How to access WordPress Files

Last updated on June 15th, 2022 by Joel Farrugia. Filed under WordPress Security Tutorials & Tips

Featured image *Accessing WordPress files*

WordPress files and folders are the heart and soul of WordPress. Here you’ll find everything from the core code of WordPress to plugin and theme files, media, and everything in between. While you might need to access these files on a daily basis, knowing how to access and navigate the file hierarchy can come in handy when troubleshooting or carrying out WordPress security and hardening procedures.

There are several ways through which we can access WordPress files. The most common, however, is FTP, or rather one of its more secure siblings – FTPS or SFTP.

What is FTP?

FTP is a protocol for transferring files over a network. It was first introduced in April 1971, making it over 50 years old. While 50 years is a timespan that in IT borders infinity, FTP has not only withstood the test of time but continues to be one of the most used ways to transfer WordPress files.

How FTP works

FTP is used to transfer files between two hosts – the local host and the remote host. The local host is referred to as the client, while the remote host is the server. An FTP connection is established through an IP or DNS name and a username and password. It’s worth noting that there are some exceptions to this rule, which we will discuss shortly.

Am FTP connection consists of two channels. The first channel is called the command channel and is used to send and receive commands, while the second channel is called the data channel and is used for data transmission. As an FTP user uploading files, you will not see these two separate channels and, as such, do not have to worry about it. Nevertheless, it is interesting to know.

FTP vs SFTP

FTP is great, but it lacks security. As we said earlier, you do need a username and password to connect to FTP; however, the credentials and the data transfers are sent in clear text with no encryption at all. As mentioned earlier, some FTP connections do not even require a username and password to connect to. These are known as anonymous FTP.

FTP’s security woes are addressed through SFTP, which uses SSH, and FTPS, which uses SSL/TLS encryption. Out of all 3, SFTP is the most secure and commonly used.

How to setup FTP

If your website is hosted with a WordPress web hosting provider, you’re more than likely to have access to FTP. Most service providers use SFTP, although in some cases, you’ll also find hosting providers that offer FTPS. Whichever version of FTP your service provider uses, the process to connect and transfer files will be largely the same. It is highly unlikely that your hosting provider will use FTP or anonymous FTP.

To get started with FTP, you will first need to find your login details. These should include the IP or URI, username, and password.

Next, you will need to install an FTP client, which will allow you to connect to the FTP server and browse its folders. FileZilla is perhaps one of the most commonly used FTP clients out there and is pretty easy and straightforward to use. You will need to make sure you install the client version, since they also offer an FTP server version. Both are free and are available for systems running Windows, Mac OS X, and Linux.

If you’re hosting WordPress on your own servers, you will first need to install the FTP server. The process for this will vary according to the server’s Operating System and, if you’re running Linux, the distribution that you’re running.

How to navigate WordPress directory using FTP

Once the FTP client is installed, you will need to configure your login details and connect. Common login issues include using the wrong port and typos, so do be wary of that. Once you log in, you will see two directories – one is the FTP server and the other is your computer.

This makes it easy to locate and transfer files between the two machines. Either way, you’ll be able to find WordPress PHP files, security files such as .htaccess, and everything in between within the web directory on your server, which by default is the one on the right.

Pros and cons of FTP

While FTP is an aging technology, it is still by far one of the most widely used methods to access WordPress files. Even so, as FTP has withstood the test of time, one of the things that it has going for it is that it simply works. SFTP and FTPS address the security concerns of FTP, but even so, its age is starting to show and FTP clients do not have the fancy and easy-to-use interfaces that are prevalent in more modern technologies.

Other methods to consider when accessing the WordPress files

FTP is great, but there are other options available for connecting to a WordPress site. Which one you use will ultimately depend on your setup and what is available to you. Some of the available options are also more friendly towards users who are beginners, making them more accessible.

Tip: If you do not feel confident connecting to your live website’s FTP, you might want to try connecting to a test environment first. Many hosting providers include such test environments with hosting plans. Alternatively, you can set up your own virtual WordPress environment and use that instead. It might not be a super easy task to set up your own virtual environment from scratch, but the lessons you’ll learn along the way will be invaluable.

Local

You can access WordPress files locally by navigating to the web server’s directory if you’re physically at the machine. The exact location will differ depending on the Operating System and web server being used but can typically be accessed through the file explorer that comes with the operating system.

SSH

SSH is an acronym that stands for Secure Shell. While SSH has a few different implementations, we are interested in the remote command line. This allows us to access a WordPress server through an SSH client such as PuTTY. Windows also has a built-in SSH client; however, this is an optional feature that you must install separately.

CPanel

If your WordPress server has CPanel installed, you can access your WordPress files through the File Manager. Here you create, copy, and move files and folders and update permissions, among other actions.

Plugin

You can also use a WordPress plugin to access your WordPress files, with quite a few different ones available. Features tend to vary from one plugin to another and can include viewing and editing files and directories among other features.

To FTP or not to FTP?

Which method you use to access WordPress files will largely depend on what is available to you at any given time. FTP is quite widespread, with FTP smartphone apps making it possible to access WordPress files right from your phone. Of course, an FTP server needs to be configured on the machine that hosts WordPress; otherwise, you will not be able to connect.

Luckily, a few other solutions are available that can help you make sure you can access your WordPress files from virtually anywhere, regardless of your setup.

11 comments

Ezekiel Plenty 09/05/2012

Awsome post and straight to the point. I am not sure if this is really the best place to ask but do you people have any thoughts on where to hire some professional writers? Thanks 🙂

John Bonello 15/05/2012

Thanks for your feedback. Drop us an email on help@wpwhitesecurity.com and we will let you know. We tend to know some good copyright writer.

