats.php
  • query.php
  • shortcodes.php
  • template.php
  • theme.php

Even just looking at those files shows the power of this directory. Those are all PHP files filled with code to allow those elements to function. You can see that wp-includes houses much of the activity coding for themes, queries, shortcodes, and widgets, only to name a few.

One crucial file from this directory is called functions.php .

The functions.php file contains additional website functionality.
The functions.php file contains additional website functionality.

It’s essential to know about the functions.php file because developers and site owners often use it to change or add features to websites. The functions.php file acts like a plugin, calling upon functions already implemented in your files to produce something new.

Unlike many files inside the core, it’s not considered a bad thing to edit the functions.php file, as long as you have the knowledge to do so.

Furthermore, this core functions.php file isn’t the only functions.php file available inside WordPress. Each theme you install on WordPress also has its own functions.php file, allowing you to incorporate theme-dependant features that only work if the theme is installed and activated on your website.

Therefore, the core functions.php WordPress file remains inside your file directory forever. Any changes you make to the file are reflected on your website until you remove that code. The functions.php functionality created from theme files gets removed when the theme is deactivated from your website.

When to Use the wp-includes Folder

The wp-includes folder contains an incredible amount of code to be used on the frontend and backend of your website. The core WordPress API is held in this folder, so it’s a good idea to leave it alone. In most situations, you could make it a read-only folder. The primary reason you may want to edit something in wp-includes is when messing around with the functions.php file.

Again, you’re better off skipping wp-includes when thinking about making edits, but here’s a list of the instances you may consider opening and using the wp-includes folder:

  • To hide or protect the wp-includes folder from the public. This can be done with the help of permissions or by hiding the file altogether. This is often completed with the help of a plugin.
  • To make edits to the functions.php file.

The wp-content Folder

The last core directory to keep your eye on is called wp-content. It’s arguably the most important folder from a user’s standpoint, considering it collects and stores all items that the user uploads to WordPress. Hence why it’s called wp-content, because the vast majority of user-generated content goes into the folder for delivery to the right places on your website.

Where is wp-content located? The same place as the other core directories, under the public directory and next to the likes of wp-admin and wp-includes.


The wp-content folder contains media files.
The wp-content folder contains media files.

Opening the wp-content folder reveals the folders that contain everything from themes to plugins and uploads.

Plugins, themes, and media are stored in the wp-content folder.
Plugins, themes, and media are stored in the wp-content folder.

Opening the “plugins” folder shows whatever plugins you currently have installed on your WordPress site. You have the option to add a plugin file into this folder via FTP, instead of uploading from the WordPress dashboard. The same can be said for the themes directory if you’d like to upload theme files directly.

The plugins folder contains all the code for your WordPress plugins.
The plugins folder contains all the code for your WordPress plugins.

Speaking of themes, the themes directory holds every theme folder you have installed on your site, not just the one that’s currently active.

WordPress theme assets are stored in the themes directory.
WordPress theme assets are stored in the themes directory.

Finally, a deeper dig into the uploads directory brings you to a collection of images and other media types stored in the WordPress Media Library. In short, anything uploaded to WordPress goes here. You can drag in a JPG or PNG file from your computer (if working through an FTP client) or even remove one of the uploads if you’re having trouble getting rid of it through the dashboard.

The uploads folder contain your media library's images, videos, and more.
The uploads folder contain your media library’s images, videos, and more.
When to Use the wp-content Directory

When working with WordPress, there are several situations where you may want to interact with the wp-content directory. It’s not as off-limits as some of the other core files, seeing as how this is where your uploads, theme files, and plugin files end up. In addition, the non-technical WordPress user can understand that a PNG file is an image, making it more akin to an interface that the average user is comfortable with.

Here are some cases where you may tap into the wp-content directory:

  • If you’d like to rename the directory – The wp-content name isn’t required. Some people change the name so as to hide it from potential attackers. The WordPress directory structure is common knowledge, so someone who gains access to your files would have a harder time finding your wp-content directory.
  • When fixing errors – When an error occurs on your website it’s possible that a theme or plugin caused the crash or error. If you can’t access WordPress admin or the dashboard, going to the wp-content folder is a way to modify or remove elements that cause the error in the first place.
  • To upload content through an FTP – Sometimes it’s easier to add or remove an image or theme file through an FTP connection rather than doing so in the WordPress dashboard.

A Recap of the Core Files and Folder

The WordPress core files go much deeper than this, yet the ones covered so far come together to push WordPress towards full functionality. As a summary, here’s a shortlist of each WordPress file and directory we’ve discussed, with descriptions to go with them:

  • .htaccess – Takes control of all files and folders and grants access to them when needed. It’s also the file that handles the permalink structure. If working with a site on Kinsta, you won’t have an .htaccess file. Instead, the vast majority of capabilities are completed on the Kinsta dashboard.
  • wp-config – Limits its primary functionality to controlling things like automated updates and the database configuration. Basic WordPress settings are also handled in the wp-config folder.
  • admin.php – This is the file that carries the load for the backend, telling the admin dashboard how to function.
  • wp-includes – Contains most of the standard WordPress coding and serves as the library of resources whenever another file needs to complete a task, both on the frontend and backend.
  • functions.php – There’s one of these files inside the wp-includes directory as well as inside theme files. The file can be edited for adding new features to your website or to modify features already implemented by default.
  • wp-content – This file stores any items you upload or add to your website as an admin or user. Some examples of content stored here include themes, plugins, and images.

WordPress Template Files

A template file often gets confused with a theme file, but it’s actually part of a theme directory, handling elements of your theme’s display and layout.

Although not all of them have the word “template” in their file names, the majority of files inside a theme directory are in fact template files (not the functions.php file).

