WP-Content: A Beginner’s Guide To WordPress’ Most Important Directory


Do you want to know where your website’s content is stored? Or have you heard about wp-content and want to learn more about it for your WordPress site?

Many files and folders make up a WordPress website. One of the most important files is wp-content, which holds your website’s content as well as the themes and plugins you’ve installed. Your website will break if this folder is unintentionally deleted.

Many WordPress websites have crashed as a result of a hacker tampering with the wp-content directory, according to MalCare. Because many website owners never check the wp-content folder in the backend of WordPress, it’s an excellent place for hackers to inject malware. They also conceal backdoors that allow them to gain access to your site invisibly.

It’s scary to learn what hackers can do with the wp-content repository. But don’t be concerned!

We’ve condensed all you need to know about wp-content in this guide. You’ll learn how to use the folder and what it does. After that, you’ll discover how to hide it or prevent unauthorised users from accessing it.

TL;DR version

The wp-content directory is an essential component of your WordPress website. We recommend using a WordPress Security Plugin to keep it safe (MalCare). The plugin will search your WordPress files and folders for hackers and safeguard them. It will also take backups of your site on a regular basis and store them securely.

What Is The WP-content Folder?

A WordPress website is made up of several files and directories, as we said in the introduction. It is one of the most important folders on your website and is created by default when you develop it.

This folder contains every image you submit, as well as every theme and plugin you instal on your website (more details in the next section). In other words, any files that don’t make it into the database are kept here. Your website will break if the folder is destroyed, and you will have to recreate it from the ground up.

This folder is rarely used by website owners. However, there may be times when you need to use it.

For example, we have a plugin installed on our WordPress website. However, the plugin caused the site to malfunction because it was incompatible with the WordPress version we were using. On the WordPress dashboard, we were unable to disable it. In order to access our site, we had to delete the plugin from the wp-content folder.

Read this book if you haven’t already: Understanding WordPress File Structure and Database: A Beginner’s Guide

How To Access The WP-Content Folder

You’ll need to go to the WordPress root directory to get to the wp-content folder. Here’s what you should do:

1. Go to your site hosting account and log in (e.g. WP Engine).

2. Log in to cPanel and select File Manager.

3. Look for a folder called ‘public html’ in this location. This folder, which is located on your web server, contains WordPress files and sub-folders that collectively contribute to the functionality and appearance of your website.

4. There are three main sub-folders in the public html folder:

  • wp-admin — Contains files that control who has access to your WordPress panel and what rights they have.
  • wp-includes — Contains files relevant to your WordPress site’s rules, hierarchies, and settings.
  • wp-content – Contains your website’s themes and plugins files and media uploads (in wp content / uploads).

We’ll look at the wp-content folder today and see what it does for your website. We’ll go over the subfolders and files in the wp-content folder in the next section.

What Does The Wp-content Contain?

A normal WordPress site’s wp-content folder has three further subfolders: plugins, themes, and uploads.

More folders may be created as WordPress sites grow and include more plugins and themes. To make things easier, we’ve divided this section’s directory structure into four parts:

    1. Plugins Folder
    2. Themes Folder
    3. Uploads Folder
    4. Other Common Folders In Wp-content
        • mu-plugins
        • Languages
        • Upgrade
        • Specific Plugins

Plugins Folder

Plugins are available for installation on your WordPress website. This folder contains all of the active and inactive plugins that you have installed on your WordPress site. You’ll see rules and configuration files for the plugins installed if you open any of the directories. It’s possible that tampering with this folder will cause the plugins to perform incorrectly.

If you are unable to instal a plugin on your dashboard, knowing how to access this folder will come in handy (admin panel). You can copy and paste the plugin’s zip file into this folder. To activate the plugin on your site, you must first extract the zip file.

Similarly, you can delete or disable a plugin using the folder. A plugin may occasionally produce a compatibility issue, leading the website to malfunction. If you can’t turn off the plugin from the dashboard, go to this folder and turn it off manually.

Making modifications directly to this WordPress folder is extremely hazardous, so we do not encourage utilising this manual way. A minor blunder can cause your site to go down. Only use this strategy if you have no other options.

Themes Folder

This folder, like the plugins folder, contains all of your site’s themes. It can be used in the same way as the plugins folder.

This folder appears when you instal a theme in your WordPress dashboard.
After that, we examined the themes folder, and an automatic sub-folder titled ‘astra’ was created:

Themes can also be copied into this folder and made available on your dashboard. You may also delete themes from this page.

Uploads Folder

Everything that is uploaded to your site is saved in this folder, as the name implies. Images, videos, and other items such as PDF documents, MS Word documents, and GIFs are all included.

These media files are automatically organised into subfolders based on the year and month they were added to the site. It can be compared to a media library.

