ZeroToWP

SFTP

Quick Definition

SFTP (SSH File Transfer Protocol) is the secure way to transfer files between your computer and your WordPress server. Unlike FTP, SFTP encrypts everything — your password, your data, and your commands.


What Is SFTP?

SFTP (SSH File Transfer Protocol) is a network protocol for securely transferring files between your computer and a remote server. It was designed by the Internet Engineering Task Force (IETF) as an extension of SSH (Secure Shell) version 2.0.

The key difference from FTP: SFTP encrypts everything. Your username, password, and all file data are transmitted through an encrypted SSH tunnel. With standard FTP, all of this is sent in plain text — anyone monitoring the network can read it.

Important distinction: SFTP is not FTP running over SSH. It's a completely separate protocol designed from the ground up to be secure. There's also FTPS (FTP over TLS/SSL), which is yet another protocol. In practice, SFTP is the most widely supported secure option.

SFTP in Practice

SFTP uses port 22 (the same as SSH), while FTP uses port 21. To connect via SFTP, you need:

  1. An SFTP client: FileZilla supports both FTP and SFTP. Other options: WinSCP (Windows), Cyberduck (Mac), or Transmit (Mac).
  2. SFTP credentials from your host — hostname, username, password (or SSH key), and port 22

In FileZilla, select "SFTP - SSH File Transfer Protocol" from the Protocol dropdown. Everything else works the same as FTP — browse your server files, upload, download, edit.

SFTP vs. FTP vs. FTPS:

  • FTP — Port 21, unencrypted, insecure. Don't use it.
  • SFTP — Port 22, fully encrypted via SSH. Use this.
  • FTPS — Port 990 (implicit) or 21 (explicit), encrypted via TLS/SSL. Less common than SFTP.
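
To confirm that the host and port your provider gave you really speak SSH before you type a password, look at the greeting the server sends on connect. The Python sketch below is an added example, not code from this page or from any hosting provider; the sample greetings are constructed, and the names classify_banner, read_banner and the "ssh2" key are illustrative assumptions.

```python
import re
import socket

# RFC 4253 section 4.2: an SSH server identifies itself with
# "SSH-protoversion-softwareversion[ comments]" before any encryption starts.
SSH_ID = re.compile(r"^SSH-([^-\s]+)-(\S+)")
FTP_GREETING = re.compile(r"^220[ -]")  # RFC 959 "service ready" reply


def classify_banner(banner: bytes) -> dict:
    """Classify the first bytes a server sends once the TCP connection opens."""
    text = banner.decode("ascii", "replace")
    for line in text.splitlines():
        m = SSH_ID.match(line)
        if m:
            # "1.99" = SSH 2.0 server that also accepts legacy 1.x clients.
            return {"service": "ssh", "software": m.group(2),
                    "ssh2": m.group(1) in ("2.0", "1.99")}
        if FTP_GREETING.match(line):
            # Plain FTP control channel: USER/PASS would follow unencrypted
            # unless the client upgrades first (explicit FTPS).
            return {"service": "ftp", "software": line[4:].strip(),
                    "ssh2": False}
    # No greeting at all is what implicit FTPS looks like: the server waits
    # for the client's TLS handshake. Anything else is unrecognised.
    return {"service": "unknown" if banner else "silent",
            "software": "", "ssh2": False}


def read_banner(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Fetch the greeting from a live server (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            return sock.recv(256)
        except socket.timeout:
            return b""


# Constructed sample greetings, not captured from any real host.
SAMPLES = {
    "sftp": b"SSH-2.0-OpenSSH_9.6\r\n",
    "ftp": b"220 FTP server ready.\r\n",
    "implicit_ftps": b"",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_banner(raw))
```

Only a result with "ssh2" set to True means the endpoint offers the SSH 2.0 transport that SFTP runs on; a "220" greeting on that port means the client would be talking plain FTP.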

All reputable WordPress hosts support SFTP: SiteGround, Hostinger, Bluehost, Kinsta, Cloudways. Some (like SiteGround and Kinsta) also provide SSH access for command-line file management via WP-CLI.

Why It Matters

Using FTP instead of SFTP is like sending your house key on a postcard. Your hosting login credentials are the keys to your entire site — if someone intercepts them, they have full access. Always use SFTP. It's the same ease of use as FTP with the security your site deserves. See our security guide and file permissions guide for more.

Sources: Developer.WordPress.org, Developer.WordPress.org — WP_Filesystem_SSH2