The template files provide just that, templates for WordPress to render components of a theme the way you want them to appear. For instance, you would have a template for the comments section in most themes.

WordPress template files.
WordPress template files.

Other template files include the following:

  • 404.php
  • archive.php
  • content.php
  • footer.php
  • header.php
  • index.php
  • sidebar.php
  • page.php

These are commonly used for editing parts of your theme, separate from any edits made directly to the core WordPress design and functionality. Therefore, any removal of the theme would also take away any changes you made inside the template files.

The structure of theme directories makes quite a bit of sense, seeing as how you can go into the files and modify something like the header.php file to make the header look or act differently. The same can be said for the sidebar.php or the footer.php files. Any change to the footer.php file only affects the footer inside the theme, nothing else.

There are even specific templates for full pages, often named after those pages, like one for a full-width page or the home page.

The Storefront theme contains full-width and home page templates.
The Storefront theme contains full-width and home page templates.

Below is an example of a homepage template:

* The template for displaying the homepage.
* This page template will display any functions hooked into the `homepage` action.
* By default this includes a variety of product displays and the page content itself. To change the order or toggle these components
* use the Homepage Control plugin.
* https://wordpress.org/plugins/homepage-control/
* Template name: Homepage
* @package storefront

get_header(); ?>

<div id="primary" class="content-area">
<main id="main" class="site-main" role="main">

* Functions hooked in to homepage action
* @hooked storefront_homepage_content - 10
* @hooked storefront_product_categories - 20
* @hooked storefront_recent_products - 30
* @hooked storefront_featured_products - 40
* @hooked storefront_popular_products - 50
* @hooked storefront_on_sale_products - 60
* @hooked storefront_best_selling_products - 70
do_action( 'homepage' );

</main><!-- #main -->
</div><!-- #primary -->

These full template files typically hook into other files to render a nicely formatted design. The homepage, for example, includes hooks for parts like product categories and galleries, seeing as how I’m using an online store theme right now.

The template files covered before, like header.php, footer.php, and sidebar.php, are considered “template partials;” they are included as a portion of another template file. Like in the template-homepage.php file you may notice that it calls to the header.php file to include it as part of the template.

When to Use WordPress Template Files

Dozens of template files exist, some of which are full-page template files while others are partial template files. Consequently, it depends on the file when deciding what you plan on using them for.

It’s safe to say that any edit of a template file dynamically changes the layout or style of your website, as long as that template is being used in the first place.

As an example, inserting the get_header() template tag in the page.php file ensures that the header template you (or the theme developer) designed gets placed in all WordPress pages with the default template. This comes in handy for dynamic design, instead of editing every page individually.

Here are some other times you may edit template files:

  • When making a duplicate index.php file to perform edits to the main template file. It’s not wise to make direct changes to the original index.php file.
  • To add your own CSS to the style.css file.
  • To dynamically modify the look of common templates like home.php, page.php, and single.php to see those changes reflected on all pages or posts.
  • To remove or add optional elements like comments, sidebars, and author pages. These, in particular, are blocked using the comments.php, sidebar.php, and author.php files, respectively.
  • To make calls to partial template files in your full template files, like hooking to the footer.php file for all pages or posts.

WordPress Theme Directories

Theme directories (also called files or folders) organize the previously discussed template files.

The theme files are the folders you download from theme developers, whether it’s a free theme from the WordPress Theme Library or from a premium developer like one you’d find on Themeforest.

The theme folders are located under wp-content themes in your core WordPress file directory.

The theme files themselves are usually named after the theme you decide to install on your WordPress site, such as /twentyseventeen for the Twenty Seventeen theme.

WordPress themes are stored in the themes folder.
WordPress themes are stored in the themes folder.

The theme files hold everything needed to incorporate the theme’s functionality and design into your site.

This includes the many template files covered above, but technically, the only required theme files are as listed below:

  • style.css
  • index.php
  • comments.php
  • screenshot.png

These are required of a theme when submitting it to the WordPress Theme Library. It’s the bare minimum, but it makes sense seeing as how the style.css file contains the theme’s main stylesheet, the index.php file is the primary template file, the comments.php file is for including comments when allowed, and the screenshot.png file shows people downloading the theme what it looks like.

Other than that, theme file structures vary based on the theme’s purpose and how the developer likes to organize the files.

Take the Twenty Nineteen WordPress theme as an example.

The folder has expected files like 404.php, functions.php , and page.php.

Yet, the developer decided to include the following folders for organization purposes:

  • /classes
  • /fonts
  • /inc
  • /js
  • /sass
  • /template-parts
WordPress themes often containing additional folders for organizational purposes.
WordPress themes often containing additional folders for organizational purposes.

If we take a look at the popular Storefront Theme for WooCommerce, you’ll notice that not only do some of the template files vary, but the developer structures the folder directories in completely different ways.

Instead of having a separate fonts folder, it’s located under the assets folder. There are also some other folders in Storefront that we don’t see in the Twenty Nineteen theme:

  • /assets
  • /docs
  • /e2e
  • /inc
  • /languages
  • /projects
The file structure of the Storefront theme.
The file structure of the Storefront theme.

Overall, those folders are named differently because the themes have their own individual style and functionality, meaning that not all of the files are going to be the same. In addition, it’s clear that developer preference comes into play as well, from the naming of the files to the organization of the directory.

When to Use WordPress Theme Files

WordPress theme files are well-known to all WordPress users since even non-technical site owners typically need to work with them.

Although WordPress theme files have many applications, here are some primary instances to consider:

  • To upload and activate a full WordPress theme through an FTP client, instead of searching for and installing a theme on the dashboard.
  • When looking to troubleshoot an error on WordPress where you need to either delete or remove a full theme file or one of the files inside the directory.
  • To incorporate new stylings or hooks in your template files.
  • When you’d like to modify your style.css file by adding your own code.
  • To remove or modify partial or full template files for styling purposes.