This is how a WordPress site’s wp-content folder is set up by default. Additional folders are frequently added to WordPress blogs as they grow and evolve. We’ve enumerated them briefly below:

Other Common Folders Inside Wp-content

In the wp-content folder, four more folders are frequently created.

a) mu-plugins

Must-have plugins are mu-plugins. These plugins are essential for the proper operation of your WordPress site and are considered must-haves. A plugin, for example, may be included with a theme. It’s possible that disabling the plugin will ruin the theme and, as a result, your website. As a result, developers label them as mu-plugins so that you don’t accidentally disable them. If you have any such plugins on your site, they will be kept in this folder.

b) Languages

WordPress allows you to construct websites in a variety of languages. WordPress will save the language files in this folder if you want to use a language other than English or several languages.

c) Upgrade

When you upgrade your site to a new version, WordPress creates a temporary folder.

d) Specific Plugins

Plugins might sometimes generate their own directories on your site. They do this by making their own folders within the wp-content folder. The WP Super Cache plugin, for example, adds its own cache folder.

You can see that the wp-content repository on your website contains important information. As a result, it should be safeguarded at all times.

We’ll go over the steps you may take to protect this folder from being tampered with or destroyed in the next section.

How To Protect WP-content Or The Uploads Folder?

To safeguard your wp-content and uploads folder, you must take three steps:

  • Make a copy of these folders for safekeeping.
  • The name of your wp-content folder should be changed.
  • Block the folder from appearing in the index of your website.

Backup Your WP-Content Repository

A backup is a duplicate of your website that may be used to restore it to its original state if something goes wrong, such as if you remove a file by accident or if hackers tamper with the folder.

The BlogVault backup plugin can be used to create a backup. It’s simple to set up and will take a comprehensive backup of your WordPress site in just a few minutes. We recommend BlogVault because when you restore it, it will always work.

You may also use the plugin to restore your wp-content selectively.

Change The Name Of Your Wp-content

As we all know, the folder where your content, themes, and plugins are stored by default is called wp-content. This name is used on all WordPress sites, making it simple for anyone to recognise and locate the folder. This means that if hackers manage to gain access to your site, they will be able to quickly locate this folder because it is entitled ‘wp-content.’ You can secure this folder by renaming it.

There are two methods for accomplishing this: through a plugin or manually.

A. Using a Plugin (Safe)

WP Hide & Security Enhancer is a plugin that we recommend for this. It gives you a simple way to hide not only your wp-content, but also other crucial WordPress files.

This plugin is fantastic because it walks you through the procedure step by step. It’s simple to use for both beginners and experts. In addition to wp-content, you can use various security features on your site to safeguard your comments, authors, uploads, and more.

B. Manually (Not Recommended)

To manually rename your wp-content file, go to your web server’s folder and make the necessary modifications. We strongly advise against utilising this strategy because even the tiniest error could cause your site to crash.

Step 1: Log in to your hosting account. Go to cPanel and open the File Manager for your website.

Step 2: Select ‘Rename’ from the right-click menu of the wp-content folder.

Step 3: Change the name of the folder. Make sure it’s unique and not already in use on your website.

3. Hide The WP-Contents Folder

Hackers may request your wp-content repository using malicious malware that includes a URL. Yourdomain.com/wp-content or yourdomain.com/public html/wp-content is the most common URL route for this folder.

In your browser’s address bar, this URL route isn’t used. Rather, it’s employed in your website’s coding. Hackers write harmful code to access this folder’s data or inject their own harmful code.

Outsiders will be unable to access this URL path. It will only be accessible to people who are signed onto your main WordPress dashboard. You can use the same plugin we discussed earlier or do it manually to accomplish this.

A. Using a Plugin (Safe)

Using two clicks, you may restrict the wp-content URL path with WP Hide & Security Enhancer.

Simply go to the ‘Block wp-content URL’ option and click yes. The plugin will block your wp-content URL path once you save your adjustments.

B. Manually (Not Recommended)

This solution necessitates the addition of code to the.htaccess file. Manually editing your WordPress files is quite dangerous. A one minor mistake can cause your website to misbehave or even crash. That being said, if you still want to give it a shot, here are the steps:

Step 1: Log in to your hosting account. Go to cPanel and open the File Manager for your website.

Step 2: Go to the wp-content folder and create a new file with the name.htacess.

Step 3: Select ‘Edit’ from the context menu when you right-click this file. Copy and paste the code below, then save your modifications.

Allow or deny the order

Deny it to everyone.

Allow from everyone.

If you can’t view your.htaccess file after it’s been created, go to Settings and select ‘Show Hidden Files.’

Step 4: The folder wp-contents will be hidden. If you go to https://www.yourdomain.com/wp-contents and try to access your file, you should get the following error:

  • With that, we’ve completed our discussion of your WordPress site’s wp-content and uploads folders. We’re confident you now understand what this folder performs, where it can be found, and how to safeguard it.
  • Your WordPress site’s wp-contents folder is more than just a storage location for your content. This tutorial will teach you everything you need to know about it.

Last Thoughts

Your WordPress site’s wp-content folder is an essential component. This emphasises the importance of implementing WordPress security measures to guarantee that it is safeguarded and backed up.

Aside from the wp-content folder, there are a number of other important files and folders that must be protected. We propose that you protect your complete website, not just one or two sections.

Installing the MalCare Security Plugin is recommended for this. It will check your site for malware on a regular basis and notify you if anything suspect is found. You may also take a full backup of your site on a regular basis and store it away in a secure location.