Open Ticket 
+373 79 600002 
Telegram Live Chat 
F.A.Q 
English
Русский 
Română 
Deutsch 
Français 
Türkçe 
Español 
Português 
Українська 
български 
Polski 
Indonesia 
中文 (中国) 
AdministrationWebsite Root Directory: Complete Guide to Location, Structure & Best Practices
Understanding your website's root directory is one of the most fundamental skills any web developer, system administrator, or site owner needs to master. Whether you're troubleshooting a broken page, deploying a new application, or hardening your server against attacks, everything traces back to this single, critical folder. In this comprehensive guide, we'll cover exactly what the root directory is, where to find it across different environments, how to secure it, and the professional best practices that keep websites running efficiently at scale.
What Is the Root Directory of a Website?
The root directory is the top-level folder on a web server from which all of a website's files and subdirectories are served. Think of it as the "home base" of your website — when a visitor types your domain name (e.g., www.example.com) into their browser, the web server immediately looks inside the root directory to find the appropriate file to return, typically index.html or index.php.
Everything your website needs to function lives here or in subdirectories beneath it: HTML markup, CSS stylesheets, JavaScript files, images, video assets, PHP scripts, and dynamically generated content. Without a properly configured root directory, your web server has no starting point and cannot serve any content to users.
It is important to distinguish the web root directory (the folder accessible via HTTP/HTTPS) from the server's filesystem root (the / directory on Linux systems). These are entirely different concepts. The web root is a subdirectory within the server's filesystem, deliberately scoped to limit what the public can access.
Common Names for the Root Directory
The exact name and path of the root directory varies depending on your hosting environment, operating system, and web server software. Here are the most frequently encountered configurations:
| Environment | Default Root Directory Path |
|---|---|
| cPanel / Shared Hosting | /home/username/public_html/ |
| Plesk | /var/www/vhosts/domain.com/httpdocs/ |
| Apache on Ubuntu/Debian | /var/www/html/ |
| Apache on CentOS/RHEL | /var/www/html/ |
| Nginx (default) | /usr/share/nginx/html/ or /var/www/html/ |
| XAMPP (Windows/macOS) | C:xampphtdocs or /Applications/XAMPP/htdocs/ |
| MAMP (macOS) | /Applications/MAMP/htdocs/ |
| Custom VPS Configuration | Defined in the virtual host configuration file |
On a VPS Hosting environment, the root directory path is fully customizable. You define it yourself inside the Apache VirtualHost block or the Nginx server block, giving you complete control over your server's file structure.
The Purpose of the Root Directory
The root directory serves several interconnected functions that are essential to how a website operates:
1. Central File Storage
Every file that makes up your website — from the homepage HTML to the smallest icon — is stored in the root directory or one of its subdirectories. The web server reads from this location exclusively when responding to HTTP requests.
2. Entry Point for Web Server Configuration
Web servers like Apache and Nginx are explicitly configured to point to the root directory as the DocumentRoot (Apache) or root directive (Nginx). This configuration tells the server: "Start here when looking for files to serve."
# Apache VirtualHost example
<VirtualHost *:80>
ServerName www.example.com
DocumentRoot /var/www/html/example.com/public
</VirtualHost># Nginx server block example
server {
listen 80;
server_name www.example.com;
root /var/www/html/example.com/public;
index index.php index.html;
}3. Structural Organization
The root directory acts as the parent container for all subdirectories that logically organize your website's content — separating assets from scripts, uploads from core files, and public content from private configuration.
4. Security Boundary
The root directory defines the boundary of what is publicly accessible. Files placed *outside* the root directory cannot be accessed via a web browser, which is a critical security principle for protecting sensitive configuration files.
How to Locate Your Root Directory
Method 1: Using cPanel (Shared Hosting)
cPanel is the most widely used control panel for Shared Web Hosting environments. To find your root directory:
- Log in to your cPanel account at
yourdomain.com/cpanelor via your hosting provider's dashboard. - Navigate to Files → File Manager.
- In the left-hand directory tree, look for the folder named
public_html— this is your web root. - Any file placed directly inside
public_htmlis accessible at your domain's root URL (e.g.,example.com/filename.html).
You can also verify the document root by going to Domains → Domains or Addon Domains in cPanel, where the document root path is explicitly listed for each domain.
Method 2: Using FTP or SFTP (FileZilla)
FTP/SFTP access works across virtually all hosting environments:
- Open FileZilla (or your preferred FTP client).
- Enter your hostname, username, password, and port (21 for FTP, 22 for SFTP — always prefer SFTP for security).
- After connecting, you'll land in your home directory. Look for folders named
public_html,www,htdocs, orhttpdocs. - Navigate into that folder — this is your root directory.
- The remote path displayed in FileZilla's address bar confirms the exact server path.