MMT 19/07/2012

Hi
I would like to upload a file in my web space and use it in my web site like the other web sites when I uploading my file in ftp I can’t download it I changed my file permission but it didn’t works
I really new in it could u please give me an step by step tutorial
please ….

John Bonello 19/07/2012

Hi MMT,

Unfortunately it is very difficult to know what is the problem off hand. If you would like, send us an email on help@wpwhitesecurity.com, explain the problem in detail, give us access and we will sort it out for you. Do not publish any connection details or passwords in this comments section.

Looking forward to hearing from you.

PHIL 20/02/2013

Hi after developing my wordpress website i gave it to my host who managed to upload it onto the web . However before she could upload it a deleted the file accidentally from the my local wamp server . and i have been uploading and making changes online but the site got hacked into since i had not made it secure according to my host and this is the message that the host sent to me via email and the reason why the site is not up and running currently .
Dear Client,

Your account afrisic is hosting the follwoing malicious files/scripts :

==============================================

{HEX}php.cmdshell.cih.215 : /home/afrisic/public_html/wp-content/plugins/empty-plugin-template/error.php

==============================================

This files are being abused by crackers/hackers to install malicious scripts on your account. Please note that our servers are up to date and monitored frequently against these hack/malicious attempts.
We have disabled the public_html folder for this account(s) temporarily to avoid any further exploits. This has been done for your own safety as well as to protect everyone else on the server and internet to make it a safe place for all.

We are disabling the web-access temporarily to avoid the following:

1- Suspending it blocks hackers from deleting all your files.

2- It prevents hackers from posting embarrassing index pages till you can completely secure your account.

3- It keeps hackers from stealing any further sensitive info such as logins, credit card numbers, etc. which may be in your files or databases.

4- If found quickly and rectified, it may keep your site’s reputation from being damaged in search engines.

We have disabled web access to your account so that further attacks stop and your data is secure while you work on it. You can still access the account using your control panel and FTP. We suggest you change your control panel password immediately. If you need web access to work on it, please provide us your IP address which you can find by visiting the page http://www.myipaddress.com so that we can enable web access for your local IP.

If you require a restore, please be aware that due to the amount of data we must store, our backups are rotated daily. It is imperative that you contact us immediately to request a restore of your files from backups. We can’t guarantee a backup will be available or that it will contain clean copies of your files but we will make every effort to find one prior to the date of infection for you. We can also help restore from your own backup file if you have one and you upload it to your home dir. We do recommend using the backup tool available in your control panel to always keep your own copies of your site on your own computer for safekeeping. To automate the task with a cron job, please see our forums.

When you are done changing your passwords, updating your scripts, cleaning up the files, etc. and feel the account is now secure, please let us know what you have done to correct the situation and ask for full web access to be restored. Please be reasonably sure as enabling it prior to it being fully secured can have major consequences and cause much more delay in getting back to internet life as usual.

We appreciate your cooperation. If you have any questions about securing particular popular scripts you are running, please feel free to ask.

Regards,
iSource Support

Robert Abela 20/02/2013

Hi Phil,

I am sorry to hear you are having problems with your website. We can look into your website and clean up the hacked files / malware which was injected on your website. Send us an email on support@wpwhitesecurity.com so we assist you. We will ask you for some details and once we have such details, such as FTP login and Hosting Provider CPanel access we will fix your website. Once your website is fixed, we will also send you a detailed report of all the changes we have done.

Apart from malware cleanup, we also secure WordPress. For more information about our services, refer to WordPress Security Services page.

Looking forward to hearing from you.

Kathleen 07/03/2013

I downloaded the filezilla program so that I could a child theme on my free WP twenty eleven theme. I know you’re going to laugh when I tell you what my problem is, but here goes…I don’t know what to put in the host, username, password and quickconnect fields. is this my WP username and password? No clue. Please help. 🙂

Robert Abela 07/03/2013

Hi Kathleen,

No problem. It is all explained in the article. The hostname can be the website URL (without http://). As regards the username and password in FTP, typically you can use the username and password provided by the hosting provider to be able to access the CPanel. Most of the time these work. In case they don’t, simply login to the CPanel and create a new FTP username and strong password to be able to access the website. If you need further assistance, feel free to drop me an email on robert@wpwhitesecurity.com.

Kathleen 15/03/2013

Robert,

Thanks for your help. I am still having problems with Filezilla. I will email you.

Kathleen

maris 12/03/2013

Hi,

I have an old laptop that broke and no longer have access to. I had initially set up 2 WordPress websites on that old laptop. I bought a new laptop but I have not updated either of my sites. I have installed on both blogs the database plugin and regular backup plugin. But how do I get those two blogs onto my new laptop?

Do I have to do ftp or can I just go into my dashboard and transfer everything? I have Hostgator and the videos they directed me to don’t seem to help much.

So what do I need to do to get my websites and files onto my new laptop?? Is there an easy (and painless) way to do this? If you can please help, you would be a lifesaver. Or perhaps you can direct me to an article of yours that has this info. Thanks in advance.

Robert Abela 12/03/2013

Hi Maris,

I am not sure if I am understanding you correctly, where the blogs hosted on Hostgator or you had the FTP accounts configured on your old laptop and would like to configure then on the new laptop?

What is for sure is that we will always find an easy and painless way to solve your WordPress problems 🙂 This kind of problem cannot be solved over a blog post comments though. Drop me an email on robert@wpwhitesecurity.com and we will sort this out.

Looking forward to hearing from you.

Leave a Reply

Your email address will not be published.

Our other plugins