WordPress Language Files

Yet another area to think about in the wp-content directory involves languages.

A languages file can be stored in the wp-content directory when you’re running a non-English WordPress site.

In addition, language files are often included with plugins and themes, making it easier for you to translate the backend or frontend interfaces for those extensions.

A language file utilizes a framework set forth by WordPress so that WordPress developers can add written words to their plugin, theme, or even WordPress itself.

As mentioned, there’s a framework already in place to establish language rules, many of which are default messages or wording throughout the WordPress dashboard. However, language files are used to customize these messages or translate them into different languages entirely.

The idea behind a language file is similar to that of a child theme or duplicate index.php file. The goal is to not directly edit any program files, whether that’s inside WordPress or a plugin.

A simple example of the language framework in place can be shown when looking at the WordPress login module or the dashboard.

It’s easy to skim past all the written text in WordPress, but they’re all created using a file. For example, most of the language written on the login page is stored in WordPress’s core language file.

WordPress translation strings.
WordPress translation strings.

Even the little bits of text used all over your WordPress plugins, for things like tab labels, fields, and headings, get powered by a language file somewhere – in the case of a plugin like Yoast SEO, that plugin has its own language folder. The same can be said for themes.

Yoast has its own language folder.
Yoast has its own language folder.

Overall, a language folder doesn’t only set the geographical language but the default wording in English. So, you may find that a language file in your theme simply needs an edit to replace one English word with another. You could technically personalize the WordPress dashboard all you want, such as changing the Settings tab in the dashboard to “Design Stuff.” The Say What plugin is a decent solution for modifying those types of language strings without tampering with the core files.

Having said that, the language files are also there for translating plugins and themes and WordPress into an entirely different language altogether.

When to Use WordPress Language Files

Language files control the wording throughout your entire WordPress interface, and they empower you to modify that wording or translate it into other languages.

We’ll explain the best way to adjust language files below, but first, here are some situations in which you may need to do so:

  • When WordPress, a plugin, or theme isn’t made in your native language and you’d like to translate the interface to make it understandable for you.
  • You can translate an entire site if your core userbase utilizes a different language, or if you’re planning on expanding to a new market.
  • To modify the default wording for your dashboard, plugin, or theme interface. The files allow you to change just about any text on buttons, tabs, or forms.

Now, how do you go about finding and using those language files? Luckily, WordPress already has a method for changing the site language, all without touching your core files.

In the WordPress dashboard, go to “Settings > General”.

Scroll down to the field called Site Language. Use the dropdown menu to select a new language. Be sure to save the settings.

WordPress site languages.
WordPress site languages.

After that, much of the dashboard interface gets translated into the language you chose, in this case, German.

German translation of the WordPress dashboard.
German translation of the WordPress dashboard.

Does that also translate all the plugins you have installed? Will the frontend of your website show a new language as well?

It depends.

The caveat behind a system-wide translation is that each of those other elements also needs to have the correct language file inside the plugin files. If, for example, a German language file exists in the Yoast SEO plugin, WordPress will go ahead and use the corresponding language file to translate the plugin as well. The same goes for WordPress themes.

Language support isn’t standardized, so it’s best to check the feature lists from the plugins and themes you plan to install.

features for language support

It’s also important to mention that language files must sometimes be activated through the theme or plugin itself. Therefore, if you’re having a problem translating, seek out the plugin or theme settings that allow for the change instead of relying on the general language settings in WordPress.

As for simple language modifications (like changing a menu label in the dashboard,) we recommend the Say What plugin, Polylang, or a comparable plugin.

Finally, there are far more advanced language and translation capabilities for expanding the language reach on the frontend of your site. For instance, Polylang, TranslatePress, and Translate WordPress all provide excellent features for localization, frontend language pickers, and automated multilingual functionality. We recommend checking out our full multilingual WordPress guide to understand the benefits and methods for translation.

All About WordPress File Permissions

Checking the WordPress file and server permissions is one of the fundamental ways to improve WordPress security.

In short, WordPress file permissions restrict who can access files and what can be done with those files.

It may seem as if the strongest of file permissions is the most logical solution, but permissions that are too strict may end up causing problems with the functionality of your site. This is because your WordPress files need to be accessed by other files on a regular basis. You don’t want to lock them away so tightly that it’s impossible for them to do their jobs.

However, not having the right file permissions could open up an admin file to potential hackers or other intruders. Internal users should also be restricted from the right files to prevent any human errors that may occur.

How WordPress File Permissions are Structured

Computer file systems use permissions to indicate which users and other files can read, write, modify, and access the files.

Seeing as how WordPress files are stored on computer servers, the file permissions work in the same manner.

You can assign one of three permissions to each website file:

  • Read – Indicates that a user can read the file.
  • Write – Indicates that a user can edit or add to the file.
  • Execute – Indicates that a user can execute the file as a script or run the file.

The same permissions are applicable for website directories, or collections of files.

Changing File Permissions

In WordPress, file permissions are set automatically to ensure your website runs smoothly and it’s protected as much as possible. However, there are times where you may need to change a file permission to access a folder or to boost your security.

It’s possible to modify your file permissions through an FTP Client, your host’s cPanel, or by using a WordPress plugin.

If you plan to go the plugin route, the iThemes Security plugin is a viable solution for scanning permissions and potentially making changes.

Kinsta doesn’t utilize a cPanel, so we’ll show you how to look at and alter permissions through an FTP client.

The process varies depending on the FTP tool, but FileZilla (and many other clients) allows you to right-click on any file and locate the File Permissions tab.

WordPress file permissions.
WordPress file permissions.