> Security tip: Always use SFTP instead of plain FTP. SFTP encrypts your credentials and file transfers, preventing interception.
Method 3: Using SSH (VPS and Dedicated Servers)
SSH access is the most powerful method and is standard practice on Dedicated Servers and VPS environments:
# Connect to your server
ssh username@your-server-ip
# Navigate to the default Apache/Nginx root
cd /var/www/html
# List contents to confirm
ls -la
# Find the document root from Apache configuration
grep -r "DocumentRoot" /etc/apache2/sites-enabled/
# Find the root from Nginx configuration
grep -r "root " /etc/nginx/sites-enabled/If you're running a custom configuration, the document root is defined in your virtual host file. Checking the active configuration is the most reliable way to confirm the exact path.
Method 4: Using a Control Panel on VPS (cPanel, DirectAdmin, Plesk)
If you're running a VPS with cPanel or another panel, the interface works similarly to shared hosting. The document root is typically displayed in the domain management section and defaults to /home/username/public_html/ for the primary domain.
Root Directory Structure: Best Practices
A well-organized root directory is the hallmark of a professionally managed website. Here is a recommended structure for a typical web application:
/public_html/ ← Web root (publicly accessible)
├── index.php ← Entry point / homepage
├── .htaccess ← Apache configuration (rewrites, security)
├── robots.txt ← Search engine crawl instructions
├── sitemap.xml ← XML sitemap for SEO
├── assets/
│ ├── css/ ← Stylesheets
│ ├── js/ ← JavaScript files
│ └── images/ ← Image files
├── uploads/ ← User-uploaded content
├── includes/ ← PHP includes (header, footer, functions)
└── blog/ ← Blog section subdirectory
/home/username/ ← One level ABOVE the web root (private)
├── config/
│ ├── .env ← Environment variables (NOT publicly accessible)
│ └── db-config.php ← Database credentials (NOT publicly accessible)
└── backups/ ← Backup archivesSensitive files like .env, database credentials, and API keys should never be placed inside the web root. Storing them one directory above ensures they are completely inaccessible via HTTP.
Security Best Practices for the Root Directory
Security misconfigurations at the root directory level are among the most common causes of website breaches. Follow these practices rigorously:
1. Set Correct File Permissions
Incorrect permissions are a leading cause of both security vulnerabilities and server errors:
# Set correct permissions for files (read/write for owner, read-only for others)
find /var/www/html -type f -exec chmod 644 {} ;
# Set correct permissions for directories (read/write/execute for owner, read/execute for others)
find /var/www/html -type d -exec chmod 755 {} ;
# Set ownership to the web server user
chown -R www-data:www-data /var/www/html| Resource Type | Recommended Permission | Explanation |
|---|---|---|
| Regular files | 644 | Owner: read+write; Group/Others: read only |
| Directories | 755 | Owner: full; Group/Others: read+execute |
| Config files | 600 | Owner: read+write only; no access for others |
| Executable scripts | 750 | Owner: full; Group: read+execute; Others: none |
2. Protect Sensitive Files with .htaccess (Apache)
Use .htaccess rules to block direct access to sensitive files:
# Block access to .env files
<Files ".env">
Order allow,deny
Deny from all
</Files>
# Block access to configuration files
<FilesMatch ".(ini|log|conf|sql|bak)$">
Order allow,deny
Deny from all
</FilesMatch>
# Disable directory listing
Options -Indexes3. Disable Directory Listing
If no index.html or index.php file exists in a directory, many web servers will display a full listing of its contents by default — exposing your file structure to anyone. Always disable this:
- Apache: Add
Options -Indexesto your.htaccessor virtual host configuration. - Nginx: Ensure
autoindex off;is set in your server block (it is off by default).
Always place an index.html or index.php file in every directory to prevent accidental exposure.
4. Keep Sensitive Files Outside the Web Root
This is the single most important security principle for root directory management:
- Database credentials, API keys, and
.envfiles belong above the web root. - Use PHP's
requireorincludewith absolute paths to reference them from within your application. - If you must store configuration files inside the web root, use
.htaccessrules to block HTTP access to them.
5. Implement SSL/TLS
Serving your website over HTTPS encrypts all data in transit between the server and the visitor's browser. An SSL Certificate is no longer optional — it's a baseline security requirement and a confirmed Google ranking factor. Configure your web server to redirect all HTTP traffic to HTTPS and set HSTS headers for maximum protection.
