Understanding SFTP (SSH File Transfer Protocol) might sound technical, but it’s a straightforward and powerful tool. It’s the digital equivalent of having a secure, armored truck to move your valuable files, rather than just sending them through the mail. This guide will walk you through everything you need to know, from the basic concepts to advanced troubleshooting, all in the active voice and plain English.

Key Takeaways

  • Always Use SFTP, Not FTP: SFTP (SSH File Transfer Protocol) is secure and encrypts your data and credentials. FTP is an outdated, insecure protocol that sends information in plain text.
  • Find Credentials in Your Host’s Dashboard: You need four pieces of information: Host, Username, Password, and Port (usually 22 for SFTP). Integrated platforms like Elementor Hosting provide these details clearly in your “My Elementor” account.
  • Use a Client: You need an SFTP client (software) on your computer to connect. FileZilla and Cyberduck are the most popular, free options.
  • Master the WordPress File Structure: Most of your work will happen in the /wp-content/ folder, which contains your /plugins/, /themes/, and /uploads/ directories.
  • A “Must-Have” Troubleshooting Skill: SFTP is the best way to fix the “white screen of death” by manually disabling plugins or themes when you’re locked out of your site.
  • Secure Your Connection: Using SSH keys instead of a password is the most secure method. At a minimum, always use a strong, unique password for your SFTP account.

What is SFTP and Why Do You Need It?

Let’s start with the basics. SFTP gives you a window into your website’s live file system on the server. Think of your WordPress admin dashboard as the “front office” of your business. SFTP is the secure key to the “back office” or the stockroom, where everything is actually stored.

A web-based file manager, like those found in some hosting panels, is like a small window into that stockroom. SFTP, on the other hand, is like opening the main loading dock doors. It lets you move large items, bulk items, and sensitive items securely and efficiently.

SFTP vs. FTP vs. FTPS: Understanding the Key Differences

You’ll see these three acronyms, and it’s vital you know the difference.

  • FTP (File Transfer Protocol): This is the original, old-school method. Its major, critical flaw is that it is unencrypted. It sends your username, password, and all your data in plain text. Anyone “listening” on the network can steal your credentials and gain full access to your site. You should never use it.
  • FTPS (FTP over SSL): This was an attempt to fix FTP by wrapping it in the same kind of security (SSL) that https:// websites use. It’s more secure than FTP but can be buggy, complex to configure, and still uses an outdated underlying structure.
  • SFTP (SSH File Transfer Protocol): This is the modern professional standard. Despite the similar name, it is a completely different protocol. It doesn’t use FTP at all. Instead, it runs over the SSH (Secure Shell) protocol, the same high-security channel system administrators use to manage servers.

With SFTP, your connection is authenticated, and all data, including your password, is encrypted from the moment you connect. It’s reliable, secure, and runs on a single port (usually 22), which makes it easy to manage.

Why SFTP is the Professional Standard for Web Creators

So, why bother with SFTP when you have a WordPress dashboard? Because the dashboard has limits.

  1. Security: As mentioned, SFTP encrypts your credentials and data. This protects you from hackers and ensures your site’s files can’t be intercepted or altered in transit.
  2. Troubleshooting: This is the big one. What happens when you install a plugin and it crashes your entire site, giving you the “White Screen of Death”? You can’t log in to your admin dashboard to fix it. SFTP is your lifeline. You can log in, navigate to the plugins folder, and rename the problem plugin’s folder, instantly disabling it and bringing your site back online.
  3. File Management: The WordPress Media Library is great for one-off image uploads. What if you need to upload a folder with 500 images? Or download your entire theme folder as a backup? SFTP is built for this. It handles bulk file transfers (uploads and downloads) with ease.
  4. Access to Core Files: Some critical files are hidden from the WordPress admin for security. To edit your .htaccess file for advanced redirects or your wp-config.php file to change database settings, you must use SFTP.
  5. Uploading Verification Files: Services like Google Search Console sometimes ask you to prove ownership by uploading a specific HTML file to your site’s root directory. SFTP is the easiest way to do this.

