The Anatomy of a WordPress Install

Through my work with Tidy Repo, I often get bogged down with the micro-details of WordPress development. Every once in a while, however, I like to take a step back and think about WordPress more fundamentally. Sometimes we jump into the abyss and skip an obvious, essential and fundamental question. What is a WordPress install?

For those new to WordPress, and even those that may not be, this can be a difficult question to answer. For me, this breaks down into three parts.

The Core of WordPress
The first is WordPress core. These are the immutable files that make WordPress tick. They set up the functionality, database schemas, initial configuration and everything you see and interact with in the admin panel. What are they actually? Just a collection of PHP, JS and CSS files. They are worked on by the WordPress core team, and new functionality is introduced through these files. When you open that downloaded ZIP file, any file not in the “wp-content” folder (with a couple of exceptions) belongs to this category. When you update WordPress, these are the files that are changed. Under no circumstances should you edit, change, delete or move these files. They are built specifically to be extended from, not tampered with.

Where the Data Goes
Scaling up from there, the next point is the WordPress database. This is where everything is stored. Some time ago, the creators of the web figured out that content, things like the content of posts, usernames, passwords, general site configuration options, and many other pieces of data shouldn’t be hardcoded into the code of web pages themselves. Instead, they should be placed into a giant database, which you can think of as an incredibly powerful spreadsheet. WordPress’ database of choice is MySQL, one of the most robust and reliable relational databases out there.

wpinstall-database 2

Don’t worry too much about what that means. All you really need to know is that the content and data from your site is all placed in there. When you first set up your WordPress site, you’ll be asked to insert your MySQL credentials (host server, username and password) which will be given to you by your web host. This allows WordPress to connect with the database and insert the right tables. And there are lots of tables. There is a table for storing all of the content of your actual posts, references to image files, custom field data, etc. There is a table for storing usernames, passwords, and custom options. There is a table for storing plugin configuration options, comments, everything. When you hear of a WordPress site being attacked, it is often the database which is the target. This is because that is where all of the sensitive bits of your site are kept, like your admin password.

If there is a text field, radio button, checkbox, or any other form element anywhere on your site, it’s value is stored in the database. Then, when that data needs to be used, it is pulled back into the site. When a user visits the site, the WordPress core files look through the database, find the right post’s content, then output it on the page. Some call this a weakness. Since everything (and I mean everything) for the site is stored in one place, the database is among the harder parts of your site to understand, and the hardest to work with. Migrating a site can be difficult because properties like site URL’s and global configuration options exist alongside post content. But that’s what we have.

WP-Content: The Personal Touch
When you open the zip file from, there is one folder that will be entirely yours to customize and change, “wp-content.” Wp-content is where your plugin files, theme files, and site uploads are stored. Basically, everything that makes your site yours. Like WordPress core files, these are actual PHP, HTML, CSS and JS files, but unlike the core, it is up to you to add and edit them.


For instance when you click “Add New” in the admin panel under themes or plugins, you are downloading a file to this directory. If a plugin needs to store files locally (like a cache plugin) this is the directory they will land in. And if you want to make changes to your theme, you will have to edit files in “wp-content/themes/”.

Why keep these files in the same place? By decoupling the customizable files from the immovable ones, WordPress can introduce a certain level of security, consistency and backwards compatibility. It also makes it easy for you, the WordPress user, to keep tabs on the changes made to your site. And when you need to make a backup of your site, all you really have to do is backup the “wp-content” directory and your database, and you’re all set.

WordPress: A Symphony of Parts
WordPress’ various moving parts are kept isolated from one another, but cannot operate without each other. When a user visits your site, they are seeing the look and functionality you built yourself using files in the wp-content directory, which is pulling data and content from the MySQL database and connecting it to the page using WordPress core files. As you move through your WordPress site, this kind of exchange will always be happening. It’s what makes WordPress so powerful, but also a little daunting at the beginning. Seeing how they link up will open new possibilities, and give you the comfort to move around your site and make changes without fearing the consequences. After all, the web, and by extension WordPress, is built by those that wish to pick it apart. Why not join us?

About the Author Jay Hoffmann is a front-end and WordPress developer based in NYC working on the strange and magical web. He works as a developer at Sesame Workshop, and is an open source and side project enthusiast working with WordPress since about 2006. In 2013, he launched Tidy Repo, a curated WordPress plugin review site, and writes a weekly column as Plugin Specialist at Torque Magazine. You can find him @jay_hoffmann More by this Author