A new window appears for you to change file attributes and permissions. As you can see, files generally have permissions for the owner, the group, and for the public.

The owner refers to admin access. Group permissions are for users in your organization, and the public is everyone else, like random visitors who make accounts on your website.

Each category has the three permission options of Read, Write, and Execute. It’s possible for a file to be Readable, Writable, and Executable for one category, most likely the Owner.

File permissions can be specified by providing a numeric value.
File permissions can be specified by providing a numeric value.

You may also notice that a “Numeric Value” field is listed below the permissions. The numeric value is rather important as well. It’s a three-digit number, where the first digit indicates owner permissions, the second shows group permissions, and the third explains public permissions.

So, for example, the 7 in our numeric value for the wp-content folder only dictates what’s going on with the owner permissions. Because of this, the numbers in the Numeric Value field change when you check or uncheck a box in the permissions.

Here’s what the most common values mean:

  • 755 – The owner can read, write, and execute. Everyone else can read and execute the file but not make any alterations. 755 is the standard for public files.
  • 644 – The owner has read and write privileges while others can only read the file.
  • 711 – The owner can do anything but all other users only have the execute capability.
  • 700 – The owner has full control and everyone else is blocked from doing anything, including reading the file. This is one of the highest security permissions.
  • 600 – The owner has read and write permissions. Everyone else is blocked entirely. The 600 value is even more secure than 700, making it best for private text files.

Although you typically shouldn’t have to change permissions much, below are a few suggestions for peak security and functionality within your files and directories:

  • The wp-config file should have a 440 or 400 value so that outsiders are unable to read the file. This also restricts the owners from making mistakes with the file.
  • All other WordPress files should have a 644 or 640 numeric value.
  • Directories require full owner control, so permissions of 755 or 750 are recommended.
  • Don’t ever have a permission value of 777. Groups, and the public, don’t need full access to edit your WordPress files. This goes for upload files as well, even if some of them don’t seem all that important.
  • The .htaccess file is yet another extremely important core file. Therefore, a permission of 440 or 400 is suggested. There’s no reason to provide full writing or executing access to anyone, including the owner. This prevents accidental errors.

To explore the in-depth nature of file permissions and how to change them, view the WordPress support article on Changing File Permissions.

Restrict Access to Media Files in WordPress

Media files are front-facing elements in your WordPress file directory, where all users see them and often have the ability to copy or save them from a browser.

In fact, the average user comes to your site and has the opportunity to find the direct link to that file and download it to their own computer.

Media uploads are some of the least protected elements in your file directory. Sometimes that’s not a problem. Many bloggers would rather have their photos and videos shared across the internet, even if it means those users doing the sharing are technically breaking copyright laws.

Having said that, other businesses have more private data being stored in their media files, or the media is what’s being sold in the first place; think photographers and video creators who want to prevent their images from being pulled from their websites for free.

Media file restrictions are also useful if you run a multi-author publication, since it can get cluttered and confusing for your authors to see the files from every other author in the organization.

Whether you’d like to keep media private for security or for organization, there are special ways to go about restricting access to your media files in WordPress.

The first method entails an edit to your primary functions.php file.

Open the file in your FTP client and add the following code.

// Limit media library access

add_filter( 'ajax_query_attachments_args', 'wpb_show_current_user_attachments' );

function wpb_show_current_user_attachments( $query ) {
$user_id = get_current_user_id();
if ( $user_id && !current_user_can('activate_plugins') && !current_user_can('edit_others_posts
') ) {
$query['author'] = $user_id;
return $query;

After you save the file, the new code checks what each user can do on your website. Media is displayed based on their current user types and checking if those user types allow them to complete tasks like editing posts or activating plugins. If those user type requirements aren’t met, the media files are blocked.

If you’d rather utilize a plugin for restricting access to media files, check out plugins like Prevent Direct Access (with the File Access Restriction extension) or File Manager Advanced to gain control over how your media files are shown to others. Other plugins, like Photo Gallery by 10Web, make it impossible to right-click and download media files. Although it’s not a perfect blocking solution, it adds to the security.

Managing and Moderating Your WordPress Files

Accessing your WordPress files is done through an FTP client, your host cPanel, or the WordPress dashboard.

If you have questions about tapping into your files through an FTP client, or any of the possible methods, refer back to the section titled “How Do I Access WordPress Files?” earlier on in this article. The guide on how to use SFTP to connect to your WordPress site is also a useful resource.

But what happens when you get to your files? Many of the sections in this article outline situations in which you may find yourself editing or moving WordPress files, yet it’s also essential to know about some of the simpler tasks, whether it’s done through the dashboard, an FTP client, or another means.

For instance, you may wonder how to upload or download a file to WordPress and which methods are the best for doing so. The same can be said for site backups or the organization of media files, since the usual FTP solution is not always the best route.

Keep reading for clarity on these topics.

How to Upload Files to WordPress

There are numerous file types that you can upload to WordPress. Common examples include:

  • An HTML file for verifying your website ownership or changing your website design.
  • A media file, such as a PNG, JPEG, or video.
  • A new theme or plugin file to change the functionality or look of your site.
  • A document to be displayed on a page or blog post for informational purposes.
  • Audio files to present music for a band or to sell stock clips.

WordPress has a long list of supported file types for uploading through the dashboard. These include options like JPG, PNG, PDF, MP3, WMV, and many more.

Most file types being uploaded to the dashboard are media elements, whereas design files like HTML documents usually get uploaded through an FTP client (although some situations allow for an HTML file to be uploaded through the dashboard or your cPanel).

Your file type, and the reason you’re uploading the file in the first place, generally decides your method of upload. We’ll cover the most common file upload methods for WordPress files, both for your core files and other site items like media.

