Diagram comparing SFTP vs FTP vs File Manager and highlighting safer WordPress upload methods to reduce hacking risk.

SFTP vs FTP vs File Manager: Which Upload Method Reduces WordPress Hacking Risk and Why

June 1, 2026

If you’ve ever found an unexpected wp-admin login alert or a strange new admin user, you already know this is the scary part: hacks often start with something “small.” In many cases, the first weak link isn’t the WordPress theme or a plugin at all—it’s the way files were uploaded.

Direct answer: When you can choose, SFTP is the safest upload method for WordPress because it encrypts the connection. FTP sends data in plain text, and most “File Manager” tools still add extra risk if you don’t lock them down properly.

As of 2026, most good hosts support SFTP, and security teams keep pushing for it because it stops a common attack: sniffing credentials or session details on the network. I’ve cleaned up WordPress sites where the logs pointed straight at bad upload habits, not just “mystery malware.”

What counts as an “upload method” for WordPress security?

An upload method is how your files get from your computer (or a tool) to your hosting account. For WordPress, that usually means pushing themes, plugins, backups, or replacing core files after troubleshooting.

The upload method matters because it changes two things: how safe the connection is and how easy it is for an attacker to get in. If attackers can read the traffic or steal your login, they can plant web shells, change PHP files, or drop new admin users.

In the WordPress security cluster, this connects directly to what we cover in other posts like WordPress login hardening tips and how malware usually infects WordPress. File upload security is part of the same chain.

SFTP vs FTP vs File Manager: the real WordPress risk differences

The key difference is whether the data in transit is encrypted and how much control you have over permissions and access. Here’s the quick breakdown I use when I’m advising a small business owner after a cleanup.

Method: SFTP (Secure File Transfer Protocol)
  Connection security: Encrypted
  Common weak points: Bad SFTP user permissions, shared credentials, no 2FA on the host
  WordPress hacking risk (typical): Lower (best choice)

Method: FTP (File Transfer Protocol)
  Connection security: Not encrypted (plain text)
  Common weak points: Credentials can be sniffed on public Wi‑Fi, brute force, stolen sessions
  WordPress hacking risk (typical): Higher

Method: File Manager (host web UI)
  Connection security: Varies by host; often HTTPS, but access can be easier for attackers
  Common weak points: No proper role limits, weak host login, editing PHP directly
  WordPress hacking risk (typical): Medium to high (depends on your setup)

This table is not “perfect science,” because risk depends on your host settings, your passwords, and whether you use 2FA. But in my experience, SFTP wins every time you compare it to plain FTP and risky file editing inside the host panel.

SFTP for WordPress uploads: why encryption matters in real attacks

Person uploading files securely over an encrypted connection for WordPress

SFTP is usually expanded as Secure File Transfer Protocol; strictly it is the SSH File Transfer Protocol, meaning the transfer runs inside an SSH session, and that is what encrypts the connection between your device and the server. That encryption is the main reason SFTP reduces WordPress hacking risk.

Here’s the part people miss: an attacker doesn’t always “hack WordPress” first. Sometimes they steal your FTP login when you’re working from a coffee shop or a shared office Wi‑Fi. If they capture your username and password, they can upload a file that looks normal but isn’t.

In WordPress malware cleanups, one of the most common patterns is a modified PHP file inside these places:

  • /wp-content/uploads/ (malicious scripts in “images” or disguised files)
  • /wp-content/themes/ or /wp-content/plugins/ (tiny backdoors)
  • /wp-includes/ (less common, but it happens when the site is already deeply compromised)

With SFTP, the attacker can’t just sit and watch your login details pass by. It blocks the “sniffing” step.

Best-practice SFTP settings for WordPress (2026)

These are practical settings I recommend when a client tells me they want safer uploads but don’t know what to change.

  1. Create a dedicated SFTP user for WordPress uploads (don’t reuse your main host admin login).
  2. Use strong passwords and turn on 2FA on the hosting panel. SFTP helps with transport, but your host login still matters.
  3. Set tight permissions: files usually 644, folders 755 for WordPress. If you’re unsure, ask your host or a tech.
  4. Limit what that user can write (ideally only /public_html and specific subfolders). Some hosts let you restrict paths.
  5. Use SSH keys if your host supports it. Password logins are fine, but keys are harder to steal.
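Here is how the five settings above look as a small upload routine. This is an added example, not code from the original post: it normalizes a local WordPress tree to 644/755, writes a non-interactive sftp batch file, and uploads with key-only authentication. The user name wp-deploy, the host example.com, the key file, the remote path and the sshd_config snippet are all assumptions; the sshd_config part applies only if you (or your host) administer the SSH server.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed values: user wp-deploy,
# host example.com, key ~/.ssh/wp_deploy_ed25519, remote dir /public_html/...

# Normalize permissions on a local copy of a WordPress tree: files 644, dirs 755.
normalize_wp_permissions() {
    dir="$1"
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f -exec chmod 644 {} +
}

# Return 0 only if every file is exactly 644 and every directory exactly 755.
check_wp_permissions() {
    dir="$1"
    [ -z "$(find "$dir" -type f ! -perm 644)" ] && \
    [ -z "$(find "$dir" -type d ! -perm 755)" ]
}

# Write an sftp batch file that uploads one local directory into one remote
# directory. Batch mode never prompts and stops on the first error, so a typo
# cannot silently turn into an upload somewhere else.
write_sftp_batch() {
    batch="$1"; local_dir="$2"; remote_dir="$3"
    cat > "$batch" <<EOF
cd $remote_dir
put -r $local_dir
bye
EOF
}

# Run the upload with the dedicated key only: no password prompt, no agent keys.
upload_with_sftp() {
    key="$1"; user_host="$2"; batch="$3"
    sftp -i "$key" -o IdentitiesOnly=yes -o PasswordAuthentication=no \
         -b "$batch" "$user_host"
}

# Example usage (assumed values):
#   normalize_wp_permissions ./my-plugin
#   write_sftp_batch upload.batch ./my-plugin /public_html/wp-content/plugins
#   upload_with_sftp ~/.ssh/wp_deploy_ed25519 wp-deploy@example.com upload.batch
#
# Server side (only if you administer sshd yourself), this Match block confines
# the deploy user to the site directory and to file transfer only:
#   Match User wp-deploy
#       ChrootDirectory /var/www/example
#       ForceCommand internal-sftp
#       AllowTcpForwarding no
#       X11Forwarding no
```

The batch file is the point worth copying: it fixes the destination directory in advance, so the deploy user uploads exactly one folder to exactly one place, and `-o PasswordAuthentication=no` means a leaked password alone is not enough to use this workflow.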

Real-world note: I’ve seen clients where SFTP worked perfectly… and the SFTP user still had write access to the entire account. That didn’t cause the hack directly, but it made damage bigger once the attacker got in through another door.

FTP for WordPress uploads: why it’s still common and why it’s dangerous

FTP is still used because some old guides and some website tools default to it. But FTP does not encrypt your login or file data, which makes it a direct risk for WordPress security.

Plain FTP means your password can be read if someone captures network traffic. This is easier on public Wi‑Fi, shared office networks, and sometimes in poorly secured hosting environments.

FTP risk shows up in hacks in two ways:

  • Credential theft: attacker steals FTP username/password, then uploads malicious PHP.
  • Session hijacking: attacker may reuse stolen sessions or push files during an active window.

What people get wrong about FTP vs SFTP

Most people assume “I’m behind HTTPS on my website, so everything is safe.” That’s not how FTP works. HTTPS protects browser-to-server traffic for pages, not your FTP login traffic.

Another common mistake: people use FTP only once a year, thinking it’s “not often.” Attackers don’t need daily access. One successful upload of a backdoor can last months.

If you must use FTP, what’s the least-worst option?

I’m going to be blunt: if your host supports SFTP, choose SFTP. If you absolutely can’t, ask the host if they offer FTPS (FTP over TLS). FTPS adds encryption.

If they don’t, here are mitigation steps that at least reduce the damage:

  • Only upload from a trusted network (home office, not public Wi‑Fi).
  • Use a dedicated FTP account with the least possible permissions.
  • Change the FTP password often and after any suspicion.
  • Turn on host panel 2FA and strong password rules.

Then plan your switch to SFTP. As of 2026, most quality hosts support it, even if older tutorials don’t mention it.

File Manager uploads in cPanel (and similar tools): fast, but risky if permissions and editing are loose

File Manager usually means editing or uploading files from a web panel in your browser. It’s convenient, but it changes the threat model because it depends heavily on who can log into the hosting panel.

Even if the panel uses HTTPS (so traffic is encrypted), an attacker doesn’t need to sniff anything if they can get into your host login. Once they’re in the panel, they can edit PHP files directly.

In malware removal work, I’ve seen web shells dropped through the file editor because it’s quick and doesn’t require extra software. The “looks normal” part is the killer: the attacker adds a tiny PHP file that looks like part of a theme or a tool.

When File Manager is okay for WordPress (realistic scenarios)

File Manager can be okay if you treat it like a powerful admin tool, not a casual editor.

I’ve found it’s usually fine when:

  • You use a hosting panel login with 2FA.
  • You restrict admin access to your IP (some hosts offer this).
  • You don’t have other users sharing the same panel password.
  • You only use it for small, quick tasks like moving a plugin folder—not for long-term manual file changes.

If any of these are missing, File Manager tends to raise the odds of a real compromise.

File Manager security checklist (do this before you upload again)

  1. Turn on 2FA for your host control panel accounts.
  2. Remove unknown admin users in the hosting panel and WordPress dashboard.
  3. Disable PHP execution in uploads where possible (many hosts offer a setting). This is a big deal because attackers love dropping PHP inside uploads.
  4. Set correct ownership: files should belong to the right system user so you don’t end up with weird permission mistakes.
  5. Log activity: use host logs or security plugins so you can spot suspicious edits fast.

Which method reduces WordPress hacking risk the most? (My recommendation)

Admin reviewing security settings in a hosting control panel before uploading files

If you want the lowest hacking risk in normal WordPress work, SFTP is the winner. Next comes FTP only if it’s protected by encryption like FTPS (but don’t assume your setup is). File Manager is “safe enough” only when the hosting panel is locked down hard.

Here’s how I decide when a client is choosing an upload method:

  • Choose SFTP if you can. It encrypts the connection and supports better access control via separate users.
  • Avoid plain FTP. If you see FTP in your workflow, treat it like a risk you haven’t fixed yet.
  • Use File Manager carefully. If you need it, limit who can access the host panel and keep 2FA on.

A practical “safe upload” workflow you can copy

This is the exact kind of routine I ask clients to follow after a cleanup. It’s simple, but it prevents a lot of repeat problems.

  1. Update WordPress and plugins first (risk reduction). Malware loves old versions.
  2. Use SFTP to upload only what you need (themes, plugins, or specific fixes).
  3. Before and after each upload, compare file changes if your host provides a file diff or checksums.
  4. Restart your security checks immediately after upload: scan with your security plugin and check admin users.
  5. Watch server logs for 24 hours. Many attackers make a second attempt right after the initial upload window.

If you want more cleanup-focused steps, our WordPress malware recovery steps guide covers what to check in the files and the database.

People Also Ask: SFTP vs FTP vs File Manager

Is SFTP secure enough for WordPress file uploads?

Yes—SFTP is secure enough for WordPress uploads because it encrypts the connection. Security still depends on your host panel login and permissions, but SFTP removes the biggest “transport” weakness that plain FTP has.

Is File Manager safer than FTP?

Sometimes, but it’s not automatically safer. File Manager can be safer than plain FTP if your host panel has strong 2FA and strict user access. If an attacker gets into your host panel, File Manager becomes a fast way to do damage.

Can WordPress get hacked just by uploading a plugin or theme?

Yes. If someone uploads a tampered plugin file or a compromised theme package, WordPress will run that PHP. That’s why you should only upload files you trust, and always scan after changes.

One of the worst real scenarios I’ve seen: a client downloaded a “free premium plugin” from a random site, then uploaded it using FTP to “save time.” The hack didn’t look like ransomware—it looked like a small backdoor in a PHP file.

What should I do if my site was hacked after file uploads?

Do these steps in order: take a backup, change credentials (WordPress and hosting), remove unknown files, scan, then restore clean versions of themes/plugins. We also recommend reviewing upload logs and checking for new admin users, because attackers often come back with a second script later.

If you need a step-by-step checklist, see our WordPress incident response checklist.

Real-world case pattern: the “upload method” clue I look for first

When I review compromised-site reports, I look for a boring pattern: the method used to upload the last changes right before the hack. In 2025–2026 cleanups, a lot of the “how it happened” stories had one thing in common—people were still using FTP or using File Manager without strict access rules.

One small business client had a developer upload changes from a laptop on guest Wi‑Fi. Later, they found new files in /wp-content/uploads/ and a modified PHP file in a theme folder. When we blocked the hosting panel access and switched their workflow to SFTP, the repeated login attempts stopped.

That wasn’t magic. It was just removing the easiest path for attackers to plant files.

Actionable hardening steps that reduce risk regardless of method

Even if you pick SFTP, you still need hardening. Upload methods reduce some risks, but they don’t stop all attacks by themselves.

Lock down WordPress admin access

  • Use strong passwords and turn on 2FA for WordPress logins (many security plugins do this).
  • Remove unused admin accounts and keep roles tight.
  • Set up alerts for new admin users and failed login spikes.

This connects with our WordPress hardening tips for logins and roles because stolen credentials are still the most common first step.

Prevent PHP execution where attackers like to hide

Most web shells love hiding in places they think admins won’t watch. A big win is preventing PHP execution in /wp-content/uploads. Many hosts provide a simple control for this.

If you run a multisite or have unusual folder setups, check with your host so you don’t break normal uploads.
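For hosts without a one-click switch, this is what "disable PHP execution in uploads" (checklist item 3 above and this section) looks like on Apache and nginx. It is an added example, not the post's or any host's own code: it writes a .htaccess deny rule into the uploads directory, checks that the rule is present, and lists PHP-style files already sitting there so they can be reviewed. The uploads path is an assumption, and the rule needs AllowOverride to permit .htaccess in that directory.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes an Apache 2.4 host that
# honours .htaccess under wp-content/uploads; the nginx form is in a comment.

# Install a .htaccess that denies any request for a PHP-style file under
# uploads, whatever PHP handler the server uses (the request is rejected
# before a handler ever runs).
protect_uploads_dir() {
    uploads="$1"
    cat > "$uploads/.htaccess" <<'EOF'
# Deny direct requests for PHP-style files in uploads (Apache 2.4 syntax).
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Return 0 when the uploads directory carries the deny rule.
uploads_protected() {
    uploads="$1"
    [ -f "$uploads/.htaccess" ] && grep -q 'Require all denied' "$uploads/.htaccess"
}

# List PHP-style files already in uploads. WordPress never needs PHP there, so
# each hit is either a misplaced file or something dropped by an attacker and
# should be reviewed rather than left behind the deny rule.
php_files_in_uploads() {
    uploads="$1"
    find "$uploads" -type f \( -name '*.php' -o -name '*.php[0-9]' \
        -o -name '*.phtml' -o -name '*.phar' \)
}

# nginx ignores .htaccess. The equivalent goes in the server block and must sit
# before the generic "location ~ \.php$" block so it wins the regex match:
#   location ~* /wp-content/uploads/.*\.(php|php[0-9]|phtml|phar)$ { return 403; }
```

Run `php_files_in_uploads` first and deal with what it finds; the deny rule stops future execution but does not clean up what is already there.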

Monitor file changes after every upload

Good monitoring catches problems before search engines or customers do. After uploading files, check:

  • Any new .php files you didn’t create
  • Changes to theme/plugin core files
  • Modified timestamps around the upload window
  • New scheduled tasks (cron) or unfamiliar admin users
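If your host does not provide a file diff or checksums (workflow step 3 earlier) you can keep your own. The block below is an added example, not the post's own code: it records a SHA-256 manifest of the WordPress tree, reports files added, removed or changed since the baseline, and lists PHP files modified inside a recent window for the timestamp check above. Run it on the server over SSH, or on a local mirror pulled via SFTP; the site and manifest paths are assumptions, and the manifest format does not handle file names containing spaces.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed paths: a WordPress tree
# (e.g. /var/www/example/public_html) and two manifest files you choose.

# Pick whichever SHA-256 tool the system has (GNU coreutils or shasum).
sha256_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then echo "sha256sum"; else echo "shasum -a 256"; fi
}

# Write "hash  ./relative/path" for every regular file under $1 into $2.
make_manifest() {
    site="$1"; manifest="$2"
    (cd "$site" && find . -type f -exec $(sha256_cmd) {} + | sort -k2) > "$manifest"
}

# Compare a before and an after manifest. Prints one line per difference:
#   ADDED path / REMOVED path / CHANGED path (same path, different hash)
compare_manifests() {
    before="$1"; after="$2"
    awk 'FILENAME == ARGV[1] { b[$2] = $1; next }
         { a[$2] = $1 }
         END {
             for (p in a) if (!(p in b)) print "ADDED " p
             for (p in b) if (!(p in a)) print "REMOVED " p
             for (p in a) if ((p in b) && a[p] != b[p]) print "CHANGED " p
         }' "$before" "$after" | sort
}

# List PHP files modified within the last N minutes (default 60): the
# "modified timestamps around the upload window" check.
recent_php_changes() {
    site="$1"; minutes="${2:-60}"
    find "$site" -type f -name '*.php' -mmin "-$minutes"
}

# Example usage (assumed paths):
#   make_manifest /var/www/example/public_html /root/wp-before.txt
#   ... do the SFTP upload ...
#   make_manifest /var/www/example/public_html /root/wp-after.txt
#   compare_manifests /root/wp-before.txt /root/wp-after.txt
#   recent_php_changes /var/www/example/public_html 120
```

Anything reported as ADDED or CHANGED that you did not upload yourself is the file to open first; a CHANGED line on a theme's functions.php or a plugin's main file is the classic backdoor placement described in this post.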

This is also where our malware cleanup guides pay off, because they show what to look for first when you’re under pressure.

Conclusion: pick SFTP, lock down the panel, and stop “easy” uploads

To reduce WordPress hacking risk, choose SFTP whenever you can. It encrypts the connection, which removes a common path attackers use to steal credentials or inject malicious files.

Avoid plain FTP. If you’re using File Manager, treat it like a loaded weapon: only allow trusted accounts, keep 2FA on, and limit edits and permissions.

If you want a clean rule you can stick to in 2026: SFTP for uploads + strict host panel access + file change monitoring is the combination that stops most “upload-based” compromises before they start.