When you first install WordPress, or upload any files using an FTP client such as FileZilla, it is more secure to connect via SFTP.
Why upload WordPress files using SFTP?
The majority of FTP client users connect to their server via plain FTP. Unfortunately, this method sends your login and your files across the network in plain text.
This poses a security risk. Use SFTP instead of FTP: SFTP encrypts both commands and data, which prevents your password and other sensitive information from being transmitted over the network in the clear.
For example, when you upload your wp-config.php file it contains your database name, username, password, host and table prefix. That's information I certainly don't want to share, and I'm sure you don't either.
Instead, connect to your server via SFTP (SSH File Transfer Protocol). SFTP encrypts your data during the upload (to anyone watching the network it looks like a bunch of gobbledygook), making it much more secure. For more information on SFTP and encryption, click here.
How to upload WordPress files via SFTP using FileZilla
- Download and install FileZilla.
- Open FileZilla (Start > All Programs > FileZilla).
- From the File menu, click “Site Manager” (top left corner of the program).
- Click the “New Site” button (bottom left of the Site Manager window).
- Give your site a name so it displays on the left.
- On the right, fill in your “Host” (generally your domain name or your site's IP address, without any http://www. For example: wpsecuritylock.com).
- Enter the “Port” number your hosting provider uses for SFTP. Generally 22 (HostGator uses 2222).
- Click the dropdown next to “Server Type” and choose SFTP (second option down).
- Change the dropdown next to “Logon Type” to “Normal.”
- Enter your user name.
- Enter your password.
- Click the “Connect” button.
- After the server connects the first time, you will see a popup asking you to trust the server's SSH host key. Click “Yes” to accept.
- If you entered your information correctly, you will be connected via SFTP. You can verify this by looking at the top left corner above “File”, where your site name appears as sftp://yourhost:22.
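The popup in the steps above is FileZilla showing the server's SSH host key fingerprint; the safe answer is to compare it with the fingerprint your hosting provider publishes before clicking “Yes”. The following is an added example, not code from the original post or from FileZilla: it computes the SHA256 and MD5 fingerprints FileZilla displays from an OpenSSH public key line and checks them against a published list. The key line and host name are constructed for illustration, not a real server's key.

```python
import base64
import hashlib

# Constructed sample: an OpenSSH public key line as a hosting provider might publish it
# (or as `ssh-keyscan` prints it). The key material is made up, not a real server's key.
SAMPLE_HOST_KEY = (
    "ssh-ed25519 "
    "AAAAC3NzaC1lZDI1NTE5AAAAIBx8ZkEY6VgUbkV0N1zI9KhUqj4hG6VvOEyv1mYd6rW1 "
    "hypothetical-host"
)

def parse_public_key_line(line):
    """Return (key type, raw key blob) from a 'type base64 [comment]' line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    # The blob starts with a length-prefixed copy of the key type; a mismatch
    # means the line was mislabelled, truncated or tampered with.
    type_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + type_len] != key_type.encode():
        raise ValueError("key type inside blob does not match declared type")
    return key_type, blob

def is_valid_public_key_line(line):
    """True if the line parses and its declared type matches the blob."""
    try:
        parse_public_key_line(line)
        return True
    except ValueError:
        return False

def sha256_fingerprint(blob):
    """'SHA256:...' form shown by FileZilla, OpenSSH and ssh-keygen -l (base64, no padding)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def md5_fingerprint(blob):
    """Legacy 'MD5:aa:bb:...' form that some providers still display."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def host_key_matches(line, published_fingerprints):
    """True only if the key's fingerprint is in the list the provider published out of band."""
    _, blob = parse_public_key_line(line)
    ours = {sha256_fingerprint(blob), md5_fingerprint(blob)}
    return any(fp.strip() in ours for fp in published_fingerprints)

if __name__ == "__main__":
    _, blob = parse_public_key_line(SAMPLE_HOST_KEY)
    print(sha256_fingerprint(blob), md5_fingerprint(blob))
```

Only accept the popup when host_key_matches would return True for the fingerprint it shows; a key that changes later without notice from the host deserves the same scrutiny.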
Here's a sample screenshot connecting to SFTP with FileZilla:
If you are unable to connect with SFTP, contact your hosting company to confirm that SFTP is enabled on your web server and that you have the right port number.
Caution: If your hosting company says you need to enable SSH on your server, it may erase all your site content or database. Ask your hosting provider specifically whether this will happen before you enable it. And if your hosting provider doesn't offer it at all, that's a red flag. MOVE HOSTS!
If you're on GoDaddy and it doesn't work, try Server Type “FTPES – FTP over explicit TLS/SSL” and port 21. If you're on their Northland server it should work. FTPES also encrypts your data, so it's the next best thing.
You can also read GoDaddy's article here on other ways to test it.
Bottom Line
As they say, the best defense is a good offense. So take your WordPress security seriously and do what YOU can to make your blog a safer place for your visitors and yourself.
And if you'd like me to help, click here!
Leave your feedback
When you upload files to your WordPress blog, do you use SFTP? What FTP program do you use or like the best (FileZilla, FireFTP, CoreFTP, etc.)?
Securely yours,
Regina Smola
WordPress Security Expert
Follow on Twitter @WPSecurityLock
Become a Facebook Fan
Regina Smola says
Thanks for your question Robert.
In the screen shot above, I changed the “anonymous” to normal. It is also #9.
Try that and see if it works 🙂
Regina Smola says
I noticed in your error, it says “Command: open “[email protected]” 2222″ which means even if you changed anonymous to normal, you have to reenter in your username and password. Filezilla can be a bit wonky.
Robert Nelson says
Hi
Status: Connecting to robertnelsononline.com:2222…
Response: fzSftp started
Command: open “[email protected]” 2222
Command: Pass: **************
Error: Authentication failed.
Error: Critical error
Error: Could not connect to server
I followed your procedure, even printed it out. The above is the result of trying to change to SFTP with FileZilla. Nothing in the post about username; anonymous is filled in already, password is the usual * to hide what it really is.
Robert Nelson says
PLEASE NOTE
After Step 9 and before clicking the “Connect” button, please enter a user name & password (if you're adding SFTP it will be whatever your user name and password are). If this is a new install you will need to add a user name and password, then click Connect. For future sessions you will then have a my site button in the upper left hand portion of FileZilla which you will click with your mouse and it goes to your site. You are then more secure and eliminate 3 steps, as you no longer need to enter your domain name, user name and password in order to FTP.
Michael Clark says
You do realize you massively mangled the description of the attack vector of using FTP? It has nothing to do with a “malicious hacker lurking on your server.” SFTP protects someone on the network (at your home or office, over the wireless connection, on the Internet, or at your web host) watching the traffic going across the network. SFTP encrypts the traffic so that a sniffer can’t see the username or password information on the network connection between you and your server. Even with SFTP, the data is still a regular text file once it arrives at the server. So if there is a “malicious hacker lurking on your server” you’ve still got problems and SFTP will not help you at all.
Regina Smola says
Hi Michael,
Thanks for your comment. While I agree with you and will update my post per your comment, I have a very hard time explaining why to use SFTP in layman’s terms for beginners. Many are still trying to figure out “how to connect via SFTP” let alone why.
I’m updating my post as follows:
Use SFTP instead of FTP so that it eliminates the security concern of using FTP. Whereas SFTP encrypts both commands and data, which prevents passwords and sensitive information from being transmitted over the network in clear format.
Clever Dodo says
If you’re on a VPS, you’ll need to purchase an SSL certificate for that to work, right?
Regina Smola says
No, you do not need an SSL certificate to connect via SFTP. Is ssh enabled on your hosting account?
mike says
My server is set to SFTP, but I can't even upload images from within the CMS now. Any ideas how to make this possible?
Regina Smola says
Hi Mike,
When you say you can’t upload from CMS what are you referring too?
mike says
You know, i got it fixed!
The image uploader in wordpress wasn’t working, it seems to happen with installations on SFTP only servers. I needed to change the permissions set on the wp-content folder to 777. Thanks for the reply!
Regina Smola says
Hi Mike,
SFTP has nothing to do with your wp-content directory permissions. For security, you should never set it higher than 755. If you can’t upload with server permissions being 755 then you need to change hosts.
777 is dangerous and wide open to the internet. Please do not use that setting. Same goes for any files being set to 666. Files should be no higher than 644.
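An added example (not code from the original post or from any commenter) that turns the 755/644 rule of thumb above into an audit: it walks a WordPress install, reports every directory looser than 755 and every file looser than 666's safe counterpart 644, and repairs them by clearing only the excess bits. The sample install it builds in a temporary directory is constructed to reproduce the 777 wp-content and 666 wp-config.php mistakes from the thread.

```python
import os
import stat
import tempfile

MAX_DIR_MODE = 0o755    # from the thread above: directories no higher than 755
MAX_FILE_MODE = 0o644   # and files no higher than 644

def excessive_bits(mode, limit):
    """Permission bits set in `mode` that `limit` does not allow (0 means compliant)."""
    return (mode & 0o7777) & ~limit

def audit_tree(root):
    """Return (relative path, mode, allowed mode) for every entry looser than its limit."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, MAX_DIR_MODE) for d in dirnames] + [(f, MAX_FILE_MODE) for f in filenames]
        for name, limit in entries:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):          # never chmod through a symlink
                continue
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if excessive_bits(mode, limit):
                findings.append((os.path.relpath(path, root), mode, limit))
    return findings

def fix_findings(root, findings):
    """Clear only the excessive bits; a stricter mode the admin chose is left alone."""
    for rel, mode, limit in findings:
        os.chmod(os.path.join(root, rel), mode & limit)

def make_demo_tree(base):
    """Constructed sample install reproducing the 777 / 666 mistakes from the thread."""
    root = os.path.join(base, "wordpress")
    os.makedirs(os.path.join(root, "wp-content", "uploads"), 0o755)
    os.chmod(root, 0o755)
    os.chmod(os.path.join(root, "wp-content"), 0o777)   # the "make uploads work" mistake
    cfg = os.path.join(root, "wp-config.php")
    open(cfg, "w").close()                                # empty placeholder, not a real config
    os.chmod(cfg, 0o666)                                  # world-writable config file
    return root

def run_demo():
    """Audit the sample tree, repair it, audit again; returns (before, after)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = make_demo_tree(tmp)
        before = audit_tree(root)
        fix_findings(root, before)
        after = audit_tree(root)
    return before, after
```

Run audit_tree against a real install's document root (as the site's owner user) to get the same report; if uploads only work with looser modes than these, the web server is running as the wrong user, which is the thread's point about changing hosts rather than opening permissions.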
mike says
cool, set it to 777 then changed it back to 755. all secure!
Violeta Leyva says
Hi! I've recently moved my site onto a VPS. I can connect through FileZilla with an SFTP connection, but my WordPress installation is showing an error when I try to update the plugins or WordPress itself. It says “To perform the requested action, WordPress needs to access your web server. Please enter your FTP credentials to proceed. If you do not remember your credentials, you should contact your web host.” and it suggests connecting through “FTPS (SSL)”. I used the same info I use in FileZilla, and it doesn't work. I don't have an SSL; I'm going to, but I don't currently have it. Can you help me? I'd really appreciate it.
Thanks!!
Michele Butcher says
Hi Violeta. Your issue has come from a misconfiguration in your VPS server. Please take a look at http://www.chrisabernethy.com/why-wordpress-asks-connection-info/ and it can explain it more for you. If you still have issues, you can always contact us here at to help you configure your server correctly.