🗃️ WordPress technical: Filesystem

Most WordPress files are static and content is changed only through the database, but some parts of the filesystem are dynamic.

This is the root folder of an empty server where only WordPress is installed:

1. Folder /wp-admin

Static folder that should not be changed. This folder has all the files needed for running your WordPress administration area.

2. Folder /wp-includes

Static folder that should not be changed. This folder has all the files needed to run the core functionalities.

3. Folder /wp-content

Dynamic folder where all uploaded files are stored.
This is the only folder that remains untouched when the WordPress core files are updated, so none of the content (subfolders or files) inside this folder ever gets overwritten.

  • /wp-content/themes
    All the installed themes are found in this folder
  • /wp-content/plugins
    All the installed plugins are found in this folder
  • /wp-content/uploads/2024/12
    When media (such as images, videos, or the site logo) is uploaded to the WordPress site, WordPress automatically creates subfolders by the year and month of the upload. The /uploads folder is mostly for media content. Some backup plugins also upload the site backups to this folder.

When creating WordPress backups, the most important folder to back up is /wp-content, because the other folders and files stay pretty much untouched the entire time and can be redownloaded from the repository.

4. File .htaccess

.htaccess is a file for Apache server configuration rules. For example, this file can be used for IP banning or writing server redirection rules. This file does not have a name; it only has the extension.

Below you can see the .htaccess rules for the security headers that are written into that file when the “Add security headers” toggle is enabled in the Patchstack App.


.htaccess rules can be written manually through Patchstack too: in Patchstack App > yoursite.com > Hardening > .htaccess, there is a field where those rules can be entered.
See documentation here

Rules written remotely via the Patchstack App are written straight to this .htaccess file on the server.

5. File index.php

The index file is always the first file that is loaded on any server. This file starts the WordPress engine and includes all the necessary files in a given order.

It defines a constant WP_USE_THEMES = true, and then includes a new file called wp-blog-header.php.

6. File wp-config.php

DATABASE CONNECTION
This file contains the database user credentials that WordPress uses to connect to your database.

WP SALTS
WordPress salts are also defined in the same file. Salts are unique secret keys used to encrypt and decrypt sensitive information, like API keys. Patchstack uses the salts for the same purpose.

Part of wp-config.php file – salts are defined like this:

Some security solutions rotate the salts periodically, meaning the encryption keys get changed.
This practice will break all the functions that rely on salts.

For example, the Patchstack plugin API key is stored in your own WordPress database. It is not saved in plain-text format for security reasons, and salts are used to encrypt it.

So the stored API key could look something like this: 89Usd97dsau89ffesh7e83hfhdjas89. It can be decrypted only by using the salts that it was initially created with.
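The effect of salt rotation on a stored secret, as an added example that is not Patchstack's or WordPress's own code. It assumes the encryption key is derived from the AUTH_KEY and SECURE_AUTH_SALT values with HMAC-SHA256 and that AES-256-GCM is the cipher; the helper names and all salt and key strings are constructed for illustration.

```php
<?php
// Added illustration, not Patchstack's implementation. The salt strings
// below are constructed sample values, not real keys.

// Hypothetical helper: derive a 32-byte AES key from two wp-config.php salts.
function derive_key(string $authKey, string $secureAuthSalt): string {
    return hash_hmac('sha256', $authKey, $secureAuthSalt, true);
}

// Hypothetical helper: encrypt a secret for storage in the database.
function seal(string $plaintext, string $key): string {
    $iv = random_bytes(12);                        // 96-bit nonce for GCM
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key,
                          OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);        // nonce | tag | ciphertext
}

// Hypothetical helper: returns the plaintext, or null when the key is wrong
// or the stored value was modified (the GCM tag check fails in both cases).
function unseal(string $stored, string $key): ?string {
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) {
        return null;
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

// Salts as they were when the API key was stored.
$oldKey = derive_key('constructed-AUTH_KEY-v1', 'constructed-SECURE_AUTH_SALT-v1');
$stored = seal('example-api-key-0000', $oldKey);

// Same salts: the stored value decrypts to the original API key.
var_dump(unseal($stored, $oldKey));

// Rotated salts: the derived key differs, so the stored value is unreadable.
$newKey = derive_key('constructed-AUTH_KEY-v2', 'constructed-SECURE_AUTH_SALT-v2');
var_dump(unseal($stored, $newKey));
```

A rotation that has to preserve stored secrets must decrypt them with the old salts and re-encrypt them with the new ones before the old values are discarded; otherwise the secret has to be entered again.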

OTHER wp-config.php features

The wp-config.php file can also be used to tweak your WordPress in some ways. For example, you can turn WordPress debugging mode on or off, or turn your site into a multisite in a few lines of code.

If you add a piece of PHP code or a function to your wp-config.php file, you can see whether WordPress is giving any errors.

define('WP_DEBUG', true);
