
SFTP

Secure File Transfer Protocol (SFTP) is a secure method for transferring files to and from your site. This guide will show you how to use SFTP on WordPress.com.

About SFTP

SFTP is a method to access the files and folders on a website via a client program, such as FileZilla, on your local computer. SFTP stands for Secure File Transfer Protocol (or SSH File Transfer Protocol). It was designed as an extension of the SSH (Secure Shell) protocol. It is “secure” because it runs over a secure channel, in this case SSH.

SFTP is not to be confused with FTP (File Transfer Protocol), which is similar but not secure.

You can test code and file changes first on a staging site.

Find Your SFTP/SSH Credentials

To access your site’s SFTP and SSH credentials, take the following steps:

  1. Visit your site’s dashboard.
  2. Navigate to Settings → Hosting Configuration.
  3. Under “SFTP/SSH credentials”, click the “Create credentials” button.

In a few moments, your site’s credentials will appear for both SFTP and SSH connections:

  • URL address
  • Port Number
  • Username
  • Password

Click the Copy button next to any value to copy it to your device’s clipboard.

The username and password are generated by the system automatically. These are unique to your site, so if you have multiple sites, you’ll use multiple usernames and passwords, one for each site, in your SFTP client.

Under “SSH Access” you can toggle on the “Enable SSH access to this site” option. A connection command will appear that can be copied and pasted into a terminal application.

For security reasons, we do not store your SFTP/SSH password. If you’ve forgotten your password, you can reset it by clicking the “Reset password” button that appears after you navigate away from the Configuration screen and back again.

Set Up a Client

An SFTP client is a tool that will accept your credentials and allow you to access your website’s files. There are many clients available. If you don’t have a preference, we recommend FileZilla. We have provided setup instructions below for several popular SFTP clients.

FileZilla

To access SFTP with FileZilla, take the following steps:

  1. Visit the FileZilla website to download FileZilla for Windows, macOS, or Linux.
  2. Open the program and navigate to File → Site Manager.
  3. Click the “New site” button.
  4. Set the ‘Protocol’ field to SFTP (SSH File Transfer Protocol), not FTP.
  5. Add the credentials (URL [in the Host field], Port, Username, and Password) you obtained earlier.
  6. Click the Connect button.

In the default FileZilla layout, you’ll see your local files on the left and your site’s files on the right.

Transmit

If you are using macOS, you can use the Transmit app on your computer. You can download the app directly from the app developer here: Transmit 5.

  1. Once the app is downloaded and installed properly on your computer, you should see a starter module.
  2. Make sure the ‘Protocol’ field is set to ‘SFTP.’
  3. Fill in the SFTP credentials (address, username, port, and password) in the available fields.
  4. Once done, click Connect.

Cyberduck

Cyberduck is available both on macOS and Windows. You can download the software/app from their website: cyberduck.io

  1. After installing, you will see a starting module.
  2. Click the Open Connection button on the top left.
  3. You should see the login popup that you can fill in with your SFTP credentials.
  4. Click the dropdown arrow next to the ‘FTP (File Transfer Protocol)’ option.
  5. Then choose the ‘SFTP (SSH File Transfer Protocol)’ option.
  6. Once you have done so, you should see the ‘Port’ area changed to 22. Fill the fields with the credentials available at Settings → Hosting Configuration in your WordPress.com dashboard.
  7. Click Connect.

Frequently Asked Questions

I uploaded a plugin/theme and can’t see it in my dashboard.

Make sure you’ve uploaded it to the correct folder. If plugins aren’t in /wp-content/plugins/ and themes aren’t in /wp-content/themes/, they won’t work.

I have modified my theme files, but my changes disappeared after the theme was updated.

This is expected if you have not used a child theme to make modifications, as any modifications will be overwritten by the new version of the theme. Please follow these instructions if you want to run your own customized themes.

I’ve added my site to my SFTP client, and it’s not working!

Make sure you’ve specified an SFTP connection in your client’s settings. If you use Quickconnect, make sure you prefix your SFTP address with sftp://.

I uploaded images/videos via SFTP, but they are not showing in my Media Library.

This is expected as WordPress does not recognize media files uploaded via SFTP. While they are accessible via the direct URL, these will not show inside the admin area. You can use plugins like Media Sync to resolve this, so images and videos uploaded to the site via SFTP will appear normally in your Media.

What file permissions should I set?

By default, your folders and file permissions should be set to 755. Changing these settings can break your site. You may also see that some symlinked files appear to have different permissions. This is normal and cannot be changed.

Can I edit my site’s wp-config.php file?

Yes, you can modify your site’s wp-config.php file. We recommend that you do not touch this file unless absolutely necessary. If you’re not sure if you should make changes, contact us before you make a change.

Can I edit functions.php?

For most WordPress.com-provided themes, the functions.php file is symlinked and protected. This means it cannot be edited. However, third-party and manually installed themes allow their functions.php to be changed.

Please keep in mind that editing or adding untested code to functions.php can crash your site, and changes are often lost when the theme is updated. We recommend using plugins such as Code Snippets if you want to apply any modifications to your site’s functions.php file. This plugin allows more control and granularity over where these snippets are run, and snippets in the plugin can be easily disabled if something does not go as expected.

Does content uploaded via SFTP count against my site’s storage limits?

Yes, the content you upload via SFTP counts against your site’s storage limits, similar to the content you upload via the Media Library.

Can I edit core WordPress files?

No, you cannot edit core WordPress files or the default WordPress.com themes and plugins. These files are essential to keep your site functional. They are not editable via SFTP.

I uploaded a plugin using SFTP, but I can’t activate it. What should I do?

While we try to ensure your site here at WordPress.com is compatible with as many plugins as possible, we’ve found that some plugins aren’t a good fit on our platform or are otherwise incompatible. Please make sure you haven’t uploaded an incompatible plugin.

I’m trying to upload a theme to my site, but it says it is too big. Can I upload it via SFTP?

Yes. While you’ll be able to upload a theme by going to Appearance → Themes → Add New, there’s a 50MB upload limit for security, as some themes may include other files that are not part of the theme itself.

The first step in these cases would be to double-check if you have the correct theme files. Themes from third-party vendors may include things inside their zip file, like demo content or license information. You’ll want to make sure you only upload the WordPress-installable theme files to your site.

If you’ve removed the extra files, but you’re still getting an error, you can use SFTP to add this theme to your site by unzipping it and placing it under the /wp-content/themes/ directory.
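The check described above can be scripted before you unzip anything. This is an added example, not WordPress.com code: it assumes the installable theme is the folder whose style.css carries a “Theme Name:” header, and the function names and the sample archive are constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

THEMES_DIR = "/wp-content/themes/"  # upload location named on this page


def inspect_theme_zip(data: bytes) -> dict:
    """Find the installable theme folder in a vendor zip and flag the rest."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
        # Entries that would land outside the extraction folder when unzipped.
        unsafe = [n for n in names if n.startswith("/") or "\\" in n
                  or ".." in PurePosixPath(n).parts]
        # Assumption: a theme root is a folder whose style.css has a
        # "Theme Name:" header near the top of the file.
        roots = []
        for n in names:
            if n in unsafe or PurePosixPath(n).name != "style.css":
                continue
            with zf.open(n) as fh:  # read only the header, not the whole file
                if b"Theme Name:" in fh.read(8192):
                    roots.append(PurePosixPath(n).parent)
    safe = [n for n in names if n not in unsafe]
    if not roots:
        return {"theme_root": None, "upload_to": None, "theme_files": [],
                "extra": safe, "unsafe": unsafe}
    root = min(roots, key=lambda p: len(p.parts))  # shallowest match wins
    prefix = "" if str(root) == "." else str(root) + "/"
    theme_files = [n for n in safe if n.startswith(prefix)]
    return {"theme_root": str(root),
            "upload_to": THEMES_DIR + root.name if root.name else None,
            "theme_files": theme_files,
            "extra": [n for n in safe if n not in theme_files],
            "unsafe": unsafe}


def build_sample_zip() -> bytes:
    """Constructed vendor package: one theme, two extras, one unsafe entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("vendor-pack/mytheme/style.css", "/*\nTheme Name: My Theme\n*/")
        zf.writestr("vendor-pack/mytheme/functions.php", "<?php // theme code")
        zf.writestr("vendor-pack/demo-content.xml", "<rss/>")
        zf.writestr("vendor-pack/license.txt", "license text")
        zf.writestr("../evil.php", "<?php")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_theme_zip(build_sample_zip()))
```

Upload only the files listed under theme_files, and treat any entry under unsafe as a reason to stop and ask the vendor for a clean package.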

Can I add custom PHP modules like ioncube?

No. While some plugins require custom PHP modules to be installed to function, this is set on the server side and cannot be changed. You can review our server environment details here.

Why can’t I access certain folders via SFTP?

Some directories of your file system structure are locked and cannot be accessed via SFTP. This is vital for security and helps ensure the functionality of your site.

The screenshot below shows that some core directories have a ? mark icon next to them. This denotes that the directory is part of your site’s core WordPress installation. These core files cannot be modified as they are required to ensure your site is functional.

[Screenshot: WordPress file structure with a few locked folders with labels like _wp_, advanced-cache.php, object-cache.php, and wp-load.php]

How do I grant my plugin or theme developer access to my site via SFTP?

If a plugin or theme developer requests access via SFTP, you can provide your SFTP credentials. Each site is limited to one SFTP user. When they no longer require access, make sure to reset the SFTP password.

What if something else goes wrong?

If something unwanted happens to your site as a result of actions in SFTP, you can restore a previous backup of your site.

Last updated: March 27, 2024