Below is a complete list of default WordPress files and directories that should exist on your server after WordPress installation is complete. Understanding this list of default files is important so that in the case your site is hacked (or in case your files are extremely out of date) you can quickly determine which files and folders belong and which do not. In general, it’s a good idea to re-install WordPress from scratch at least once each year, to make sure that no “deprecated” PHP files exist on your server, which can lead to serious security problems over time.
If you are not sure whether or not your WordPress contains any outdated or jeopardized files, simply delete all the files and folders from your web server (besides any media/photos uploaded to the
wp-content folder, which you must retain) and then re-install the complete WordPress package from scratch via SFTP.
The below list is up to date as per WordPress 4.4 (it may change for future WordPress versions).
/wp-admin/ /wp-content/ (do not delete any uploads/etc inside this folder!) /wp-includes/ readme.html index.php wp-activate.php wp-blog-header.php wp-comments-post.php wp-config-sample.php wp-config.php (appears only after WordPress installation is 100% complete) wp-cron.php wp-links-opml.php wp-load.php wp-login.php wp-mail.php wp-settings.php wp-signup.php wp-trackback.php xmlrpc.php license.txt