Hello friends. Very often, when answering readers' questions about the functionality of themes or plugins, I find that many of them have no idea of the basic structure of their site on the server. Surprising, but true. In this article we will look at the most important standard WordPress folders, paying special attention to the root files on which your site actually runs.

WordPress Directory Structure

The WordPress file structure is very simple. You have a public_html folder, which usually contains three key folders as well as many other important files, including wp-config.php and .htaccess.

To access files and folders, you can use the cPanel file manager from your hosting provider or any regular FTP client.

For this review we will use the most popular FTP client, FileZilla. This is what the public_html folder should look like inside:

Before we look at these three top-level folders, let's look at the files that sit directly inside public_html, just for fun. First of all there is .htaccess, with which you can control the structure of permalinks, files and folders, and manage access rights to them in your WordPress installation. This is what the standard .htaccess file looks like without any changes:

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

Then there is index.php, the file that by default serves as your home page unless, of course, it is overridden by template files such as front-page.php or home.php:

Another required file in this directory is wp-config.php. It lets you set the basic WordPress configuration, including the MySQL database settings, the secret keys and the database table prefix. This is what your database settings should look like:

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define("DB_NAME", "notarealname");

/** MySQL database username */
define("DB_USER", "notarealuser");

/** MySQL database password */
define("DB_PASSWORD", "notarealpassword");

/** MySQL hostname */
define("DB_HOST", "localhost");

Other notable files in this directory are wp-activate.php and wp-signup.php, which together handle user registration, login and confirmation of registration. The file wp-comments-post.php handles posting comments and prevents duplicate submissions, while wp-settings.php sets up a number of WordPress variables.
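Because wp-config.php holds the database password, the same .htaccess that manages permalinks is also the place to make sure the file is never served to a browser. The snippet below is an added example and is not part of the original article or of WordPress itself; it uses Apache 2.4 syntax and assumes it is placed in the site root next to wp-config.php. PHP normally executes the file rather than displaying it, but the rule closes the gap for the raw file and for stray copies such as an assumed wp-config.php.bak left behind by an editor.

```apache
# Added example (not from the article): keep wp-config.php and .htaccess
# itself out of reach of HTTP clients. Apache 2.4 syntax (mod_authz_core).
# Assumes this .htaccess sits in the site root beside wp-config.php.

# No trailing "$": also matches backup copies such as wp-config.php.bak
# (an assumed file name used for illustration).
<FilesMatch "^wp-config\.php">
    Require all denied
</FilesMatch>

# Never serve .htaccess / .htpasswd files, whatever directory they are in.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
```

After uploading the file, a request for /wp-config.php should return 403 while the rest of the site keeps working; if it returns 500 instead, the host is running Apache 2.2, where the equivalent is "Order allow,deny" followed by "Deny from all".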

As the folder name suggests, wp-admin is where the admin tools live. For example, admin.php (the heart of this folder) connects the installation to the database, displays the WordPress dashboard and offers other key functions, such as checking whether the current user is an administrator. If the user is an administrator, the file wp-load.php is included, which in turn loads wp-config.php:

/**
 * In WordPress Administration Screens
 *
 * @since 2.3.2
 */
if (! defined("WP_ADMIN")) {
    define("WP_ADMIN", true);
}

if (! defined("WP_NETWORK_ADMIN"))
    define("WP_NETWORK_ADMIN", false);

if (! defined("WP_USER_ADMIN"))
    define("WP_USER_ADMIN", false);

if (! WP_NETWORK_ADMIN && ! WP_USER_ADMIN) {
    define("WP_BLOG_ADMIN", true);
}

if (isset($_GET["import"]) && ! defined("WP_LOAD_IMPORTERS"))
    define("WP_LOAD_IMPORTERS", true);

require_once(dirname(dirname(__FILE__)) . "/wp-load.php");

If you pay attention to the names of these files, you will notice that most of them describe the functions they perform, which you know from the WordPress admin. For example, profile.php displays the user profile screen, theme-install.php drives the theme installation panel, and plugin-install.php does the same for the plugin installation panel.

As for the other important folders inside wp-admin: images holds the pictures used in the WordPress admin panel, css and js are the "homes" of the CSS and JavaScript code, and network contains the PHP files required for WordPress multisite functionality.

wp-content is probably where you will spend most of your time working with WordPress, since this is where the most used files and features are collected, namely themes and plugins:

Each plugin you download gets its own folder inside this shared folder, as seen in the example above. The contents of each folder, of course, vary from plugin to plugin. Here, for example, is what the folder of the popular Akismet plugin looks like.

If you run into problems, you can use FTP access to disable extensions: delete, or simply temporarily rename, the folder of the conflicting plugin.

Just like plugins, each theme has its own subfolder. If we open the folder of any theme, we will see many PHP files that together create the appearance and structure of your theme. Let's take the famous Divi theme from Elegant Themes as an example: in its main folder we will find files such as functions.php, sidebar.php and style.css, among others. Divi also has separate css, images and js folders, which is fairly standard for most quality themes. Some other folders, however, are quite unique, for example epanel and et-pagebuilder:

Another folder is wp-includes, and it is quite big. It contains all the files that do not belong in the folders described above. Roughly speaking, it is thanks to this folder that the site runs like clockwork.

This folder is so important because most of the WordPress core files live here. A new WordPress installation contains 140 different files in this directory and 14 different folders (at the time of writing), including certificates, fonts, js and widgets.

But these subfolders are not as important as the files in the directory itself, for example functions.php. This small file is an important part of the WordPress core, as it contains many of the varied functions that keep WordPress running stably. For example, the mysql2date() function shown below is the first thing you will see if you open this file; it converts a date string into other formats.

/**
 * Convert given date string into a different format.
 *
 * $format should be either a PHP date format string, e.g. "U" for a Unix
 * timestamp, or "G" for a Unix timestamp assuming that $date is GMT.
 *
 * If $translate is true then the given date and format string will
 * be passed to date_i18n() for translation.
 *
 * @since 0.71
 *
 * @param string $format    Format of the date to return.
 * @param string $date      Date string to convert.
 * @param bool   $translate Whether the return date should be translated. Default true.
 * @return string|int|bool Formatted date string or Unix timestamp. False if $date is empty.
 */
function mysql2date($format, $date, $translate = true) {
    if (empty($date))
        return false;

    if ("G" == $format)
        return strtotime($date . " +0000");

    $i = strtotime($date);

    if ("U" == $format)
        return $i;

    if ($translate)
        return date_i18n($format, $i);
    else
        return date($format, $i);
}

Other key files are cache.php (manages adding data to and removing it from the cache, and is also responsible for closing or restarting it), links.php (the functionality behind WordPress links) and version.php (holds the WordPress version).

I really hope this article gives beginners a basic understanding of the structure of a WordPress site. Agreed, not every driver needs to be a car mechanic, but everyone who drives should know where the engine and the suspension are. And that is true, by the way :)

I often hear SEO experts advise removing the .html, .php and .htm endings from your site's URLs: supposedly they hurt promotion. Others say they simply add visual clutter to the address.

In any case, whether to remove or keep these endings is up to you, but I will show you how to do it on a static site (that is, a site not running on a CMS). Why only static? Because different CMSs implement this in different ways, which I will cover in subsequent articles.

I am not saying this method will not work on any CMS at all - try it and report the results in the comments.

Removing .html, .php and .htm on Apache

As you know, in Apache there is a .htaccess file, which contains a set of server settings and configurations. With its help, we will remove unnecessary endings.

1. Connect to the site via FTP and find the .htaccess file in the site root. Open it. If the file does not exist, create it.

2. Find the line containing:

RewriteEngine On

Immediately after it, insert the following rules.

If you need to remove .php:

RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^.]+)$ $1.php

If you need to remove .html:

RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^.]+)$ $1.html

If you need to remove .htm:

RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^.]+)$ $1.htm

If the line "RewriteEngine On" is missing from the file, add it at the very beginning.

Then save the changes and upload the file back to the site. If previously the addresses on your website looked like

https://www..php

then you can now open this page at:

https://www.
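The rules above rewrite every extensionless request to $1.php (or .html, .htm) even when no such file exists, and they leave the old /page.php address working alongside the new /page, so each page ends up with two URLs. The .htaccess below is an added example, not the author's file: it only rewrites when the target file actually exists, tries the three extensions in order, and permanently redirects the old addresses to the new ones. It assumes the site lives at the document root (RewriteBase /) and that mod_rewrite is enabled.

```apache
# Added example (not from the article): strip .php/.html/.htm from URLs on
# a static Apache site, without rewriting to files that do not exist and
# without leaving each page reachable under two addresses.
# Assumes the site is at the document root.
RewriteEngine On
RewriteBase /

# 1. External redirect: a client that asks for /page.php, /page.html or
#    /page.htm is sent to /page. THE_REQUEST is the raw request line, so
#    it never matches the internal rewrites below and cannot loop.
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /([^\ ?]+)\.(php|html?)[\ ?] [NC]
RewriteRule ^ /%1 [R=301,L]

# 2. Internal rewrite: serve /page from page.php, page.html or page.htm,
#    in that order, but only when that file really exists. A request for
#    a name with no matching file falls through to the normal 404.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}.php -f
RewriteRule ^([^.]+)$ $1.php [L]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}.html -f
RewriteRule ^([^.]+)$ $1.html [L]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}.htm -f
RewriteRule ^([^.]+)$ $1.htm [L]
```

The "-f" test on %{REQUEST_FILENAME}.php works in .htaccess because in per-directory context Apache has already mapped the request to a filesystem path. The 301 in step 1 is what removes the duplicate-content problem that a bare rewrite leaves behind: search engines see one canonical address per page.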

Removing .html, .php and .htm on Nginx

1. To do the same in Nginx, open the configuration file at:

/etc/nginx/nginx.conf

via FTP (if your permissions allow) or through the server control panel.

If you need to remove .php:

rewrite ^/([^.]+)$ /$1.php break;

If you need to remove .html:

rewrite ^/([^.]+)$ /$1.html break;

If you need to remove .htm:

rewrite ^/([^.]+)$ /$1.htm break;

If something doesn’t work out for you during the setup process, write about it in the comments.


To promote a website in search engines, optimization is necessary. When building a site, a situation can arise where the same page opens at both /blog/index.php and /blog/. This negatively affects your site's positions in search engines.

In this article we will look at how to use the .htaccess file (if you have an Apache web server) to get rid of this duplicate content.

Should I leave index.php in the address bar of the site or should I remove it?

To answer this question, compare two variants of a site URL in the browser's address bar.

Example 1:

https://YASH_SITE.COM/blog/index.php?p=13s332kkxs

Looking at the URL as a whole and at the GET parameter after index.php, it is hard to guess what article lives at this link; moreover, when indexing the site, search robots also take into account keywords in the URL.

Example 2:

https://YASH_SITE.COM/blog/how-to-use-index-php/

In this variant the URL is human-readable: looking at it, you can tell that the address holds an article about using the index.php file.

This type of link is called a human-readable URL (ЧПУ in Russian sources, or User Friendly URL in English). For all the links on your site to be human-readable, it makes sense to remove index.php from the GET request of your site's pages.

How to hide index.php using .htaccess

Removing index.php from your site's GET request is very easy. If you use the Apache web server, create or edit the .htaccess file in your site's root directory and enter the following code into it:

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php?/$1 [L]

As you know, the page "index.php" opens by default. That is, when you request a directory path, for example "http://site.ru/mydir/", the server returns the file "index.php" from that directory. If that file does not exist, it returns "index.html" or "index.htm". If none of them exist, then depending on the server settings either the directory listing or a 403 ("Forbidden") error is shown. But sometimes you need to override the default page and return a completely different file from the directory. This is exactly what DirectoryIndex in .htaccess is for.

Here is an example of using DirectoryIndex in .htaccess:

DirectoryIndex index.html index.htm index.php

The result is as follows: when the directory is requested, index.html is returned; if it is not there, then index.htm; and if that is not there either, then index.php. That is, we have defined not only which files open by default, but also their priority.

You can also use DirectoryIndex in .htaccess like this:

DirectoryIndex mainpage.html

Then none of the "index" files will open by default; instead the server will return "mainpage.html". All in all, as you can see, "DirectoryIndex" is a very interesting directive that can sometimes be used elegantly, although, of course, it is needed quite rarely.

Many articles have been written about the advantages of FollowSymLinks; I want to talk about the dangers of configuring it incorrectly.

We will talk about servers running Apache.

FollowSymLinks is a tool for a "second hack": you need at least an account on the server (your own or a compromised one) and preferably PHP.

What does FollowSymLinks do? When a symlink is requested through the browser, it is served as if it were the file it points to. The bad part is that FollowSymLinks does not check in any way who owns that file, while Apache itself has access to the web files of all users.

Let's get started!

Let's look at the path to our script on the site (http://nash.site/); let it be /home/nash/public_html/view/some.php.

First we try to get a list of directories under /home/ using PHP, and we find three there:
vasja
petja
kostja

We write to our some.php:
symlink("/home/vasja/public_html/index.php", "vasja.txt");
symlink("/home/petja/public_html/index.php", "petja.txt");
symlink("/home/kostja/public_html/index.php", "kostja.txt");
We call nash.site/some.php and get three symlinks.

We create a .htaccess in our view directory with the content:
Options all
Options +Indexes
Options -SymLinksIfOwnerMatch
Options +FollowSymLinks
DirectoryIndex other.html

And we try to open nash.site/view in the browser.

If the three other users have PHP sites and the server is vulnerable, then most likely, by clicking the .txt files, you will be able to read the contents of their index.php.

Did it work? We make a symlink to config.php / wp-config.php / settings.php in their directories and obtain the MySQL passwords. Install Adminer and connect to the database. This is enough to break almost any website on a vulnerable server.

How to fix it?
Use SymLinksIfOwnerMatch instead of FollowSymLinks; it checks that the file and the symlink have the same owner.

That's all? That simple?
No. With "AllowOverride All" a user can disable SymLinksIfOwnerMatch and enable FollowSymLinks from .htaccess. Instead of "AllowOverride All" you will have to write an inconvenient construction like this:

AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,Includes,IncludesNOEXEC,SymLinksIfOwnerMatch,MultiViews,None

This, however, will break the sites of users who have
Options +FollowSymLinks
in their .htaccess. And there are many of them: almost everyone on Joomla/Drupal.

There is also the option of patching Apache so that it treats every FollowSymLinks as SymLinksIfOwnerMatch. DirectAdmin and possibly other control panels went this way. I would be glad if you help me collect information.

Bottom line: the vulnerability is old and requires an account on the server. It is common and allows almost the entire server to be compromised.
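The server-side configuration that closes this hole without a patched Apache, as an added example that is not part of the original post: it belongs in httpd.conf or a virtual host file, never in a .htaccess the hosted users can edit. The /home/*/public_html layout is an assumed shared-hosting convention; adjust the path to your own.

```apache
# Added example (not from the article): server-level hardening against
# cross-account symlinks. Put this in httpd.conf / the vhost, not .htaccess.
# Assumes per-user web roots under /home/<user>/public_html.

# Deny everything by default; each web root is opened up explicitly below.
<Directory "/">
    Options None
    AllowOverride None
    Require all denied
</Directory>

<Directory "/home/*/public_html">
    # Absolute Options (no +/-), so nothing is inherited: a symlink is
    # followed only when link and target have the same owner, and
    # FollowSymLinks, Indexes and ExecCGI stay off. mod_rewrite in
    # .htaccess works with SymLinksIfOwnerMatch just as with FollowSymLinks.
    Options SymLinksIfOwnerMatch

    # Let .htaccess adjust most things, but "Options=" restricts which
    # Options values a user may set. FollowSymLinks is deliberately absent,
    # so "Options +FollowSymLinks" in a .htaccess is rejected (the request
    # fails with a 500 and "Options not allowed here" in the error log)
    # instead of silently widening access to other accounts' files.
    AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,Includes,IncludesNOEXEC,SymLinksIfOwnerMatch,MultiViews

    Require all granted
</Directory>
```

The 500 errors this causes for Joomla/Drupal-style .htaccess files are easy to recognise in the error log, and the fix on the user's side is a one-word change from "Options +FollowSymLinks" to "Options +SymLinksIfOwnerMatch": their rewrite rules keep working, and a link pointing into someone else's account is simply not followed.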
