What The SFTP? Transfer Your Files Secure-ly!

You’ve just installed a brand new theme for your new site. You load it up and begin to admire it – it’s perfect! Except…what’s that weird orange tint on all of your photos?! How do you get rid of it? It’s time you unlocked the world of SFTP…

It’s often said that you can build sites on WordPress without ever touching a line of code.

This is absolutely true – however, it’s like owning a Ferrari and never going past the third gear.

I’m not saying you need to start building your own themes and creating new plugins to be able to get the most out of WordPress, just that developing the skills to at least make minor aesthetic changes to your site should be on most people’s to-do list.

Trust me – the sense of accomplishment you get from fixing that annoying layout issue on your site all by yourself is second to none.

But if you want to meddle with the files in order to make these kinds of changes, you need to know how to access them.

There are a couple of different ways you can do this, but in this article, we’re going to focus on SFTP (Secure File Transfer Protocol).

If you want to skip straight to the good stuff, here’s what we will be covering:

  1. What is Encryption?
  2. How Does SFTP Work?
  3. What is FTPS?
  4. How Do I Access My Files With SFTP?
  5. Which SFTP Client Should I Use?
  6. Accessing Files With FileZilla
  7. Accessing Files Through the Command Line

Cartoon of Devman putting chains and a padlock around a letter, about to post it.
If only Devman knew there was another way to securely send files…

One of the main benefits of using SFTP to transfer your files over other methods is that it encrypts your data.

Therefore, before we delve into how SFTP works, we must first understand the basics of encryption.

What is Encryption?

Encryption is a method of protecting data by converting it to code or ‘cipher’ that can only be solved by the people who have permission to view it.

Simple encryption could be in the form of the A1Z26 cipher, which assigns each letter a numeric value based on its position in the alphabet (A = 1, B = 2), so the word ‘PASSWORD’, for example, would be converted to 16;1;19;19;23;15;18;4.

This is a very simple cipher, and it wouldn’t take a rocket scientist to crack the code.

With the help of computers, files can be encrypted in virtually uncrackable ways, as machines are able to generate complex, random encryptions that no amount of guesswork would be able to solve.

The recipient possesses the ‘key’, which unscrambles the code and allows them to read it.

A hacker’s goal would be to gain access to plain text data, i.e. data that hasn’t been encrypted.

If a hacker manages to get their hands on ciphertext (encrypted data) the chances of them being able to decode it and view the information it contains are virtually zero, which is why encryption is so widely used.

Take Passwords For Example

Any website which stores user information should encrypt it in case of a breach.

When you log into WordPress, you input your password, which could be something as simple as ‘Lilac12’. However, WordPress would encrypt it before storing it in the database, so at their end it could look as complex as ef9ded6169f538c36f9ad613806a7b99.

If a hacker breaches the WordPress database, they wouldn’t be able to access your account unless they were able to turn the code back into Lilac12 in order to log in.

In theory, the only person who truly knows your password is you!


So, back to SFTP – what is it, and how does it differ from FTP?

One of the main distinctions between SFTP and FTP (File Transfer Protocol) is that SFTP is secure whereas FTP is not (I know, who’d have guessed?!).

Let’s say I call you on the phone and we’re having a private conversation.

If someone manages to tap into the line, they hear us speaking English and they will know everything we discuss. This is FTP, as there is no encryption taking place.

If I call you on an encrypted line, all they hear is gibberish, so even if they managed to intercept the connection, it’s encrypted in a way that means they learn nothing from it and the content is useless to them. This is SFTP – the encryption of files protects your data in the event of an interception.

How Does SFTP Work?

You start the process by logging into an SFTP client to initiate the connection.

The details required include a username, password, host (your site’s URL), and port number, which can all be obtained through your hosting provider.

You can also generate keys that are swapped between the servers, but for the novice user, a username and password is definitely the right way to go.

Once you have authenticated your connection with either of these methods, the files are encrypted and sent to the recipient.

As the files can only be decrypted by the intended recipient, anyone who manages to intercept the connection will only have access to a bunch of jumbled, unreadable files.

So I Guess This Means No One Uses FTP Anymore?

Unfortunately, no, they still do.

FTP has been around a very long time – the specification for it was written before the internet was even invented!

Back then, it was assumed that internet activity wasn’t malicious, and therefore FTP wasn’t created with the need to protect files from various types of hacking methods.

The goal was simply to transfer files from one place to another.

These days, cybersecurity is a huge concern for companies and individuals everywhere, so protecting data should be at the forefront of everyone’s mind when transferring files.

Despite the fact that SFTP is now in existence, millions of people and businesses around the world still use FTP, although some sources suggest that it is dying a slow death.

If you’re not sending confidential or valuable data, it can be easy to think that FTP will be fine in this instance, as no harm would come from anyone having access to this particular set of files.

Whilst this may technically be true, businesses would always be advised to use a secure method when transferring files regardless of the content.

Luckily, there are tons of regulations in place which prevent businesses from taking risks like this, so the bottom line is SFTP over FTP every time!

What About FTPS – Where Does That Come Into It?

With so many acronyms all containing the same few letters, it’s extremely easy to get confused.

So, before we get any deeper, let’s clear up the difference between everything we’ve learnt thus far and the next arrival to the data transfer party – FTPS.

The FTP part of FTPS is indeed the same FTP that we’ve already met – a way to transfer files over the internet, but without the added security that SFTP offers via encryption.

FTPS however, is something slightly different.

Whilst SFTP pairs FTP with an SSH connection in order to securely transfer files, FTPS works with SSL to keep your files safe.

“What Is SSL?!” I Hear You Cry

SSL puts the S in HTTPS – it stands for Secure Sockets Layer and is what differentiates a secure site (HTTPS) from an unsecure one (HTTP).

To do this, your browser binds to the website forming a secure connection which is extremely difficult to penetrate.

This is done with the help of an SSL certificate. The browser connects to the website’s server, checks if it has an SSL certificate and if it does and the browser can authenticate it, it forms a binding connection which allows you to safely transfer information.

How Can I Access My Files Using SFTP?

So now that we’re better versed in the terminology, how do we put this into practice and access our WordPress files?

There are a couple of different ways you can do this.

Some hosting providers supply a platform for you to directly access your files, such as cPanel. However, if you don’t have access to anything similar, you can use a plugin, the command terminal, or an SFTP client.

A plugin File Manager allows you to copy and amend your files, however, we wouldn’t recommend this method.

This is because if you change something in your site’s files, one simple syntax error could mean your whole site crashes and you are unable to even get to the dashboard.

If this is a mistake you have made using a plugin, you won’t even be able to get back into the plugin to fix the issue – it’s so much safer to use an external source such as an SFTP client so that you can get straight back in and correct the issue.

So now we’ve settled on SFTP, which client should we use?

Choosing an SFTP Client

There are a number of SFTP clients that you can use to access your files, and most are free.

Popular choices are WinSCP, Cyberduck and FileZilla.

For basic users, all that really differs are the interfaces, so we’ll take a quick look at these three below.

First up, Cyberduck!


Not all SFTP clients are a great fit for Mac users, but Cyberduck is one of the exceptions.

Screenshot of Cyberduck showing the layout of the folders and files
Cyberduck seems to have its ducks in a row.

It has a Mac-like aesthetic which is very beginner-friendly and supports a wide range of servers, so is a good choice for anyone looking to venture into the world of SFTP.


With 132 million downloads in the bag, WinSCP is also a great choice for your SFTP needs.

Screenshot showing the folder and file layout of WinSCP.
Ahh the good ol’ yellow folders we all know and love.

It’s only available for Windows, so it’s designed in a way that makes it quick and simple for Windows users to navigate, i.e. with lots of well-organized, yellow folders.

Like Cyberduck, it’s also completely free to use and you can easily access your files and make changes to your WordPress files using this client.


One of the most popular by far is FileZilla – it’s completely cross-platform (even Linux) and again, free.

Screenshot showing the folder and file layout of Filezilla.
FileZilla has been a solid choice for SFTP since its creation in 2001.

Below I will take you through how to use FileZilla to download copies of your files from WPMU DEV’s servers.

Not a WPMU DEV Member?

This quick tutorial should give you a good idea of what you would need to do to access your files from any hosting provider.

Orrrrrr, you could just take a look at all the awesome goodness included with our membership, take the plunge and host a site or two on our servers.

Using FileZilla To Access Your Files

First of all, let’s download FileZilla – just head to their site and get it installed.

You can now choose whether to keep reading, or follow our quick video tutorial.



In order to start the connection, you’ll need to enter your credentials as mentioned above.

To create these, you need to go to our website and into the hosting section of the hub.

You will find your sites in a list – just choose the one you want and click on ‘manage’ which will take you to the back-end of your WordPress site.

The section of the hub where you can click to manage your site preferences.
Click on the black arrow to display the ‘Manage’ button.
The section of the hub where you can make various changes to your site.
From here, click SFTP/SSH.

This will take you to the account creation screen.

The screen where you can click to add either an SSH or SFTP user.
Click ‘Add User’ and then ‘Add SFTP User’.

Here you need to choose a username and password:

The screen from which you can create SFTP credentials by entering a username and password.
You’re provided with a randomly generated password, but feel free to change it.

Your password needs to be a series of letters and numbers – and a pretty long one at that!

If your password isn’t long enough, you won’t be able to continue – what’s the point in using a secure method of file transfer if your password is simple enough to guess?!

Now you’ve created your credentials, it’s time to head back to FileZilla to set up the connection.

The host is your website address, so enter that along with your username and password that you’ve just created within your hosting hub, and the port number, which is 22.

Click ‘Quickconnect’ and voila! You now have access to all of your WordPress files.

The screen where you input your credentials to connect to the host server.
You can save your site information for quicker connection by heading to File>Site Manager.


The list of files within FileZilla when you first connect to the server.
Just make sure you do your research before you jump in and start editing!

All you need to do now is right-click on the file you want to open and select “View/Edit”.

This will then open the file in your text editor.

Showing the opened style.css file inside the Notepad++ text editor application.
Your file will open in the text editor (I’m using Notepad++).

You can make the changes you need and then reupload the file back to the host server.

The pop-up which asks if you want to upload the file back to the server.
Once you click ‘Yes’, the changes will appear live on your site.

And it’s as simple as that!

The hard part is knowing what to do once you have the files within your reach.

There are tons of CSS tutorials online – check out our handy guide packed full of links to awesome resources if you’re hoping to jump into the world of web development languages, or if you just need a refresher. Also, here is another handy dandy tutorial on setting file permissions that you may find useful when working with files on your server.

Ready To Step It Up A Notch?

Another way to access your files is through the command line/terminal.

Be warned – if you have no idea what you’re doing with the command line, then I would strongly advise that you go away, do a bit of research and come back when you’re confident you’re not going to break your site!

I am simply here to show you how to access it via our hosting – what you do with that power is entirely up to you!

Unlike many hosting companies, for an added layer of security, websites hosted on our servers have one set of credentials for SFTP and one for SSH.

If all you want to do is download, make changes to your files and then reupload them, you can do this through SFTP.

If you want to do the more admin-y things such as add users or change settings, you will need to access the server via SSH instead.

It is a very similar process, however, you would need to head back over to the hosting hub and create an SSH user in the same way you did an SFTP one.

As before with FileZilla, using SFTP through the command line opens up a secure connection that allows files to be transferred over the internet.

If you’re on a Windows machine, you simply open up the command line by hitting Win+R and then typing in “cmd”. If you’re on Mac, head to ‘Terminal’ in your applications.


The screen you are greeted with when you open up the command line in Windows.
This is the screen that will appear on a Windows operating system.

You then need to establish the connection to your site by typing in the following:

sftp (your sftp username)@(your website address)

So in this example, mine would be sftp kirstan@kirstan.wpmudev.host

This is telling the server that I want to log in via SFTP with the account name ‘kirstan’ into my kirstan.wpmudev.host website.

It will then ask for your password – once you have entered this, you will have remote access to your files.

Credentials entered into the command line.
If you need to paste your password in, just right-click and hit enter.

Right, so we’re in!!

Now we can download copies of our WordPress files by simply inputting a few commands and hitting enter each time.

First, we type in “ls” so that we’re navigating within the server rather than our local machine.

The command line with the command 'ls' typed in to display the current folder.
This will firstly display the “site” folder, which is the one that contains all of your WordPress files.

Then you can navigate around the folders by using the “ls” command which will show you the list of folders and documents inside the folder you’re currently in, and “cd” which will take you to the folder you specify.

Let’s take a quick look below:

The next screen of the command line where you can see all folders and files inside the public_html folder.
It looks more daunting than it is – promise!

I am now inside the public_html folder and as you can see from above, I navigated here by typing in “cd site”, using “ls” to check the names of the folders and then typing “cd public_html”.

Each time you input a command, remember to hit enter so that it can be processed!

Your WordPress files are always organized in the same series of folders and subfolders no matter which method you choose to access them.

If I wanted to download my theme’s stylesheet, I would head into wp-content > themes > twentynineteen.

I navigated to the theme’s files by using the “ls” and “cd” commands, and now I’m ready to download the file I need.

Inside the Twenty Nineteen theme’s folder showing the list of files.
If you want to retrieve a file, you type “get” followed by the name of the file, and to upload, just replace “get” with “put”.

I typed “get style.css” and was able to easily download a copy of the file directly to my downloads folder:

The screen from where I downloaded the style.css file.
I can then edit it and use the “put” command to send it back to the server.

Once you’ve learned the list of commands, you’ll be able to navigate your way through your WordPress site this way like it’s second nature.

If this is something you fancy getting to grips with, you can check out this ‘cheat sheet’ of some of the most frequently used SFTP commands.
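
As an added example (not part of the original article or of WPMU DEV's tooling), here is the same get, edit and put session written as a script around sftp's batch mode, with a backup copy kept before you edit. It assumes key-based login for the SFTP user and a server host key already saved in known_hosts, since batch mode cannot stop to ask for a password; the function names, the script name wp-edit.sh and the Downloads folder are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: the interactive session
# above as an sftp batch job. Assumptions (not from the article): key-based
# login is set up for the SFTP user, and the server's host key is already in
# ~/.ssh/known_hosts. "sftp -b" cannot prompt for a password or a host key.

THEMES_DIR="site/public_html/wp-content/themes"   # path walked with cd above

# Accept plain names only, so a space, slash or newline in a theme or file
# name cannot smuggle an extra command into the batch file.
safe_name() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Print the batch commands. $1 = get|put, $2 = theme, $3 = file, $4 = local dir
write_batch() {
    case "$1" in get|put) ;; *) return 1 ;; esac
    safe_name "$2" && safe_name "$3" || return 1
    cat <<EOF
lcd "$4"
cd $THEMES_DIR/$2
$1 $3
bye
EOF
}

# Run one transfer. $1 = get|put, $2 = user@host, $3 = theme, $4 = file, $5 = dir
run_batch() {
    batch=$(mktemp) || return 1
    if write_batch "$1" "$3" "$4" "$5" > "$batch"; then
        sftp -b "$batch" "$2"; rc=$?   # sftp stops at the first failed command
    else
        rc=1
    fi
    rm -f "$batch"
    return "$rc"
}

# Download, then keep an untouched copy so a bad edit can be rolled back by
# copying FILE.orig over FILE and running push_edit again.
# Arguments for both: user@host, theme, file, local dir
fetch_for_edit() { run_batch get "$@" && cp -p "$4/$3" "$4/$3.orig"; }
push_edit()      { run_batch put "$@"; }

# Usage: sh wp-edit.sh fetch|push user@host   (file and folder as in the article)
case "${1:-}" in
    fetch) fetch_for_edit "$2" twentynineteen style.css "$HOME/Downloads" ;;
    push)  push_edit      "$2" twentynineteen style.css "$HOME/Downloads" ;;
esac
```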

Congratulations – You’ve Just Unlocked The Next Level of WordPress!

Now that you know how to get your hands on your files, you can start to think about what you’ll do with this new power.

If you fancy unleashing your imagination and customizing your perfect theme or you just want to find out a bit more about how the PHP behind WordPress really works, check out these recommended WordPress developer courses.

Or, if you’re the type of person that likes to ‘get stuck into it boots and all’ and try things out for yourself, sign up for our no-risk membership free trial and check out our secure file transfer tools and more in the [humblebrag alert!] best managed WordPress hosting on the planet.

Which way do you prefer to access your files? Do you think it's time for FTP to become obsolete? Let us know in the comments!

Kirstan Norman

Kirstan is a digital marketer from Yorkshire, England... She formerly wrote for the WPMU DEV blog on anything and everything WordPress, and provided copy for other areas of the website and business.