WPSecurityLock – Malware removal & WordPress security services

How to Upload WordPress Files Securely with SFTP

January 10, 2011 By Regina Smola 15 Comments

When you first install WordPress or upload any files using an FTP Client, such as FileZilla, it's more secure to connect via SFTP.

Why upload WordPress files using SFTP?

The majority of FTP client users connect to their server via FTP. Unfortunately, this method sends your login details and your files across the network in plain text.

This poses a security risk. Using SFTP instead of FTP eliminates that concern: SFTP encrypts both commands and data, which prevents passwords and sensitive information from being transmitted over the network in clear format.

For example, when you upload your wp-config.php file it contains your database name, username, password, host and table prefix. That's information I certainly don't want to share and I'm sure you don't either.

Instead, connect to your server via SFTP – SSH File Transfer Protocol. SFTP encrypts your data during the upload process (to anyone watching the network it looks like a bunch of gobbledygook), making it much more secure. For more information on SFTP and encryption, click here.

How to upload WordPress files via SFTP using FileZilla

  1. Download and install FileZilla.
  2. Open FileZilla (Start > All Programs > FileZilla).
  3. From the File menu, click on “Site Manager” (top left corner of program).
  4. Click the “New Site” button (bottom left of Site Manager window).
  5. Give your site a name so it displays on the left.
  6. On the right, fill in your “Host” (generally your URL or your site's IP address, without any http://www. For example: wpsecuritylock.com).
  7. Enter in the “Port” number that your hosting provider uses to connect via SFTP. Generally 22. (HostGator uses 2222).
  8. Click the dropdown next to “Server Type” and choose SFTP (second option down).
  9. Change the dropdown next to “Logon Type” to “Normal.”
  10. Enter in your User name.
  11. Enter in your Password.
  12. Click the “Connect” Button.
  13. After the server connects the first time, you will see a popup with the SSL certificate for the server. Click “Yes” to accept.
  14. If you successfully entered in your information, you will be connected via SFTP. You can verify this by looking at the top left corner above “File”, where you will see your site name – sftp://yourhost:22.
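In an SFTP session, the first-connection prompt in step 13 shows the server's SSH host key and its fingerprint, and clicking “Yes” trusts whichever server answered. The example below is added here and is not from the original post: it computes the fingerprints of a host key line (the `host key-type base64` form that your hosting control panel or `ssh-keyscan` gives you) so they can be compared with the value your host publishes before you accept. The host name `example.com`, the sample key and all function names are constructed for illustration.

```python
import base64
import hashlib
import struct


def make_sample_line(host="example.com"):
    """Build a CONSTRUCTED 'host key-type base64' line (not a real server key)."""
    ktype = b"ssh-ed25519"
    blob = (struct.pack(">I", len(ktype)) + ktype
            + struct.pack(">I", 32) + bytes(range(32)))
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


def parse_host_key(line):
    """Return (key_type, raw_key_blob) from a 'host key-type base64' line."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected: host key-type base64-key")
    declared = fields[1]
    blob = base64.b64decode(fields[2], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with a length-prefixed copy of the key type; a mismatch
    # means the line was mangled or spliced together from two keys.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != declared.encode():
        raise ValueError("key type inside blob does not match declared type")
    return declared, blob


def fingerprints(line):
    """Fingerprints as SSH clients display them: SHA256 and legacy MD5."""
    _, blob = parse_host_key(line)
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    pairs = ":".join(md5[i:i + 2] for i in range(0, len(md5), 2))
    return {"sha256": "SHA256:" + sha, "md5": pairs}


def matches_published(line, published):
    """True only if the published fingerprint equals the one computed here."""
    fp = fingerprints(line)
    want = published.strip()
    if want.startswith("SHA256:"):
        return want.rstrip("=") == fp["sha256"]
    if want.upper().startswith("MD5:"):
        want = want[4:]
    return want.lower() == fp["md5"]
```

If `matches_published` returns False for the fingerprint shown in the prompt, do not accept the key; ask your hosting provider for the correct fingerprint first.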

Here's a sample screen shot connecting to SFTP with FileZilla:

[Screenshot: Connect SFTP using FileZilla]

If you are unable to connect with SFTP, contact your hosting company to see if SFTP is enabled on your web server and that you have the right port number.

Caution: If your hosting company says you need to enable SSH on your server it may erase all your site content or database. Ask your hosting provider specifically if this will happen before you enable it. Or if your hosting provider doesn't offer it, that's a red flag. MOVE HOSTS!

If you're on GoDaddy and it doesn't work, try Server Type “FTPES – FTP over explicit TLS/SSL” and try port 21. If you're on their Northland server it should work. FTPES also encrypts your data so it's the next best thing.

You can also read GoDaddy's article here on other ways to test it.

Bottom Line

As they say, the best defense is a good offense. So take your WordPress security seriously and do what YOU can to make your blog a safer place for your visitors and yourself.

And if you'd like me to help, click here!

Leave your feedback

When you upload files to your WordPress blog do you use SFTP? What FTP program do you use or like the best (FileZilla, FireFTP, CoreFTP, etc.)?

Securely yours,

Regina Smola
WordPress Security Expert


Comments

  1. Regina Smola says

    January 12, 2011 at 12:05 pm

    Thanks for your question Robert.

    In the screen shot above, I changed the “anonymous” to normal. It is also #9.

    Try that and see if it works 🙂

    Reply
    • Regina Smola says

      January 12, 2011 at 12:22 pm

      I noticed in your error, it says “Command: open “[email protected]” 2222″ which means even if you changed anonymous to normal, you have to reenter in your username and password. Filezilla can be a bit wonky.

      Reply
  2. Robert Nelson says

    January 12, 2011 at 11:54 am

    Hi
    Status: Connecting to robertnelsononline.com:2222…
    Response: fzSftp started
    Command: open “[email protected]” 2222
    Command: Pass: **************
    Error: Authentication failed.
    Error: Critical error
    Error: Could not connect to server
    I followed your procedure, even printed it out. The above is the result of trying to change to SFTP with Filezilla.. Nothing in the post about username, anonymous is filled in already, password is the usual * to hide what it really is

    Reply
  3. Robert Nelson says

    January 12, 2011 at 4:22 pm

    PLEASE NOTE
    After Step 9 and before clicking the “Connect” button please enter a user name & password (If you're adding SFTP it will be whatever your user name and password are). If this is a new install you will need to add a user name and password then click connect. For future sessions you will then have a my site button in the upper left hand portion of Filezilla which you will click with your mouse and it goes to your site. You are then more secure and eliminate 3 steps as you no longer need to enter your domain name, user name and password in order to FTP.

    Reply
  4. Michael Clark says

    January 15, 2011 at 10:39 am

    You do realize you massively mangled the description of the attack vector of using FTP? It has nothing to do with a “malicious hacker lurking on your server.” SFTP protects someone on the network (at your home or office, over the wireless connection, on the Internet, or at your web host) watching the traffic going across the network. SFTP encrypts the traffic so that a sniffer can’t see the username or password information on the network connection between you and your server. Even with SFTP, the data is still a regular text file once it arrives at the server. So if there is a “malicious hacker lurking on your server” you’ve still got problems and SFTP will not help you at all.

    Reply
    • Regina Smola says

      January 20, 2011 at 4:14 pm

      Hi Michael,

      Thanks for your comment. While I agree with you and will update my post per your comment, I have a very hard time explaining why to use SFTP in layman’s terms for beginners. Many are still trying to figure out “how to connect via SFTP” let alone why.

      I’m updating my post as follows:

      Use SFTP instead of FTP so that it eliminates the security concern of using FTP. Whereas SFTP encrypts both commands and data, which prevents passwords and sensitive information from being transmitted over the network in clear format.

      Reply
  5. Clever Dodo says

    June 16, 2011 at 3:02 am

    If you’re on a VPS, you’ll need to purchase an SSL certificate for that to work, right?

    Reply
    • Regina Smola says

      June 16, 2011 at 10:37 am

      No, you do not need an SSL certificate to connect via SFTP. Is ssh enabled on your hosting account?

      Reply
  6. mike says

    January 15, 2013 at 3:04 pm

    my server is set to sftp – but i can’t even upload images from within the cms now. any ideas how to make this possible?

    Reply
    • Regina Smola says

      January 15, 2013 at 6:57 pm

      Hi Mike,

      When you say you can’t upload from CMS what are you referring to?

      Reply
      • mike says

        January 15, 2013 at 6:59 pm

        You know, i got it fixed!

        The image uploader in wordpress wasn’t working, it seems to happen with installations on SFTP only servers. I needed to change the permissions set on the wp-content folder to 777. Thanks for the reply!

        Reply
        • Regina Smola says

          January 15, 2013 at 9:06 pm

          Hi Mike,

          SFTP has nothing to do with your wp-content directory permissions. For security, you should never set it higher than 755. If you can’t upload with server permissions being 755 then you need to change hosts.

          777 is dangerous and wide open to the internet. Please do not use that setting. Same goes for any files being set to 666. Files should be no higher than 644.

          Reply
          • mike says

            January 15, 2013 at 10:05 pm

            cool, set it to 777 then changed it back to 755. all secure!

  7. Violeta Leyva says

    April 24, 2015 at 7:55 pm

    Hi! I’ve recently moved my site into a VPS, I can connect through FileZilla with an SFTP connection, but my WordPress installation is showing an error when I try to update the plugins or WordPress itself, it says “To perform the requested action, WordPress needs to access your web server. Please enter your FTP credentials to proceed. If you do not remember your credentials, you should contact your web host.” and it suggests to connect through “FTPS (SSL)”. I used the same info I use in FileZilla, and it doesn’t work. I don’t have an SSL, I’m going to but I don’t currently have it. Can you help me? I’d really appreciate it.
    Thanks!!

    Reply
    • Michele Butcher says

      April 29, 2015 at 9:26 am

      Hi Violeta. Your issue has come from a misconfiguration in your VPS server. Please take a look at http://www.chrisabernethy.com/why-wordpress-asks-connection-info/ and it can explain it more for you. If you still have issues, you can always contact us here at to help you configure your server correctly.

      Reply

Copyright © 2025 | WP Security Lock, Inc