
Moving files to and from your website shouldn’t be a headache. If you manage a WordPress site, you’ll likely use FTP or SFTP to upload content, update themes and plugins, or download backups. Here’s how to do it safely, without the jargon.
What’s going on
FTP (File Transfer Protocol) is the older, basic way to move files between your computer and your web server. It works, but it sends your login and data in plain text — like sending a postcard.
SFTP (Secure File Transfer Protocol) does the same job but encrypts everything using SSH — more like a sealed, tamper-evident envelope. For modern websites and teams, SFTP is the sensible default for WordPress security and malware protection.
Key differences at a glance
- Security: FTP is unencrypted; SFTP encrypts logins and files in transit.
- Ports: FTP usually uses 21; SFTP uses 22.
- Set-up: Both feel similar in an FTP client, but SFTP keeps your data private over office, home or public Wi-Fi.
Note: You may also see FTPS (FTP over TLS). That adds encryption to FTP. If in doubt, choose SFTP — it’s widely supported and straightforward.
Connect the safe way (use SFTP)
- Install an FTP client: e.g. FileZilla.
- Enter your details:
  - Hostname — your server’s IP or domain (e.g. example.com).
  - Username — your SFTP user.
  - Password — or SSH key, if configured (more secure).
  - Port — 22 for SFTP (avoid 21/FTP).
- Transfer files: you’ll see local files on one side and server files on the other. Drag and drop to upload, download or replace items.
Helpful settings that save time
- Default directory: set your login to land in your site’s root (often public_html or htdocs) so you’re always in the right place.
- Passive mode: makes connections work better through firewalls. Most clients enable this automatically; turn it on if you struggle to connect.
- Connection limits: limit simultaneous transfers so you don’t overwhelm the server during big uploads.
Common hiccups and quick fixes
- Large upload dropped? Use the client’s Resume option rather than restarting.
- Timeouts? Some servers disconnect idle sessions. Enable a Keep Alive setting in your client.
- Permission denied? Your user may not have rights for that folder. Ask your host to adjust permissions or provide the correct SFTP user.
Why this matters for your business
- Security & compliance: encrypted transfers reduce the risk of credential theft and data exposure — important for GDPR and customer trust.
- SEO & reputation: avoiding compromised uploads helps prevent injected malware that can tank search rankings and conversions.
- Operational calm: fewer connection issues mean smoother website maintenance and faster changes.
Prevention and resolution: practical steps
- Disable plain FTP at your host; allow only SFTP.
- Use strong, unique passwords or, better, SSH keys.
- Limit access: create per-person SFTP accounts with only the folders they need.
- Back up regularly so you can roll back quickly if something goes wrong.
- Add a web application firewall (WAF) and security monitoring to block attacks and spot anomalies early.
- Keep WordPress, plugins and themes updated with managed updates to reduce vulnerabilities.
- If you suspect malware, pause logins, restore a clean backup, and arrange prompt malware removal.
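To confirm the first step above (plain FTP disabled, SFTP only), you can check what your own server answers with on ports 21 and 22. The script below is an added example, not part of the original article or any host's tooling; the function names and the sample banners are constructed for illustration.

```python
import socket
import sys

def classify_banner(banner):
    """Name the service from the greeting bytes a server sends on connect."""
    text = banner.decode("ascii", errors="replace").strip()
    if text.startswith("SSH-"):            # SSH identification string (RFC 4253)
        return "ssh"
    if text[:3] in ("220", "120", "421"):  # FTP greeting reply codes (RFC 959)
        return "ftp"
    return "unknown" if text else "silent"

def probe(host, port, timeout=5.0):
    """Return the greeting bytes, b"" if none arrived, None if unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            try:
                return conn.recv(256)
            except socket.timeout:
                return b""
    except OSError:
        return None

def audit(host, probe_fn=probe):
    """List findings for a host; an empty list means only SFTP is offered."""
    findings = []
    ftp = probe_fn(host, 21)
    if ftp is not None:
        kind = classify_banner(ftp)
        if kind == "ftp":
            # The greeting alone cannot show whether TLS (FTPS) is enforced.
            findings.append("FAIL port 21: an FTP service is still answering")
        else:
            findings.append("WARN port 21: open, service " + kind)
    ssh = probe_fn(host, 22)
    if ssh is None:
        findings.append("FAIL port 22: closed, SFTP is unavailable")
    elif classify_banner(ssh) != "ssh":
        findings.append("FAIL port 22: open but not speaking SSH")
    return findings

if __name__ == "__main__":
    # Offline demo with constructed banners; pass your hostname to probe it.
    sample = {21: b"220 FTP server ready\r\n", 22: b"SSH-2.0-ExampleSSH_1.0\r\n"}
    live = len(sys.argv) > 1
    fn = probe if live else (lambda host, port: sample[port])
    for line in audit(sys.argv[1] if live else "constructed-sample", fn) or ["OK: SFTP only"]:
        print(line)
```

Run it with your site's hostname as the only argument. If your host runs SFTP on a non-standard port, port 22 will report as closed even though SFTP works.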
How matm can help
- Managed WordPress, plugin & theme updates to keep your site protected and performant.
- Security monitoring and WAF setup for proactive defence.
- Regular backups & fast site recovery for business continuity.
- Malware removal and emergency response if the worst happens.
Want friendly, plain-English support for secure file transfers and wider WordPress security? Email [email protected] or call 01952 883 526.
Attribution: Based on research by Sucuri.