Upload WordPress Files Through the Dashboard

Uploading options are plentiful in the WordPress dashboard. You have choices for importing files, uploading photos to pages, and even uploading elements through plugins you have installed.

The first, and most basic, file upload to WordPress involves media. Whether it’s a picture, video, or audio clip, they all get stored in the Media Library. For a full look into the topic, read our in-depth guide on the WordPress Media Library.

The simplest way to upload a WordPress file to the Media Library is to go to your dashboard and click on Media > Add New.

Add a new file to the WordPress media library.
Add a new file to the WordPress media library.

Click the Select Files button to open a window that reveals the files on your computer.

Upload media files to your WordPress site.
Upload media files to your WordPress site.

Locate the file you’d like to upload and click the Open button. As mentioned before, WordPress supports a wide range of files, particularly when it comes to media. However, you may encounter an error if your file type isn’t allowed.

Select a file to upload to your WordPress site.
Select a file to upload to your WordPress site.

Now the file is located in your dashboard’s Media Library along with the wp-content folder of your core site files. You can locate the new media file in the wp-content folder by using an FTP client.

As for accessing the file in the dashboard, all you have to do is click on the Edit button to see its details.

Edit uploaded media files.
Edit uploaded media files.

The Edit page shows several options for editing the photo file, adding metadata, and more. Each media file uploaded to WordPress receives a file URL, or the internet address on which that file is located. If you copy that URL into a browser the file will appear on your screen.

Uploaded media have unique file URLs.
Uploaded media have unique file URLs.

Another common way to upload a file through the WordPress dashboard is on a page or post.

For this, go open a new or old page or post and search through the Gutenberg modules. The classic WordPress interface has a Media button to upload files there.

Just about every block under the Media section in Gutenberg has an option to upload a file to WordPress. For instance, you could choose the Video block and upload a file, or the Gallery block to upload several image files.

Search for Gutenberg blocks.
Search for Gutenberg blocks.

Here’s a visual. When you choose the Image block it shows up in the WordPress blog post editor.

An Upload button appears for you to go through the same process of opening a file from your computer files and adding it to your site. As always, a file uploaded through this method is also placed in your Media Library and the wp-content folder.

Upload an image in the Gutenberg editor.
Upload an image in the Gutenberg editor.

Once the file is uploaded it also appears on your post or page, seeing as how that’s often the place you’re attempting to place it anyway.

Edit your post after uploading an image in Gutenberg.
Edit your post after uploading an image in Gutenberg.

There’s a generic Files block as well. This allows you to upload anything from HTML files to PDF documents. Use this guide if you encounter an error telling you that a file is not allowed for security purposes.

Gutenberg includes a files block.
Gutenberg includes a files block.

Overall, the dashboard is littered with areas to upload files.

You may find that a specific plugin has features to upload unique documents or media files, or even display them in certain ways. A gallery plugin provides this type of functionality, where the files uploaded get reorganized and placed into a clean gallery design.

Another example is WooCommerce. All WooCommerce stores offer product pages with several buttons to upload images and other files. For instance, you can upload a media file to the description, for the product image, and in the product gallery.

WordPress supports multiple methods for uploading images.
WordPress supports multiple methods for uploading images.

In addition, several common website design uploads are done in the WordPress Theme Customizer.

To locate these file upload buttons, go to Appearance > Themes in the dashboard.

Upload files in the themes editor.
Upload files in the themes editor.

Find your current theme and click the Customize button.

Customize the Storefront theme in WordPress.
Customize the Storefront theme in WordPress.

The next page shows the WordPress Customizer with a collection of editing tools in the menu. You can also see a preview of your website.

Everything from the Site Identity to the background tabs provide upload buttons for additional WordPress files. The advantage of working in this area is that the uploaded files are often automatically styled and formatted for you after the upload.

Customize site identity, header, footer, and more in WordPress.
Customize site identity, header, footer, and more in WordPress.

A great example is found under the Site Identity tab. This is where you upload the site logo file.

Upload a logo to your WordPress site.
Upload a logo to your WordPress site.

Another one is the Header tab, where it offers a button for uploading a header file in the form of a media item.

Add a header image to WordPress.
Add a header image to WordPress.

Finally, the WordPress dashboard provides an import tool for uploading website file collections, often for when you’d like to transfer a website’s posts and pages from another platform or a different WordPress website.

These file upload features are located under “Tools > Import” in the dashboard.

The import tool in WordPress.
The import tool in WordPress.

WordPress allows for file imports from platforms like Blogger, Tumblr, general RSS feeds, and more.

Therefore, you must select the origin of your site files to complete the upload and make for a simple site transfer.

For this tutorial, we’ll launch the WordPress Importer. Click on the Install Now button.

Launch the WordPress importer.
Launch the WordPress importer.

Once the importer is installed, click the “Run Importer” link.

Run the WordPress importer after installation.
Run the WordPress importer after installation.

Now you have the opportunity to upload an import file from your computer. Keep in mind that the success of your upload depends on the platform you’re pulling data from. For instance, the WordPress Importer requires a WordPress eXtended RSS (WXR) file stored as an .XML file.

After clicking the Choose File button, select the Upload File and Import button to complete the process.

Choose an import file in WordPress.
Choose an import file in WordPress.

Upload WordPress Files Through an FTP Client

We already covered how to access your files through an FTP client, but what about actually uploading those files while in the client?

Although each FTP client has its own unique features and interfaces, it’s usually the same idea, with two options for uploading a file to your WordPress website.

After you’re connected to both your site files and local files, drag a local file to the desired location in the WordPress directory.

Transfer a local file to your WordPress server.
Transfer a local file to your WordPress server.

Another option is to right-click the local file you’d like to upload and select the Upload button. This automatically adds the uploaded file to the current folder you have open for your site files.

