Key Takeaways
- Importance of wp-content: The wp-content folder is a crucial component of a WordPress website. It houses all the website’s content, including themes, plugins, and media files. Any accidental deletion can crash the entire website.
- Security Concerns: Hackers often target the wp-content/uploads folder to exploit vulnerabilities. They insert backdoors, which can serve as entry points for malicious scripts, leading to malware injections and potential redirection to harmful sites.
- Protection Measures:
  - Backup: Regularly back up the wp-content repository to safeguard against accidental deletions or hacks.
  - Rename wp-content: Changing the default name of the wp-content folder can add an extra layer of security.
  - Hide wp-content: Prevent hackers from accessing the wp-content folder by hiding it or restricting unauthorized access.
- WP File Manager Vulnerability: A significant vulnerability in the WP File Manager plugin allows hackers to upload webshells hidden within images. This flaw affects versions ranging from 6.0 to 6.8, with about 52% of installations being vulnerable.
- Accessing wp-content: The wp-content folder can be accessed via cPanel’s file browser. The WordPress root folder (usually public_html) contains three main sub-folders: wp-admin, wp-includes, and wp-content. The latter is the primary focus of this article.
- Contents of wp-content: By default, the wp-content folder contains subfolders for plugins, themes, and uploads. As the site grows, more folders may be added.
- Protection Tips:
  - Use plugins like “WP Hide & Security Enhancer” to hide or rename the wp-content folder.
  - Manually rename the folder through cPanel, though this method is riskier.
  - Use .htaccess files to restrict access to sensitive folders and files.
- The WP File Manager vulnerability affects about 52% of its 700,000 installations.
Do you know where your website’s content is stored? Have you ever heard of something called wp-content on your WordPress site and want to explore it?
A WordPress website is built from many files and folders, and wp-content is the most important of them. It contains all your website’s content, themes and plugins. Accidentally deleting this folder can crash your whole website.
At WP Hacked Help, our WordPress security team often comes across WordPress sites where hackers have attacked the wp-content/uploads folder to compromise the site. Website owners rarely check the backend, so the wp-content folder becomes the most convenient location to exploit. Attackers also add hidden backdoors that serve as entry points for the malicious scripts used to inject malware into the site, which may lead to your hacked site’s URLs redirecting to malicious sites.
The harm hackers can do through wp-content is daunting. But don’t worry!
In this guide, you will learn everything about wp-content (including wp-content/uploads): what this folder does, how to protect it from unauthorized access, and how to prevent a wp-content/uploads hack in 2024.
⭐ What Is The WP-content Folder?
As mentioned earlier, when a WordPress website is created, many files and folders are created at the backend. Of these, the wp-content folder is one of the most crucial.
Every image added to the website and every theme and plugin installed resides inside this folder. In other words, files that cannot be stored in the database are stored here. If this folder is deleted, the complete website has to be recreated from scratch.
Website owners do not usually work in this folder directly, but it is accessed occasionally for specific tasks.
WordPress stores all your image and media uploads in the wp-content/uploads/ folder. By default, uploads are organized in /year/month/ folders. Whenever you create a WordPress backup, you should include the uploads folder.
For example, suppose we installed a plugin that is incompatible with our current WordPress version and it breaks the site. We can no longer disable it from the WordPress dashboard, but we can bring the website back to normal by deleting that plugin’s folder inside wp-content/plugins.
- Index of /wp-content/uploads – when directory listing is enabled on the server, browsing this path shows every uploaded file and subdirectory stored there.
Before we look further into wp-content, let us make you aware of some serious consequences that wp-content/uploads can have.
⭐ wp-content/uploads directory
Your wp-content/uploads directory should be considered a potential entry point and can be exploited for a number of WordPress hacks. The biggest potential threat is the upload of PHP files.
If /wp-content/plugins/ can be browsed (directory listing is enabled), enumerating the installed plugins and their versions becomes much easier. This gives an attacker sensitive information that can aid further attacks.
Exposing files to prying eyes can reveal sensitive information, as wp-content/uploads contains important files. Therefore it becomes necessary to hide these files on the server. The .htaccess file can help secure them. Read: Securing WordPress .htaccess file
To prevent anyone from accessing PHP files in the wp-content/uploads folder, create an .htaccess file in the wp-content/uploads folder and add the following code to it:

```apache
# Kill PHP execution: deny every request for a PHP-style file name in this folder
# (.php, .php3/4/5, .pht, .phtml)
<Files ~ "\.ph(?:p[345]?|t|tml)$">
    # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead
    deny from all
</Files>
```
To hide sensitive files in the wp-includes folder, add the following code to the .htaccess file in the root of your site:

```apache
# Block wp-includes folder and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# Requests that are not for wp-includes/ skip the next three rules
RewriteRule !^wp-includes/ - [S=3]
# Forbid direct requests for PHP files under wp-includes/
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
```
WP File Manager vulnerability
The WP File Manager vulnerability is SERIOUS. It’s spreading fast and I’m seeing hundreds of sites getting infected. Malware is being uploaded to /wp-content/plugins/wp-file-manager/lib/files.
Attackers are using the exploit to upload files that contain webshells hidden inside an image. From there, they have a convenient interface that lets them run commands in plugins/wp-file-manager/lib/files/, a working directory inside the File Manager plugin.
The security flaw is in File Manager versions 6.0 to 6.8. Statistics from WordPress show that currently about 52 percent of installations are vulnerable, which means more than half of File Manager’s installed base of 700,000 sites. We will talk about this in our next post.
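A defensive audit for the two conditions described above, added here as an example (not the article’s or the plugin’s code): it lists PHP-named files under uploads/ and under the File Manager working directory, lists image-named files that actually contain a PHP open tag, and checks that uploads/.htaccess carries the PHP-blocking rule. The only assumption is that the path to the wp-content folder is passed as the first argument.

```shell
#!/bin/sh
# Defensive audit of a wp-content tree. Added example, not the article's code.
# Assumption: $1 is the path to the wp-content folder.

# Files whose extension a typical PHP handler would execute; none belong under uploads/.
php_named_files() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[345]' \
        -o -iname '*.phtml' -o -iname '*.pht' \)
}

# Image-named files that nevertheless contain a PHP open tag anywhere in the body.
# grep -a forces text mode so binary image data does not suppress the match.
php_in_images() {
    find "$1" -type f \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' \
        -o -iname '*.gif' -o -iname '*.ico' -o -iname '*.svg' \) \
        -exec grep -la '<?php' {} +
}

# Prints one finding per line, prefixed with its category.
audit_wp_content() {
    wp_content="$1"
    # Both the uploads tree and the File Manager working directory named in the article.
    for dir in "$wp_content/uploads" "$wp_content/plugins/wp-file-manager/lib/files"; do
        [ -d "$dir" ] || continue
        php_named_files "$dir" | sed 's/^/PHP-EXT: /'
        php_in_images "$dir"   | sed 's/^/PHP-IN-IMAGE: /'
    done
    # The uploads/.htaccess hardening from the article (2.2 "deny" or 2.4 "Require" form).
    ht="$wp_content/uploads/.htaccess"
    if [ ! -f "$ht" ] || ! grep -Eqi 'deny from all|Require all denied' "$ht"; then
        echo "MISSING-HTACCESS: $ht"
    fi
}
```

Run it as `audit_wp_content /path/to/wp-content`; an empty output means none of the three conditions was found.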
Hackers can exploit the wp-content folder for all kinds of malicious activities: stealing customer data, selling illegal products, sending spam emails (read – WordPress phishing hack), duping customers into downloading malware, using black hat SEO link injection and SEO spam techniques to rank their own products (also read – WordPress pharma hack), inserting backdoors into the WordPress site, and the list goes on. Other common hacks include:
If your site gets hacked, your customers won’t trust it anymore, your site could even be blacklisted by Google, and your WordPress web host could suspend it.
⭐ How To Access WP-Content Folder
The first step to dealing with the wp-content folder in your WordPress installation is knowing how to access it, since this is not possible from “your website” itself.
There are two easy ways to do it, and everyone chooses the one they like best:
Use cPanel’s file browser
A very good option, and a much faster one when it comes to managing files, is the file explorer (File Manager) that you find in your cPanel.
Once inside, your WordPress installation is normally in the root of the folder called public_html:
For your WordPress website to be visible, two elements make it possible (for your website and for any WordPress website):
The MySQL database (where the configuration and the text content of your website are stored), managed through phpMyAdmin.
The files downloaded from WordPress.org (either manually or automatically by a WordPress installer in cPanel).
Inside the public_html folder, you will find three main sub-folders:
- Wp-admin folder –
The wp-admin folder is directly related (obviously) to what you see on the WordPress dashboard.
Hence, to access this dashboard you enter the address www.yourdomain.com/wp-admin.
With this you are telling the browser to look at the root of that domain, and more specifically inside the folder called wp-admin.
Obviously, WordPress already adds a security layer to access this folder (hence it asks you for a username and password).
The files in this folder are not modified by normal use. All the options you change in any plugin, in WordPress preferences, or similar, are recorded in the corresponding table in the database (never in the files in this folder).
- Wp-includes folder –
The wp-includes folder is less known to most people but just as important.
We could say that this folder is “the nervous system” of WordPress: thanks to it, everything you see on your website works as it should.
That is, it holds the layer of code you do not see that makes what you do see work well.
- Wp-content folder –
It is the central folder of this article and the central folder of your website, since it is where all files other than the text itself are stored (the text is stored in the database).
Examples of these files are, for the most part, photos or images, but also PDFs, audio, videos, GIFs, compressed files, and any other type of file you decide to use in the content of your website (in an article, on a page, or in any other custom post type).
Why is it important for you to know wp-content in-depth?
The wp-content folder is the only folder that grows as you add content to your website, in the form of files, plugins, themes, etc.
From the beginning, wp-content represents at least 50% of your entire WordPress installation (the more content you add, the higher that percentage becomes).
As it is the only folder that keeps changing due to user actions or the plugins and themes you use, it is the only folder you need to safeguard (back up) in order to clone your site on another server or in another folder on the same server.
Knowing this folder will also let you solve many of the typical WordPress problems that usually occur (blank screen, plugin errors, incompatibilities, etc.).
⭐ What Does The Wp-content Contain?
The wp-content folder by default has three more subfolders – plugins, themes, and uploads.
However, as the WordPress site grows, more plugins and themes are added, leading to the creation of more folders. To understand each, we’ve broken the directory down into a few sections:
- Plugins Folder
- Themes Folder
- Uploads Folder
Other Common Folders In Wp-content:
- mu-plugins
- Languages
- Upgrade
- Specific Plugins
Themes folder
All the templates (themes) that you install on your website, as well as their child themes, go into this folder.
This folder is important because, if you want to make good use of it, you have to keep in mind that:
A good WordPress template (theme) should come with a child template (child theme).
If a theme does not come with a child theme, create one.
Never touch or edit the “parent” theme, since its files are replaced with new ones each time you update that theme from the WordPress control panel.
In the child theme you will find a file called functions.php. It is the most important file for everything related to the appearance of your website, and it is where you add different functions when plugins, or tutorials you follow on your own, ask you to.
Further Reading:
- WordPress Theme Security – How to Ensure Safety Of Your Theme
- Scan Malware in WordPress Themes & Plugins
Plugins folder
It is one of the most loved and most hated folders at the same time.
In theory, a WordPress installation should have the minimum possible number of plugins, among other reasons to avoid incompatibilities between them.
What happens in “real life” is that, to build the website of our dreams, we often have to “pull in plugins” and install more than we would like.
As long as these plugins are of good quality, and everything is optimized and monitored, in theory everything will be fine.
It is true that, as soon as there is a problem on your website, almost 99% of the time it will be directly related to one of the plugins you have active.
That is why it is the first place to go to manually “deactivate” all the plugins on the site and then activate them one by one, to see which one caused the error.
Remember that by activating the debug mode, you will have much more information about any error that occurs on your website.
Uploads folder
It is an important folder of the entire WordPress installation.
It is the one that “gets fatter” the most as your website grows in content, since, as its name says, it is where all the multimedia files you use in your posts, pages and other custom post types are uploaded.
By default, files are stored by “year and month” (year/month), but many users (including myself) prefer that this not be the case, so that they can find files more easily later.
Many people don’t know this, but it can be easily configured from the Media settings in the WordPress admin dashboard.
a) mu-plugins
mu-plugins are “must-use” plugins. They are called so because they are crucial for the proper operation of the WordPress site. For instance, some themes come with required mu-plugins; if these plugins are disabled, the theme will not work properly, which can lead to a complete breakdown of the website. Developers label such plugins as mu-plugins so that nobody disables them unknowingly.
b) Languages
WordPress can be set up in different languages. If a language other than English is chosen, WordPress stores the necessary files in this folder.
c) Upgrade
When we update the site to a newer version, a temporary folder named upgrade is created.
d) Specific Plugins
In some cases, plugins create their own directories on your website, usually inside the wp-content folder. For instance, when we installed the WP Super Cache plugin it created its own folder named ‘cache’.
Depending on the hosting on which you install WordPress or the language in which you do it, you may find other default folders in your installation:
Languages (if the site is not installed in English by default).
Upgrade (the folder that WordPress itself uses each time it is updated to a newer version).
Some plugins have their own folders, which they create at this level. These folders are usually worth including when creating a backup of your website, since they often contain important information.
If you use a cache plugin, you may also find folders with “cache” files stored at this level.
⭐ How do I protect wp content uploads folder?
The following three measures need to be taken to protect the wp-content and uploads folders:
- Backup Your WP-Content Repository
- Change the name of your wp-content folder
- Hide The WP-Content Folder
Backup Your WP-Content Repository
Replicating the whole website’s data is called a backup. Backing up can protect us if anything goes wrong with the website, from accidental deletion to damage caused by a hacker.
Backup plugins can be used to take a website backup. We highly recommend using a plugin that restores backups reliably; a good one is easy to install and backs up the WordPress site automatically within a few minutes.
You can also selectively restore wp-content using plugins. We would also recommend taking a WordPress backup manually.
Change The Name Of Your Wp-content
Renaming wp-content is one step towards a safer site. By default, on all WordPress sites, the folder containing your content, themes and plugins is called wp-content, so it is easy for anyone to identify and locate. That means a hacker can also meddle with this folder and look for a way to break into the website. So it becomes important to protect this folder by changing its name.
This can be done in two ways: using a plugin or manually.
Recommended checklists:
- WordPress Maintenance Checklist
- WordPress Security Checklist 2020
- HIPAA Compliance Security Checklist
- WordPress Hacked Checklist
Using a Plugin (Safe)
WP Hide & Security Enhancer is a plugin that can serve this purpose. We recommend it because of its additional features: it can hide not only wp-content but other WordPress files too.
Manually (Not Recommended)
Renaming the wp-content folder manually requires access to your web server. We do not recommend this method because the slightest mistake can crash the website.
- Step 1: Log in to your web hosting account and go to cPanel to open the website’s File Manager.
- Step 2: Locate the wp-content folder and right-click on it. Select the ‘Rename’ option and change the name.
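Why the manual rename is risky, shown as an added example (not from the article or any plugin): WordPress only looks for a renamed folder when the documented WP_CONTENT_DIR and WP_CONTENT_URL constants are set in wp-config.php, so renaming the folder in cPanel alone breaks the site. The script below renames the folder and inserts those two defines; it assumes the WordPress root, the new folder name and the public site URL are passed as arguments, and that wp-config.php starts with a `<?php` line.

```shell
#!/bin/sh
# Manual wp-content rename with the wp-config.php changes WordPress needs.
# Added example, not the article's or any plugin's code. Assumptions: $1 is the
# WordPress root holding wp-config.php, $2 is the new folder name, $3 is the public
# site URL without a trailing slash, and wp-config.php begins with a "<?php" line.
rename_wp_content() {
    wp_root="$1"; new_name="$2"; site_url="$3"
    cfg="$wp_root/wp-config.php"
    # Refuse to run in any state where the rename would leave the site broken
    if [ ! -f "$cfg" ]; then echo "no wp-config.php in $wp_root" >&2; return 1; fi
    if [ ! -d "$wp_root/wp-content" ]; then echo "wp-content not found" >&2; return 1; fi
    if [ -e "$wp_root/$new_name" ]; then echo "$new_name already exists" >&2; return 1; fi
    if grep -q 'WP_CONTENT_DIR' "$cfg"; then echo "WP_CONTENT_DIR already defined" >&2; return 1; fi
    if [ "$(head -n 1 "$cfg")" != "<?php" ]; then echo "unexpected wp-config.php layout" >&2; return 1; fi
    cp "$cfg" "$cfg.bak"                      # keep a copy for rollback
    mv "$wp_root/wp-content" "$wp_root/$new_name"
    # Insert the two defines right after the opening tag, so they are set before
    # wp-config.php loads wp-settings.php, which is where WordPress reads them.
    {
        head -n 1 "$cfg"
        printf "define( 'WP_CONTENT_DIR', __DIR__ . '/%s' );\n" "$new_name"
        printf "define( 'WP_CONTENT_URL', '%s/%s' );\n" "$site_url" "$new_name"
        tail -n +2 "$cfg"
    } > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}
```

Plugins that hard-code the wp-content path will still break after the rename, so try this on a staging copy before touching a live site.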
Hide The WP-Contents Folder
In some cases, hackers can request the wp-content folder using malicious code that contains its URL. The URL path of this folder is generally yourdomain.com/wp-content (on the server it lives at public_html/wp-content).
This URL path is not typed into the browser by visitors but is used inside the website’s code. Hackers craft their malicious code to extract this kind of information so that they can inject their own code for their benefit.
Fix Important Errors
The contents of wp-content can sometimes be the cause of common WordPress errors, specifically those caused by plugins and themes.
When that happens and your site becomes inaccessible, you may have to go into the plugins folder to deactivate some of them manually and get back into the WordPress backend.
For those cases we have many detailed articles on some of the most common WordPress errors, namely:
- Getting the 503 Error in WordPress?
- How to Fix the 500 Internal Server Error on Your WordPress Website
- Getting error 504 Gateway Timeout in WordPress
- Getting 405 Method Not Allowed Error in WordPress
- Getting 404 Page Not Found error In WordPress
- Getting White Screen of Death in WordPress
Final Thoughts
It is good that you have spent a few minutes reading about the wp-content folder, because we know this type of information is hard to absorb.
But consider that the time you have invested today in reading this article will save you hours whenever you have a problem or doubt related to these files, because you will know exactly where to look, how to look, and what to do.
The wp-content folder is an essential part of a WordPress website, so it needs to be taken care of properly in terms of security and backups.
There are other important files and folders that also need to be protected. We recommend protecting not just a few elements but the entire website.
Starting today, make the wp-content folder your best ally for the future of your web project, and consider yourself, from now on, a WordPress user well above the average.