Common Scenarios for Using SFTP

As a web creator, you will eventually find yourself needing SFTP for these tasks:

  • Bulk uploading a premium theme or plugin instead of using the WordPress uploader.
  • Troubleshooting a crashed site by disabling plugins or themes.
  • Editing your wp-config.php file to enable debug mode.
  • Modifying your .htaccess file to implement custom redirect rules.
  • Downloading your entire /wp-content/ folder as part of a manual backup.
  • Manually deleting a plugin or theme that is failing to delete from the admin.
  • Checking and modifying file permissions for security.
  • Uploading a favicon.ico or robots.txt file to your root directory.

Before You Connect: Gathering Your SFTP Credentials

To use SFTP, you need to authenticate with your server. This requires four key pieces of information.

What You’ll Need: The Four Key Pieces of Information

  1. Host (or Server/IP Address): This is the address of your server. It often looks like sftp.yourdomain.com or a direct IP address like 192.168.1.100.
  2. Username: The specific username for SFTP/SSH access. This is not usually your WordPress admin username.
  3. Password: The password associated with that SFTP username. (We’ll discuss the more secure alternative, SSH Keys, later).
  4. Port: The “door” the server uses to listen for SFTP connections. For SFTP, this is almost always 22. If you see port 21, that’s for insecure FTP.

How to Find Your SFTP Credentials

This is the most common hurdle for new users. The location of these details depends entirely on your hosting provider.

The Elementor Hosting Way (The Integrated Approach)

If you’re using a complete web creation platform, this process is much simpler. Elementor Hosting, for example, is designed to be an optimized and seamless foundation for your website. It provides a true SaaS-like experience without the compromises of a closed system.

This means you get a single, unified dashboard for managing your site, and finding your credentials is simple.

  1. Log in to your My Elementor account.
  2. Go to the Websites section.
  3. Find the site you want to manage and click “Manage this Website”.
  4. In your site’s dashboard, look for a tab or section named “SFTP/SSH” or “Site Details”.
  5. Your Host, Username, Port (22), and Password will be clearly listed. You can often one-click copy them.

This integrated approach is a huge time-saver. You don’t have to hunt through different panels or welcome emails. It’s all part of the “unified support” philosophy. You have one place to manage your builder and your hosting, which eliminates the “blame game” when you’re troubleshooting.

For a general overview of the Elementor Hosting dashboard, this video can be helpful:

And for a specific walkthrough on accessing your site’s files, Elementor has a great guide. While the title might say FTP, the video and recommended settings will guide you to use the secure SFTP protocol.

Finding Credentials on Other Hosting Platforms

If you’re not on an integrated platform, your experience will be a bit more fragmented. Here is where you would typically look, presented in a “dry,” factual manner.

  • In cPanel: Look for an icon named “FTP Accounts”. Inside, you can create new accounts and find the server/host details. Note: cPanel often pushes FTP/FTPS. You may need to look for a separate “SSH Access” icon to ensure you can connect via SFTP on port 22.
  • In Plesk: Look for “FTP Access” or “Web Hosting Access”. It functions similarly to cPanel.
  • Managed WordPress Hosts (Kinsta, WPEngine, Flywheel): These platforms operate more like Elementor Hosting. They will have a custom dashboard for your site. Look for a tab named “SFTP,” “SSH,” or “Site Info,” where your credentials will be listed.
  • Your Welcome Email: Almost every hosting provider sends a “Welcome Email” when you first sign up. This email is a goldmine of information and almost always contains your initial SFTP credentials.

A Note on SSH Keys vs. Passwords

A password is like a secret phrase. An SSH key is like a complex, unique physical key.

An SSH key pair consists of two files:

  1. Private Key: You keep this file (.pem or .ppk) on your computer. It’s your personal key and you must never share it.
  2. Public Key: You upload this file to your hosting account. It acts as the “lock” on the server.

When you connect, your SFTP client presents your private key. The server checks if it matches the public key on file. If it does, you’re in. No password is required.