Upload a file to your WordPress server.
Upload a file to your WordPress server.

The FTP client works similar to your computer, where it will ask if you’d like to replace a file with the same name.

Overwrite files in WordPress.
Overwrite files in WordPress.

Upload Files Through cPanel

The final way to upload a file to WordPress is through a host’s cPanel module. Kinsta offers its own hosting dashboard without the traditional cPanel. Therefore it’s not recommended to utilize this technique if you’re migrating to Kinsta.

If you’re wondering about using the cPanel for file uploads on another hosting account, check out our guide on uploading HTML files to WordPress, as this has a section that covers the cPanel as well.

How to Download WordPress Site Files

Downloading a WordPress site file often works in the exact opposite direction of uploading a file.

The dashboard doesn’t have many tools for downloading files from its interface, but there are a few tricks if you locate a file that needs to be placed on a local machine for use elsewhere.

Your best bet is to go to the Media Library in the dashboard and look for the desired file.

Go to “Media > Library”.

Upload to the WordPress library.
Upload files to the WordPress library.

Every item you’ve uploaded to the Media Library can be downloaded to your local device.

Therefore, search for the file you’d like to download and click on the thumbnail to open up its file details. For this instance, we’d like to download a PDF file that’s stored on the example website.

Search for a file in the WordPress media library.
Search for a file in the WordPress media library.

All Media Library items are assigned a File URL. You must go to this URL in order to download the actual file to your computer.

That’s possible by either copying and pasting the URL into a new browser window or clicking on the View Attachment Page link.

View the attachment page in the WordPress media library.
View the attachment page in the WordPress media library.

Every file type is different in how you would download it to your computer. The process also varies a bit based on your browser and the software or extensions you have installed for opening those files.

For instance, my browser opens the PDF file through a Chrome PDF extension I have installed. You may also get sent to something like Adobe Reader or have the file automatically downloaded to your machine.

In my situation, I would click on the Download icon in my browser.

Download a PDF file in WordPress.
Download a PDF file in WordPress.

Image files are usually more predictable. All you have to do is go to the image file URL, right-click on that image, and select the Save Image As option. This then asks you to name your file and choose the folder in which you’d like to place the file on your computer.

Regardless of the method or tools used, this is usually one of the fastest ways to download simple media and asset files from your website to a local machine.

Save an image in WordPress.
Save an image in WordPress.

If you’re in a situation where you need to download an XML file that contains items like posts, pages, or products, the standard solution is to go through the Export feature in WordPress.

For that, go to Tools > Export in the dashboard.

Export a backup file from WordPress.
Export a backup file from WordPress.

Identify what you want to download as an XML file. You can choose from a wide variety of elements, such as orders, products, media, coupons, and pages. You also have the option to download all content from your website.

Everything is consolidated into an XML file because this is often quite a bit of data to download from your site, and the XML file is easy to upload to a new website at a later date.

To finish the process, click the Download Export File, then place it wherever you want on your computer.

Download an export file from WordPress.
Download an export file from WordPress.

The last method for downloading a WordPress file is by going through your FTP client. Much like uploading a site file with an FTP client, downloading is completed two ways.

You could drag the file you’d like to download from the live site area to the area that shows your computer files. That simply requires you to hold down your mouse and move the file over.

The other option is to right-click the file from your WordPress site and select the Download button. Most FTP clients automatically drop that file into the computer folder you have open in the client.

Download a file from an FTP client.
Download a file from an FTP client.

How to Backup WordPress Files

A WordPress file backup is one of the most important security protocols for any developer to follow. Not only does a backup save a picture of a website at a certain period of time, but it’s available for you to restore in case something goes wrong with the site.

Technically, you could manually make a backup of your core WordPress files with an FTP client. To do so, locate the /public directory that holds all core WordPress files from that website.

Right-click on the folder and Download all files inside the directory to a location on your computer.

Backup your WordPress site via FTP.
Backup your WordPress site via FTP.

There’s nothing wrong with the occasional local download of your core files. However, there are several downsides of having this as your sole backup method:

  • It opens up the potential for human error, like choosing the wrong files, forgetting where you saved the files, or not completing the backup on a regular basis.
  • An automatic backup ensures that you always have an up-to-date version of your backup files, whereas a manual backup could be from months ago.
  • There’s still other data that requires backing up if you plan on restoring your entire website. For instance, content, like posts, need saving, as well as your database.
  • Saving to your local computer isn’t as safe as loading to a cloud environment. Ideally, you’d have a backup on both local and cloud areas.

So what are the best options for backing up WordPress files?

At Kinsta, we support six types of backups – daily, hourly, manual, system-generated, external, and downloadable backups. Other hosts may provide backups, but it’s more likely you’ll need a WordPress backup plugin. If you’re in this situation, we highly recommend opting for an incremental WordPress backup plugin, like from the list of options here.

Incremental backups ensure that file storage is optimized by only making backups when necessary, or when a change on your website has occurred. This minimizes the dozens of backup files that would otherwise occur for no reason, only cluttering up your WordPress file directory and potentially slowing down your website.

Backing Up WordPress Files in Kinsta

By default, all sites on Kinsta are backed up daily, and you can restore to a previous backup anytime in the MyKinsta dashboard.

As a short recap of the more in-depth article on initiating backups, the MyKinsta dashboard provides a Backups tab, found by going to the Sites tab, choosing your website, then clicking on the Backups menu item. Several file backup options are available to choose from. You can opt to run multiple backups for security purposes or select one that’s most convenient for you.

Kinsta provides a variety of backup types.
Kinsta provides a variety of backup types.

Click on the Manual tab to see options for backing up your site files whenever you want. There’s a limit on Kinsta for manual backups, but it’s a great option if you’re in need of an immediate backup.

