WordPress updates can be applied manually or automatically. The default behaviour is for smaller security related updates to be applied automatically, and bigger updates are left for you to apply manually when you are ready. This can however be customized according to your preferences – we don’t recommend turning off the automatic security updates.
However the updates are applied, and no matter what kind of update it is, WordPress will overwrite all of it’s own files.
There are however some folders which WordPress will not touch (for reasons that will become obvious).
The short version is that everything in the wp-content folder will be safe from being deleted or overwritten.
This includes of course the folders that are within that folder, so your themes, plugins and uploads folders are safe (otherwise your website would break every time WordPress was updated!).
Just to be clear, this does NOT mean WordPress won’t touch anything in wp-content, because it will. WordPress can (and does) add plugins and themes into the relevant folders here – they won’t be activated of course, but don’t be surprised if a new theme shows up that you didn’t install (named after the year for themes designed by WordPress)! WordPress will also create files in wp-content as part of it’s normal operation.
These are not the only folders in wp-content either though. You may also see cache, language, mu-plugins and upgrade – these are best left alone unless you know what you’re doing.
So if you have other files that need to be accessible online the wp-content folder is the place to store them, preferably in uploads or a new folder specific to the purpose, and if a plugin gives you a filepath option for where to store files it creates (e.g. NextGEN Gallery) then you probably want to make sure it’s pointing to somewhere in wp-content. Pointing it somewhere unexpected can mean files are missed when backing up your WordPress site.