This is vastly more secure than a password. A password can be guessed or “brute-forced.” A complex SSH key is practically impossible to guess. Many high-security hosts, including Elementor Hosting, support and encourage the use of SSH keys.

Choosing Your SFTP Client: The Best Tools for the Job

You cannot connect to SFTP using just your web browser. You need a dedicated “client” program that speaks the SFTP language. Here are the most popular, trusted clients.

FileZilla (Windows, Mac, Linux)

FileZilla is the most widely known and used SFTP client.

  • Pros: It’s 100% free, open-source, and available for all major operating systems. It’s powerful, reliable, and supports SFTP, FTPS, and SSH keys.
  • Cons: The interface can look a bit dated or “busy” to new users.
  • Important: Only download FileZilla from the official website (filezilla-project.org). Some third-party download sites have bundled it with unwanted software in the past.

Cyberduck (Windows, Mac)

Cyberduck is another fantastic, free client known for its clean, modern interface.

  • Pros: It has a very simple, user-friendly, and minimal design that many users prefer. It also integrates beautifully with cloud storage like Amazon S3 and Dropbox.
  • Cons: It may occasionally ask for a donation (it’s “donation-ware”).

Transmit (Mac Only)

If you are a Mac user and work with SFTP daily, Transmit is often considered the best tool available.

  • Pros: It’s incredibly fast, has a beautiful dual-pane interface, and is packed with professional features like folder syncing.
  • Cons: It’s premium, paid software.

For this guide, we’ll focus on FileZilla and Cyberduck as they are free and accessible to everyone.

Step-by-Step Guide: Using SFTP to Manage Your Website

Let’s get connected. We’ll walk through the process on both FileZilla and Cyberduck.

How to Connect with FileZilla

There are two ways to connect in FileZilla: Quickconnect and Site Manager.

Method 1: Quickconnect (The “Test” Method)

At the top of the FileZilla window, you’ll see the “Quickconnect” bar.

  1. Host: Enter your Host address here. To be 100% sure you’re using SFTP, you can prefix it with sftp://, like: sftp://192.168.1.100.
  2. Username: Enter your SFTP username.
  3. Password: Enter your SFTP password.
  4. Port: Enter 22.
  5. Click “Quickconnect”.

First Connection Warning: The very first time you connect, you will likely see a pop-up saying, “The server’s host key is unknown.” This is normal. Your client is just saying, “I’ve never met this server before. Should I trust it?” Check the box that says “Always trust this host” and click “OK”.

Method 2: Site Manager (The “Pro” Method)

The Quickconnect bar doesn’t save your settings. The “Site Manager” is the proper way to save your site connections for future use.

As web development expert Itamar Haim often states, “Using the Site Manager is a non-negotiable best practice. It not only saves your credentials securely but also ensures you’re using the correct protocol every time, preventing accidental insecure connections.”

  1. Go to File > Site Manager (or click the top-left icon that looks like a server).
  2. Click “New Site” and give your site a name (e.g., “My Business Site”).
  3. On the right-hand “General” tab, fill in the details:
    • Protocol: This is the most important step. Click the dropdown and select “SFTP – SSH File Transfer Protocol”.
    • Host: Enter your Host address.
    • Port: It should default to 22. If not, enter 22.
    • Logon Type: Choose “Ask for password” (most secure, you type it every time) or “Normal” (to save the password, less secure). If you use SSH keys, you’d select “Key file” here.
    • User: Enter your username.
  4. Click “Connect”.

Once connected, you’ll see your computer’s files (“Local site”) on the left and your server’s files (“Remote site”) on the right.

How to Connect with Cyberduck

Cyberduck is even simpler.

  1. Open Cyberduck and click the “Open Connection” button (top-left).
  2. A dialog box will appear. At the very top, click the dropdown menu.
  3. Select “SFTP (SSH File Transfer Protocol)”.
  4. Fill in the fields:
    • Server: Your Host address.
    • Port: 22
    • Username: Your SFTP username.
    • Password: Your SFTP password. (Or choose “Private Key” if you’re using SSH keys).
  5. Click “Connect”.
  6. You will get the same “Unknown host key” warning as in FileZilla. Click “Allow” or “Always” to trust the server.