Root Directory Management for Popular CMS Platforms
WordPress
WordPress has a well-defined root directory structure that you must understand to manage the platform safely:
/public_html/
├── index.php ← WordPress bootstrap file
├── wp-config.php ← Database credentials & settings (move above web root if possible)
├── wp-login.php ← Login page (consider restricting by IP)
├── .htaccess ← WordPress permalink configuration
├── wp-admin/ ← Admin dashboard (restrict access)
├── wp-includes/ ← Core WordPress files (do not modify)
└── wp-content/
├── themes/ ← Installed themes
← Installed plugins
└── uploads/ ← Media library filesCritical WordPress root directory tips:
- Move
wp-config.phpone directory above the web root — WordPress will automatically find it there. - Restrict access to
wp-admin/andwp-login.phpby IP address using.htaccess. - Never modify files inside
wp-includes/— they will be overwritten on the next update. - Regularly audit the
wp-content/uploads/directory for malicious file uploads.
Joomla
Joomla's root directory structure follows a similar pattern:
/public_html/
├── index.php ← Main entry point
├── configuration.php ← Database & site configuration
├── .htaccess ← URL rewriting rules
├── administrator/ ← Admin panel (restrict access)
├── components/ ← Frontend components
├── modules/ ← Joomla modules
├── plugins/ ← Joomla plugins
└── templates/ ← Site templatesMove configuration.php outside the web root or restrict its access via .htaccess to prevent exposure of database credentials.
Laravel / Modern PHP Frameworks
Modern PHP frameworks like Laravel are specifically designed with root directory security in mind. Only the public/ subdirectory is exposed as the web root:
/var/www/laravel-app/ ← Application root (NOT the web root)
├── app/ ← Application logic
├── config/ ← Configuration files
├── .env ← Environment variables
├── vendor/ ← Composer dependencies
└── public/ ← THIS is the web root (DocumentRoot points here)
├── index.php
└── assets/This architecture is a security best practice — sensitive files are structurally impossible to access via HTTP.
Backup Strategies for the Root Directory
Regular backups of your root directory are non-negotiable. A single accidental deletion, failed update, or security breach can take your website offline. Here are the most effective backup approaches:
Manual Backup via SSH
# Create a compressed archive of the entire web root
tar -czf /home/username/backups/webroot-$(date +%Y%m%d).tar.gz /var/www/html/
# Transfer the backup to a remote location using SCP
scp /home/username/backups/webroot-$(date +%Y%m%d).tar.gz user@backup-server:/backups/Automated Backup with Cron
# Edit crontab
crontab -e
# Add a daily backup job at 2:00 AM
0 2 * * * tar -czf /home/username/backups/webroot-$(date +%Y%m%d).tar.gz /var/www/html/ 2>/dev/nullUsing rsync for Incremental Backups
# Sync web root to a backup directory (only copies changed files)
rsync -avz --delete /var/www/html/ /mnt/backup/webroot/Hosting Provider Backups
Many managed hosting solutions include automated daily backups. AlexHost's VPS Hosting plans include backup options that protect your entire server environment, giving you a reliable safety net alongside your own backup routines.
Troubleshooting Common Root Directory Issues
| Problem | Likely Cause | Solution |
|---|---|---|
| 403 Forbidden error | Missing index file or wrong permissions | Add index.html/index.php; check directory permissions (755) |
| 404 Not Found on homepage | Wrong DocumentRoot path in server config | Verify DocumentRoot in Apache or root in Nginx config |
| Files not updating after upload | Browser or server-side caching | Clear browser cache; check server caching headers |
| PHP files downloading instead of executing | PHP not configured for this directory | Verify PHP handler is enabled in server/hosting config |
| Directory listing exposed | Options Indexes enabled | Add Options -Indexes to .htaccess or server config |
| Permission denied on file write | Incorrect file/directory ownership | Run chown -R www-data:www-data /var/www/html |
Choosing the Right Hosting Environment for Your Root Directory Needs
The level of control you have over your root directory depends significantly on your hosting environment:
- Shared Web Hosting: Root directory is pre-configured as
public_html. Simple to use, but limited customization. Best for small websites and beginners.
- VPS Hosting: Full root access to the server. You define the document root, configure the web server, and manage all security settings yourself. Ideal for growing businesses and developers who need flexibility.
- Dedicated Servers: Maximum control and performance. The entire server is yours — configure the root directory, web server, and security stack exactly as needed. Best for high-traffic websites and enterprise applications.
- VPS Control Panels: Combine the power of a VPS with the convenience of a graphical control panel, making root directory management accessible without deep command-line expertise.
Conclusion
The root directory is the architectural foundation of every website. It determines how your web server finds and serves content, defines the boundary between public and private files, and directly impacts your site's security posture and organizational clarity. Whether you're managing a simple brochure site on shared hosting or a complex multi-application environment on a dedicated server, the principles remain the same: keep it organized, keep sensitive files out of the public web root, enforce correct permissions, and back it up regularly.
Mastering root directory management is not just a technical checkbox — it's a core competency that prevents downtime, closes security vulnerabilities, and makes your websites significantly easier to maintain and scale over time.