Manual backups in Kinsta.
Manual backups in Kinsta.

The System Generated tab creates file backups when specific actions are completed on your site or Kinsta. For instance, the use of the Search-Replace tool, or pushing a Staging environment, triggers a System Generated backup. Essentially, it’s for situations where a backup is extremely important.

System generated backups in MyKinsta.
System generated backups in MyKinsta.

The External tab asks whether or not you’d like to activate a site file backup on a cloud system like Amazon S3 or Google Cloud Storage. These are excellent for complementary storage, if you’d like to double down on your system security to make sure a backup is safe at all times.

Check out our guide on running external backups if you plan on going this route.

Kinsta supports external backups to S3 and Google Cloud Storage.
Kinsta supports external backups to S3 and Google Cloud Storage.

The Download tab generates a downloadable backup and stores it to your computer, much like a backup done through an FTP client. The main difference, and advantage, of downloading a site zip file from Kinsta is that it also includes an SQL file with the contents of your database.

Kinsta supports downloadable backups.
Kinsta supports downloadable backups.

Restoring a File Backup

A backup restoration depends on your hosting. If using a WordPress backup plugin, you’ll need to navigate to the settings area of that plugin to find a Restore button.

It’s also possible to restore many of your site files through an FTP client, but we typically suggest utilizing a plugin or the MyKinsta dashboard for simplicity.

All WordPress site restoration strategies are covered in this article, including the following options:

  • Restoring a backup through MyKinsta.
  • Restoring a backup to a staging environment.
  • Restoring WordPress files with a plugin.
  • Restoring with phpMyAdmin.
  • Completing a WordPress backup restore with cPanel.
  • Manually restoring through the dashboard or using SFTP.

Feel free to explore all backup restoration methods in the stated article. For the easiest backup restore, consider the following steps in the MyKinsta dashboard.

In MyKinsta, go to the Sites tab.

Select the site for which you’d like to restore a backup file.

Select a site in MyKinsta.
Select a site in MyKinsta.

Click on the Backups tab. This reveals those backup options we covered before.

Backup options in MyKinsta.
Backup options in MyKinsta.

You can decide to restore a backup file from any of the backups you’ve already created, like External, Downloads, or Manual backups.

In MyKinsta, the most common is the Daily backup. Therefore, you can look at the list of previous daily backups and click the Restore To button to reveal a dropdown menu.

Identify whether you want to restore this backup to a Staging or Live site environment.

Restore backups in MyKinsta.
Restore backups in MyKinsta.

Type in the text requested by MyKinsta. After that, click the Restore Backup button to complete the process.

Confirm backup restoration in MyKinsta.
Confirm backup restoration in MyKinsta.

How to Organize Media Files in WordPress

Uploaded videos and documents and photos take up much of your site storage as time passes. The Media Library provides a continuous flow of new content, potentially more than any other part of a WordPress site. Because of this, the Media Library gets cluttered, disorganized, and potentially restricting to the site’s content creators, especially if there are many authors on one site.

WordPress offers search and filter tools in the Media Library, but these aren’t ideal solutions for a constantly growing file system.

Therefore, we suggest long-term media library management tools, many of which are outlined in that linked article.

Here’s a quick look into the top plugins for organizing your Media Library:

  • Media Library Plus – This plugin is great for creating actual folders in your library; you receive features for moving, renaming, and regenerating thumbnails as well.
  • MaxGalleria – Includes features like a responsive lightbox, an improved gallery for frontend use, and some excellent extensions for file management.
  • Enable Media Replace – This is an option for easily replacing a file in your Media Library instead of the usual process of having to delete a file and reupload another one in its place.
  • WordPress Real Media Library – Here’s a plugin with a myriad of tools for managing media folders and files. It offers options for custom image ordering, advanced uploads, and gallery creation.

How to Protect Your WordPress Directories

WordPress file permissions present one line of defense for keeping intruders away from your core files. Moving those files to alternative directories also solves problems that may arise as well.

Having said that, you also have the opportunity to password protect a directory to ensure that only users with that password are able to tap into the most important WordPress files.

The detailed process for password protection is outlined here, but we’ll cover the basic steps below as well.

  1. Make a .htpasswd file with the help of this generator.
  2. Upload the new file to the WordPress directory you’d like to protect with a password.
  3. Make an .htaccess file with the following code included in that file.
AuthType Basic
AuthName "restricted area"
AuthUserFile /www/user/public/protecteddirectory.htpasswd
require valid-user

Update that bit of code with the directory path you’d like to protect. You also want to change the path and directory names.

This is the ideal way to password protect a site using a host with Apache. Kinsta users can contact the technical support team to password-protect their files.

How to Replace WordPress Core Files

You may wonder why you would ever want to replace WordPress core files. If you’ve read any part of this article you’ve already heard a few times that touching core files is usually a frowned-upon idea.

However, replacing a core file, if not all of the core files, provides a solution for a website that’s either inaccessible or compromised. This way, you’re replacing the compromised files to ensure that none of them are carried over to the reboot of your site.

However, it’s important to already have a website backup stored elsewhere to ensure that the new core file installation can get back to what your site was before.

The good news is that many core files go untouched through the lifespan of a WordPress site. Therefore, you may have the opportunity to simply swap out the old core files for new ones (while leaving primary content and asset files) in an attempt to restore your website and turn it into what it was prior to the attack or error that caused the problem in the first place.

What’s interesting is that your WordPress core files are already being replaced in the background if you have automated WordPress updates activated. However, we want to understand how to swap out these files manually as well.

To begin, open up your FTP client and locate the public folder under your core directory. Your website files are still available even if your website is inaccessible.

Replace WordPress Core files via FTP.
Replace WordPress Core files via FTP.

