When you connect to your Web60 site using the File Manager, SFTP, or the terminal, you will see a set of files and folders that make up your WordPress installation. This guide explains what each one contains and which ones are safe to work with.
Your site root
Your site root is the top-level directory you see when you connect. On Web60, this is the htdocs/ folder for your site. Everything inside it is your WordPress installation.
Folder overview
| Folder | What it contains | Safe to edit? |
|---|---|---|
wp-content/ | Your themes, plugins, uploads, and custom code | Yes. This is where most of your work happens. |
wp-admin/ | WordPress admin dashboard files | No, managed by WordPress core updates |
wp-includes/ | WordPress core libraries and functions | No, managed by WordPress core updates |
Inside wp-content/
The wp-content/ folder is the most important directory for site owners. It contains everything specific to your site.
| Folder | What it contains |
|---|---|
wp-content/themes/ | All installed themes. Your active theme and any inactive themes live here. |
wp-content/plugins/ | All installed plugins. Each plugin has its own subfolder. |
wp-content/uploads/ | All media files you upload through WordPress, including images, PDFs, and videos. Organised into year/month subfolders (e.g., uploads/2026/03/). |
wp-content/mu-plugins/ | Must-use plugins that are always active. Web60 places platform plugins here. Do not modify these files. |
wp-content/languages/ | Translation files for WordPress, themes, and plugins. |
wp-content/cache/ | Cached files generated by caching plugins. Safe to delete because they will be regenerated. |
wp-content/debug.log | WordPress error log (only present when debug mode is enabled). Useful for troubleshooting. |
Important files in the root directory
| File | What it does | Safe to edit? |
|---|---|---|
wp-config.php | Database credentials, security keys, and core settings | No, managed by Web60 and protected from SFTP access |
.htaccess | URL rewrite rules and redirects | Use with caution because incorrect changes can break your site |
index.php | WordPress entry point | No, do not modify |
wp-login.php | WordPress login page | No, do not modify |
xmlrpc.php | Remote publishing interface (blocked by default on Web60) | No, do not modify |
wp-cron.php | WordPress scheduled task runner | No, do not modify |
What you can safely change
- Upload themes and plugins to
wp-content/themes/andwp-content/plugins/ - Edit theme files in your active theme folder (child themes recommended)
- Upload media to
wp-content/uploads/(though it is usually easier through WordPress) - Edit
.htaccessfor custom redirects (take a backup first) - Delete cache files in
wp-content/cache/if you need to clear cached data manually
What you should not change
- WordPress core files in
wp-admin/andwp-includes/, which are overwritten by updates - wp-config.php, which is managed by Web60 for security
- mu-plugins, the platform plugins that Web60 relies on
- Any file you do not recognise. Take a backup and ask support before deleting.
Need help?
If you are unsure about a file or folder, visit our support page or email hello@smarthost.ie.
Frequently asked questions
Can I delete files I don't recognise?
Do not delete files unless you are certain they are not needed. Many WordPress core files have names that may look unfamiliar. If in doubt, take a backup first and check with support before deleting anything.
Where are my uploaded images stored?
All images and media you upload through WordPress are stored in wp-content/uploads/, organised into year and month subfolders.
What is wp-config.php and can I edit it?
wp-config.php contains your site's database connection details and other critical settings. Web60 manages this file for you. It is protected and cannot be downloaded or overwritten via SFTP.
Where do I upload a custom theme or plugin?
Upload themes to wp-content/themes/ and plugins to wp-content/plugins/. You can also install them through the WordPress dashboard without using SFTP.
Last updated: 25 March 2026