Is this a security breach??

That depends on how sensitive your media library content is in WordPress. As long as you don't store private media there, it isn't a big issue. In other words, if you have scanned images of cheques, photo ID... you're making a big mistake storing them in your WordPress media library even if you don't link to them on any of your pages. It is nice that the web server doesn't usually list all files when going here: /wp-content/uploads/ Listing all files would be unnecessarily revealing even if accessing each individual file isn't a big problem. Here is an article to prevent access to that directory more: https://www.getastra.com/blog/cms/wordpress-security/hide-wp-includes-wp-content-uploads-from-your-wordpress-site/ You asked about reading and editing .php files in the website. It would be pretty bad if that didn't require signing into the WordPress dashboard. I don't think that's a really bad thing if your WordPress credentials are very hard to guess. It is a bit like how you could also edit the .php files in cPanel or FTP if you had the right credentials. If I had something very sensitive to put in a website, I would avoid WordPress because WordPress has a lot of compromised plugins and security problems. The most sensitive thing WordPress is somewhat suitable for is online ordering and online purchasing. Even with that, you need to be proactive about plugin updates and maintenance because WordPress and the plugins are so popular that they become targets for malicious hackers.