Cyberduck opens a single browser-like window showing your server’s files. To upload or download, you just drag files between this window and your computer’s Finder or File Explorer.

Understanding the WordPress File Structure (What You’re Looking At)

Once you’re connected, you’ll see a folder structure. This is your WordPress site. It can look intimidating, but 99% of the time, you only care about one folder.

You’ll often land in your “root” directory. This might be named public_html, www, htdocs, or just your site’s name. This is the main folder for your website. Inside, you’ll see three key things:

  • /wp-admin/: This folder contains all the files for your WordPress admin dashboard. Don’t touch this folder.
  • /wp-includes/: This folder contains the core application files for WordPress. Don’t touch this folder.
  • /wp-content/: This is your folder. It contains all your user-generated content. This is where you’ll do all your work.

Inside /wp-content/

This is the folder you need to know.

  • /plugins/: Every plugin you install lives in its own sub-folder here. (This is key for troubleshooting).
  • /themes/: Your theme files are here. When you use a theme like Elementor’s Hello Theme, its files will be in a folder called /hello-theme/.
  • /uploads/: Your Media Library. When you upload an image, WordPress sorts it into folders here, usually by year and month (e.g., /uploads/2025/10/).

Key Root Files

Back in the main root directory, there are two files you may need to edit carefully:

  • wp-config.php: This is the heart of your site. It tells WordPress how to connect to your database and contains your site’s unique security keys. You might edit this to enable debugging or change database details. Always download a backup before editing.
  • .htaccess: This is a powerful server configuration file. WordPress uses it to create your “pretty” permalinks (e.g., yourdomain.com/about-us). You might edit this to add security rules or custom redirects. Always download a backup before editing.

Common SFTP Operations for WordPress Management

Now that you’re in, let’s perform the most common tasks.

How to Upload Files and Folders (e.g., a New Plugin)

Sometimes, a large plugin (like Elementor Pro) might fail to upload through the WordPress admin due to server file size limits. SFTP bypasses this.

  1. Local: Download the plugin .zip file from the developer.
  2. Local: Unzip the file on your computer. You should now have a folder (e.g., /elementor-pro/).
  3. SFTP Client: On the “Remote site” pane, navigate to /wp-content/plugins/.
  4. SFTP Client: On the “Local site” pane, find the unzipped plugin folder.
  5. Action: Drag the entire folder from your local side to the remote side.
  6. WordPress: Once the upload is complete, go to your WordPress admin > Plugins. You will see the new plugin in the list, ready to be “Activated”.

How to Download Files (e.g., Backing Up Your Theme)

Before you edit your theme’s functions.php file, you should always make a backup.

  1. Local: Create a folder on your computer called “Site Backups”.
  2. SFTP Client: On the “Remote site” pane, navigate to /wp-content/themes/.
  3. SFTP Client: On the “Local site” pane, navigate to your “Site Backups” folder.
  4. Action: Find your active theme’s folder (e.g., /hello-theme/) on the remote side and drag it to your local side.

You now have a complete, safe copy of your theme.

The “White Screen of Death” Fix: Manually Disabling Plugins

This is the most valuable SFTP skill you will ever learn.

Problem: You update a plugin, and your entire site (admin and front-end) goes to a blank white screen. You are completely locked out.

Solution:

  1. Connect to your server with your SFTP client.
  2. Navigate to the remote site’s /wp-content/ folder.
  3. Find the folder named /plugins/.
  4. Right-click on the /plugins/ folder and select “Rename”.
  5. Rename it to plugins_disabled.

This action instantly deactivates all plugins on your site.

  1. Now, try to load your website’s login page (/wp-admin/). It should load. Log in.
  2. Once you are logged in, go back to your SFTP client.
  3. Rename plugins_disabled back to plugins.
  4. Go to your WordPress admin Plugins page. You will see a notice that all plugins were deactivated.
  5. Do not reactivate them all at once. Activate them one by one, reloading your site after each one.
  6. When your site breaks again, you’ve found the culprit. It’s the last plugin you activated.
  7. Go back to SFTP, navigate to /wp-content/plugins/, and delete or rename that specific plugin’s folder.

