WordPress folder structure

WordPress is the most popular blog engine. It is very easy to install and require almost no configuration changes to work on most servers. Shared hosting providers like GoDaddy even provide a One-click install to get it up and running. However unlike other frameworks, all of WordPress internal files are exposed. They are .php files so you can't see the content by accessing the URL path but there are situations where the file content can be exposed. Moving these files out of the root folder would be a good idea.

Exposing the files

For WordPress to work, you copy the code base to a folder accessible through the web root. It may be the root folder itself. So your blog may be accessible through the URL like this:


This on its own is not a problem. When you access these URLs you are going through the index.php file which will load the correct modules to display the blog. However there are other files you don't want users to access. The wp-config.php file holds some very important information. Like the database username and password.


With the URL above you can access the file directly. Luckily it is a PHP file so the server interprets it and prints no content on the page. BUT! In some scenarios, the content of the file is made available to the public. A lot of text editors create temporary copies of a file when it is edited. For example, I use gedit to modify some files sometimes. When I edit wp-config.php a temporary file called wp-config.php~ is created. When the program is closed the temp file is supposed to be automatically deleted, but on some rare cases like application crashing it doesn't delete it. Now when you copy the folders to your server you end up copying these temp files too.


This file Will not be interpreted as a PHP but as a text file instead and the content will be printed on the page and all your credentials will be revealed. If you use the vim text editor the temp file will have a .swp extension, also accessible as a text file.

These cases are not as rare as you might think. Any vulnerability is a vulnerability and if it can be avoided then might as well.

Moving WordPress core code to a non web accessible folder

WordPress makes everything accessible to facilitate installation. This is a good thing, but it is much more secure to make core files not available to malicious users. Here is a structure that could be more secure:

WordPress with different folder structure

With this structure, only the http folder is accessible through the URL. Files that needs to be accessed directly from the URL can be moved to the http folder. Example: wp-trackback.php and xmlrpc.php. The core files will be tucked away in a safe place where only you have access.

This is just one thing that can be improve WordPress. From the user perspective nothing needs to change.

Maybe in WordPress 4.0

It would be great if WordPress 4.0 developers can take a look at the structure of frameworks like Symfony or Zend (only the structure. I repeat, only the structure).

WordPress with MVC structure

I hope WordPress developers consider taking this approach. But then again it is an open source project I can simply fork it and start working on it... maybe.


marco :

The reason the wordpress has it's current structure is because it is much easier to support on shared hosting machines. Adding symlinks like the example you provided may be much harder to change themes.

Think of the user that has no experience as a developer and don't intend to be one. He just want to get a blog and start writing.

Let's hear your thoughts

For my eyes only