Go to the WordPress.org Download page and download the most recent WordPress core files. This is a zip file, so save it to a place you’ll remember on your computer.

Download the latest version of WordPress.
Download the latest version of WordPress.

On your computer, unzip the new core files so that a regular folder sits next to it, named the same thing. Open that folder and click into the WordPress folder to reveal the new core files.

Unzip the WordPress Core package.
Unzip the WordPress Core package.

Delete the wp-content folder and the wp-config-sample.php file.

The reason for this is because we don’t want to replace the wp-content or wp-config.php files on your current website. Otherwise, you’ll end up with a completely blank reinstallation, eliminating all of the design work you’ve done before.

It’s only acceptable to replace these files if you have a full backup from the recent past.

Don't overwrite the wp-content folder and wp-config.php file.
Don’t overwrite the wp-content folder and wp-config.php file.

Without the wp-content and wp-config-sample.php files your new core files should look like this:

WordPress file structure after reinstalling WordPress.
WordPress file structure after reinstalling WordPress.

Open your FTP client and get logged into your website using the SFTP credentials found in your hosting account. More information on that can be found here.

Once connected, you can see your site files. Go to the public folder to open your current WordPress files.

On the other side of your FTP client, locate the new collection of core WordPress files. If you’re in a side-by-side view in the FTP client, both sides should appear almost identical – except for the wp-content and wp-config.php files; we removed them earlier from the local environment.

View site files in the public folder.
View site files in the public folder.

Find the wp-content and wp-config.php files in your public WordPress directory.

In this step, you want to keep those files and remove the rest. You can delete the rest of the files, but it’s usually prudent to move them to another temporary folder in case something goes wrong.

Keep the wp-content folder and wp-config.php file.
Keep the wp-content folder and wp-config.php file.

Prior to removing those files, your website may look fine on the frontend. It’s also possible you’re receiving an error and that’s why you’re completing this process in the first place.

For a demonstration, here’s what our test website looks like before removing any files:

Test WordPress site before removing files.
Test WordPress site before removing files.

Once everything is taken out, except for the wp-content and wp-config.php files, a blank page, error, or directory listing is the only thing users see on your frontend. To minimize the impact of your site being down for a moment, place a new index.php file in your site’s directory and type a maintenance message into the file.

Create an index.php file with a maintenance message.
Create an index.php file with a maintenance message.

Moving on, now it’s time to transfer all new core files into your website directory. Depending on your FTP client, this usually involves you dragging the new core files to replace the old ones or potentially uploading them from your computer.

Transfer the new WordPress Core files to your server.
Transfer the new WordPress Core files to your server.

Once that transfer is complete, everything in your public folder should look almost identical to what you had before. The only difference is that these are completely new (clean) core files, hopefully getting rid of whatever problem you had from before.

A successful transfer of WordPress core files.
A successful transfer of WordPress core files.

Be sure to check your site’s frontend after that transfer. In our test, it brought our site back to normal, keeping content and styling intact due to the fact that we didn’t replace files like wp-content and wp-config.php.

Check your site's frontend after reinstalling WordPress.
Check your site’s frontend after reinstalling WordPress.

Note: You will have to either update your database or import it from a backup. WordPress asks for you to update your database when logging back into your admin dashboard. A database backup import is also typically possible using your favorite WordPress backup plugin. Kinsta provides a backup of your database by default.

Cleaning Up Your WordPress Files

The WordPress directory and its files function like a car. Some files act as batteries, others as ignition switches, while others are more like the all-important engine. When maintained and finely-tuned, the vehicle that is WordPress runs efficiently and delivers what’s needed on a regular basis.

However, sometimes you get a faulty part, or something that simply doesn’t work the way it used to. That’s why WordPress and plugins and themes have updates. That’s why developers consistently maintain and backup sites to keep them performing well and to protect them in case something does go wrong.

As with a car, you need to keep everything from the oil to the carpets on the ground clean. Otherwise, you run the risk of creating further problems down the road.

Since the files are what usually require cleaning, we want to go over some steps you can take to ensure that your directories are limited to the essentials and that your files aren’t cluttered with junk.

Here’s a quick cleaning process to make your files shine:

  1. Delete unneeded posts and pages, along with poor-quality content that’s either a duplicate of something else on your site or something old that none of your users will find useful.
  2. Clear out spam comments to limit the load on your database and keep out intruders. The Akismet plugin is the top solution for automatically eliminating spam comments.
  3. Get rid of assets that load on every page or make your website run slowly. The WP Asset Clean Up plugin has the best features for this process, especially when it comes to decreasing the number of HTTP requests between files.
  4. Take an automated approach to clear out your database. The database is technically separate from your WordPress files, but they all work together. Consider a plugin like WP-Optimize, or one of the many Database Optimization plugins, to identify the unnecessary data entries and get rid of them for good.
  5. Optimize your media elements so they don’t make your wp-content folder the main culprit for slow load times. There are various image optimization plugins and methods to consider.
  6. Get rid of old themes and plugins. These are located in your wp-content folder, cluttering up the server and potentially slowing down the site.
  7. WordPress, theme, and plugin updates are essential for closing loopholes in your security infrastructure and to ensure your file directory works well. Make sure you’re running automated updates if possible.

Read our in-depth guide on complete WordPress site optimization to improve performance in every area of your site.


Exploring every aspect of the core WordPress files takes patience, but it’s a rewarding process that boosts your confidence while working with WordPress and allows you to make the right decisions and edits when needed. In addition, knowledge about WordPress files ensures you’re completing the necessary security and backup procedures just in case something happens with your website.

For a complete outline of the entire WordPress Root File structure, take a look at the official WordPress Files document. It explains each file in-depth and may clear up questions you have about files not covered in this article.

Let us know in the comments below if you have any questions or thoughts about WordPress files and directories!