How to Edit a File (e.g., .htaccess)

Warning: Editing core files is dangerous. One typo can take down your site. Always back up the file first.

  1. Backup: In your SFTP client, find the file (e.g., .htaccess). Drag it from the remote side to your local side to make a backup copy.
  2. Edit: Right-click the remote .htaccess file and select “View/Edit”.
  3. This will download the file and open it in your computer’s default text editor (like Notepad or TextEdit).
  4. Make your changes. For example, add a redirect rule.
  5. Save the file in your text editor and close it.
  6. Your SFTP client (FileZilla or Cyberduck) will detect that the file has changed.
  7. It will pop up a message: “A file previously opened has been changed. Upload this file back to the server?”
  8. Click “Yes”.

The new, edited version is now live. Immediately reload your website to ensure you didn’t break anything.

How to Set File Permissions

File permissions tell the server who can Read, Write, or Execute a file. Incorrect permissions are a major security hole.

  • A folder is like a room. “Execute” lets you enter it. “Read” lets you see the list of files inside. “Write” lets you add/delete files in it.
  • A file is like a book. “Read” lets you open it. “Write” lets you change its contents.

Permissions are shown as a 3-digit number (e.g., 755).

  • Good Permissions:
    • Folders: 755. (Owner can do everything. Others can read and enter).
    • Files: 644. (Owner can read/write. Others can only read).
  • Secure Permissions:
    • wp-config.php: 600 or 444. (Only the Owner can read/write, or even just read. This is your most sensitive file).
  • Bad Permissions:
    • 777: NEVER USE 777. This gives everyone permission to do anything, including letting a hacker upload a malicious script.

How to Change Permissions:

In your SFTP client, right-click any file or folder and select “File Permissions…” (FileZilla) or “Info” (Cyberduck). A dialog will let you check boxes or type in the numeric value (e.g., 755).

Advanced SFTP: Security and Efficiency Best Practices

You’ve mastered the basics. Now let’s make your workflow secure and efficient.

Securing Your SFTP Access

Your SFTP access is a main key to your website. Protect it.

  1. Use SSH Keys: As mentioned before, this is the #1 best practice. Ditch the password entirely. In FileZilla, you go to Edit > Settings > SFTP to add your private key. In Cyberduck, you simply choose “Private Key” from the “Open Connection” dialog.
  2. Use a Strong Password: If you absolutely must use a password, make it long, random, and unique. Use a password manager.
  3. IP Whitelisting: Many premium hosts allow you to create a “whitelist” of IP addresses that are allowed to connect via SFTP. If you have a static IP at your office or home, you can lock down SFTP access to only your computer.
  4. Use 2FA: Some hosts also support Two-Factor Authentication (2FA) for SSH/SFTP. This is an excellent security layer.

For more on website security, this is a great overview:

The Benefit of an Integrated Hosting Platform

Managing all these security layers (keys, IPs, firewalls) can be a full-time job. This is where the value of a complete platform becomes clear.

When your website builder and your hosting are part of one ecosystem, your security is streamlined. Elementor Hosting, for example, provides a secure, optimized environment right out of the box. It includes enterprise-grade firewalls, 24/7 security monitoring, and automated backups.

This means you don’t have to worry about configuring everything yourself. The platform is pre-hardened. When you use SFTP, you’re connecting to a server that is already being professionally managed and secured. This is especially critical for eCommerce Hosting, where you’re handling sensitive customer data.

This unified approach lets you focus on building your site, knowing the foundation is solid.

Troubleshooting Common SFTP Connection Issues

You’re going to hit an error eventually. Here are the most common ones and what they mean.

