WordPress is now powering nearly one-fourth of all websites in the world (23.2% in 2014, according to founding developer Matt Mullenweg’s recent State of the Word address, based on W3Tech’s annual survey). But just because it’s easy to use and has a famous 5-minute installation, that doesn’t mean that you as a site owner shouldn’t take some time to look behind the curtain to be sure you are aware of how your site works, where your files live, and how you should be protecting it.

It’s important you or your developer keep your site’s core files updated and secure, and it’s also important for you to be able to back up and recover or move your files, or your entire site, should the need arise. In learning your site’s anatomy, you will be able to count yourself among the more informed and responsible site owners in a world where neglected sites will eventually be hijacked, compromised or worse, enlisted as zombies that do harm.

Even if you have a developer taking care of your site maintenance for you — and I hope that you do if you are not routinely making time to do this yourself — it’s empowering to be able to claim your ownership and independence. I encourage you to step up and do so!

First, a couple of caveats. This post is designed to describe how a basic independent WordPress installation using software from wordpress.org is put together and does not apply to those hosting their site at wordpress.com, which is a service. It’s not meant to explain special or multisite installations. I would also add that this is not a lesson on how to create or fully manage or secure a WordPress site. We’re not doing surgery. We’re just learning the anatomy.

The Server

  • The first step is to become familiar with where your website is hosted. Some popular web hosts include GoDaddy, Siteground, Bluehost, Hostgator, Media Temple, Rackspace, and there are of course thousands more.  Many hosts provide very affordable shared hosting available at a discounted annual rate. It’s important to be able to upgrade your site with more power or bandwidth should you need it. You do not have to have WordPress-dedicated hosting, although there are providers who specialize in hosting WordPress sites optimized for speed and security.
  •  Generally when it comes to web hosting, you get what you pay for, but I have also found that for many small sites, shared affordable web hosting starting at around $150/year can be perfectly fine.
  • Most WordPress installations run best on a Linux-type server running php although Windows versions running php also work. I have had some permissions and redirect challenges with some of those, however, so if you have a choice, I recommend a standard Linux/php server.
  • I recommend getting at the very least a dedicated IP address and an SSL security certificate to protect/encrypt your logins.
  • Know what kind of hosting you have (shared, virtual, cloud, dedicated) and how to reach your server via FTP. If your developer is reselling you space, be sure you know how to FTP to your site as well as how to reach your WordPress Dashboard.
  • Know where on the server your website’s home directory is located and whether your WordPress installation is at your site’s web root (in most cases if it’s running your entire site) or in a special directory of its own (for instance, if you already have a site but added WordPress for a blog or other functions).
  • Know how to log in and reach your web hosting account’s control panel if it is available. This normally will provide you with access not only to your MySQL database but also to your email account settings, logs, domain settings and much more, including access to support from your web host.  Even if you do not normally use this, it’s important you have access information to it for your records. Again, you may have a developer who is reselling you space on his/her account so this kind of access might not be fully available to you but at the very least you should have FTP access to your home directory. Generally I recommend you get your own web hosting account and provide your developer with access as needed so that you always have full ownership.

The Database

  • All WordPress sites are driven by a MySQL database configured on your server at the time of installation. This may or may not be on the same server as your website. Your database has a specific name as well as a specific username and password defining who can read or write to it. Know what these are your for site.
  • These details are written during installation to a WordPress file called wp-config.php, which tells WordPress how to connect to its database and also can define some of your site settings such as how much memory it can use. (All php files can be viewed or edited in a plain text editor). The wp-config.php file exists at the root level of your WordPress installation or, for additional security, can usually be moved one level above that.
  • It’s important to keep a backup of wp-config.php as well as a regular backup of your database, which you can obtain via your web host’s control panel, via phpMyAdmin, remote software such as Navicat (great for power users), via a special plugin installed on your website (WordPress-DBManager is a favorite of mine) or via a monitoring service such as ManageWP or others. Your database and files should also be regularly backed up by your web host.

WordPress Files

  • WordPress installs a number of specific core files and folders it needs to function. Knowing what these are can also help you spot files that don’t belong or most especially should not exist on your website.
  • It’s important during your WordPress installation to select a unique administrative username (especially NOT “admin”) and a strong password. It’s also a good idea to define a unique prefix for your database tables. Be sure you keep a record of these when you install WordPress, or be sure your developer has confirmed this has been done for your installation.
  • Your website should always be running the most current version of WordPress, available at wordpress.org or as an update from the Dashboard of your website. You can and should configure your site so that it always automatically updates its WordPress core (plugin updates can be tricker and should be performed only after backups are made).  You can download a zip file of the latest WordPress installation and extract it on your hard drive so you can become familiar with the WordPress core files.
  •  The directory named wp-content holds your website’s unique files, including media you’ve uploaded, your theme files and the various plugins that extend WordPress to do the things your site specifically needs. I recommend you obtain a full backup of your wp-content directory, or at least the files in wp-content/uploads. (Your uploads directory might be located elsewhere. Ask your developer if this is the case.)
  • The core files, themes and plugin files all are designed so they can be regularly replaced or updated from the source if the need arises (to fix a vulnerability, for instance). Be sure any customization you or your developer does for your site exists outside these directories in a child theme directory or in a custom functions file or stylesheet, or you will lose all of your site settings when an update is needed. More specific information is beyond the scope of this post, but just be aware your customizations should exist outside the core. Also helpful if you use a lot of them is a backup of your site’s widgets (helpful plugin: Widget Importer & Exporter).

The WordPress Dashboard

  • The WordPress Dashboard is what you see as a user after logging in to your site, the “back end” that displays your site’s settings and editing functions. Depending on your user level and any customization done by your developer, you may or may not have full access to all of your website settings. While it may be easiest for you to log in as an editor to create and edit posts and pages without seeing or worrying about the numerous administrative settings available in WordPress, it’s important that you also have access to a full administrative user account that is separate from your developer’s login. Even if you do not use it, it’s good to have backup admin access as long as that account is secured with a very strong password linked to an email address you control.
  • You will need more than one email address if you have more than one WordPress user account since WordPress user accounts must have distinct email addresses, but that is easy to set up.
  • WordPress user account levels/roles in descending order of control include Super Admin (all network permissions, not always present in site installations), Admin (all site settings, permission to publish content and alter site settings), Editor (can publish and edit all content), Author (can publish and edit own content), Contributor (submit content but not publish) and Subscriber (read only and manage their own profile). More about WordPress user roles here
  • It’s a good idea to export from your Dashboard the xml file that contains a text-based record of all of your site’s posts, pages, authors, comments, media and more. It takes just seconds to download from the Dashboard under Tools… Export. Having this file can help you recreate your site in an instant or easily import your content to a new location.
  • Managing your site as a WordPress Admin is beyond the scope of this post, but it’s important your site has at least one security plugin installed and running and kept up to date. Many of these have free versions that work very well, can protect your logins, log and lock out suspicious activity and notify you by email or SMS if there is a problem. They include: Sucuri, WordFence, or iThemes Security. I also recommend Clef (log in with your phone), and BruteProtect (crowdsource against bot attacks).

So there you have it, the most important information non-developers, especially, should know about their WordPress website. If you don’t have this information, ask your developer for it so you can put it in a safe place in case you need it.

My WordPress Top 5

In summary, these are the 5 most important things WordPress website owners should know in addition to having Admin access to both your web hosting account and your WordPress installation:

  1. A backup of your site’s wp-config.php file (this typically rarely changes)
  2. A backup of your database (changes often, exports as a text file named like myfile.sql or compressed as myfile.s