  • Error: “Connection timed out”
    • Meaning: Your client can’t find the server.
    • Fixes:
      1. Check your Host address. Is it spelled correctly?
      2. Check your Port. Are you using 22? (Using 21 will often time out).
      3. Check your local firewall. Your computer’s antivirus or firewall might be blocking the connection.
  • Error: “Authentication failed” or “Permission denied”
    • Meaning: You reached the server, but your login is wrong.
    • Fixes:
      1. Carefully re-type or copy/paste your Username and Password. Check for extra spaces.
      2. Are you using the right protocol? Make sure you selected SFTP and not FTP.
      3. If using an SSH key, make sure your client is pointing to the correct key file.
  • Error: “ECONNREFUSED – Connection refused by server”
    • Meaning: You reached the server, but it slammed the door on you.
    • Fixes:
      1. You are almost certainly using the wrong Port. Double-check it’s 22.
      2. Your IP address might be blocked by the server’s firewall. If you’ve had failed logins before, the server may have automatically banned you. You’ll need to contact your host’s support.
  • Warning: “Server’s host key is unknown”
    • Meaning: This is the normal, first-time connection warning.
    • Fix: Click “Always trust this host” and “OK”.
    • Security Note: If you see this warning again for a site you’ve connected to before, be cautious. It could mean the server was rebuilt (normal) or it could be a man-in-the-middle attack (rare, but serious).

Conclusion: Mastering Your Website’s Files

SFTP is not just a “developer” tool. It is an essential, fundamental skill for any serious WordPress web creator.

It’s your secure key to the back end of your website. It’s your ultimate troubleshooting lifeline when you’re locked out, and it’s the most efficient way to manage your site’s files. While the interface of a client like FileZilla or Cyberduck might seem new at first, the core operations of dragging and dropping files are simple and intuitive.

By taking the time to learn SFTP, you give yourself complete control over your web property. And by building on a solid, integrated foundation like Elementor’s complete platform, you ensure the server you’re connecting to is as secure and optimized as the tools you’re using to build.

SFTP Frequently Asked Questions (FAQ)

1. What’s the main difference between FTP and SFTP? The main difference is security. SFTP (SSH File Transfer Protocol) encrypts all data, including your username and password. FTP (File Transfer Protocol) sends everything in plain text, making it insecure and easy for hackers to steal your credentials.

2. What port does SFTP use? SFTP almost always uses port 22. This is the standard port for SSH (Secure Shell) connections. FTP uses port 21.

3. Can I use SFTP if I’m on Elementor Hosting? Yes, absolutely. Elementor Hosting provides full SFTP/SSH access. You can find your credentials in your My Elementor account dashboard under your site’s management area.

4. Is SFTP the same as SSH? They are related but not the same. SSH (Secure Shell) is the underlying protocol used to create a secure, encrypted connection to a server. SFTP is a protocol that runs on top of that SSH connection specifically for the purpose of transferring files.

5. My SFTP client is asking to “trust” a host key. What does this mean? This is a normal security check on your very first connection. Your client is just asking you to confirm that the server you’re connecting to is the one you intended. You can safely click “Yes” or “Always trust” if it’s your first time.

6. Why can’t I edit a file? It says “Permission denied.” This is a file permissions issue. The file you’re trying to edit likely has permissions set to 444 or 644, and your SFTP user doesn’t have “Write” permission. You can right-click the file, select “File Permissions,” and change them (e.g., to 664) to edit, but be sure to change them back for security.

7. What are the correct file permissions for WordPress? The standard, secure permissions are 755 for all folders and 644 for all files. Your wp-config.php file can be made even more secure with 600 or 444 permissions.

8. How do I get an SSH key? You generate an SSH key pair on your own computer. On Mac/Linux, you can use the ssh-keygen command in the Terminal. On Windows, you can use a tool called PuTTYgen. You then upload the generated public key to your hosting account.

9. Can I break my site using SFTP? Yes. You have full access, which means you have the power to delete critical files. Be very careful. Never delete files from the /wp-admin/ or /wp-includes/ folders. And always back up any file (like wp-config.php) before you edit it.

10. Is FileZilla safe to use? Yes, FileZilla is a safe, open-source, and trusted SFTP client, as long as you download it from the official source: filezilla-project.org.