How to Transfer WordPress Files Safely

Did you know? 41% of hacked WordPress sites in 2023 were compromised due to insecure file transfers, and downtime can cost businesses up to $5,600 per minute. Protecting your WordPress files during migration is critical to avoid data breaches, downtime, and broken functionality.
Here’s how to safely transfer your WordPress files:
- Use SFTP: Always use encrypted SFTP (port 22) instead of FTP to prevent data interception.
- Backup Everything: Create a full backup, including your database, core files, media, and configuration files.
- Secure Permissions: Set files to 644, directories to 755, and wp-config.php to 600 after transfer.
- Verify Transfers: Use checksum verification to confirm files remain intact.
- Test Your Site: Check your homepage, plugins, themes, and database connections to ensure everything works.
Quick Checklist:
- Backup your site with tools like UpdraftPlus or phpMyAdmin.
- Confirm your hosting supports SFTP and PHP 7.4+.
- Use an SFTP client like FileZilla for encrypted transfers.
- After migration, adjust file permissions and run security checks.
Before You Start: File Transfer Setup
Getting everything ready beforehand helps avoid data loss and keeps your transfer secure. Here’s how to prepare.
Create a Complete Website Backup
A full backup acts as your safety net. Make sure you include the following:
Component | What to Back Up |
---|---|
Database | All tables and stored procedures |
Core Files | wp-content , themes, plugins |
Media | Uploads folder and any customizations |
Configuration | wp-config.php and .htaccess |
Tip: Use tools like phpMyAdmin for databases, FileZilla for SFTP transfers, and UpdraftPlus for media files to streamline the process.
Check Your Hosting Requirements
Verify these hosting details to avoid compatibility issues:
- SFTP Protocol Support: Ensure your host supports SFTP (port 22).
- PHP Version: Make sure the version is compatible (e.g., WordPress 6.4 needs PHP 7.4 or newer).
- Storage Space: Confirm there’s enough space available for the transfer.
- Memory Limits: Check that the PHP memory limit is at least 256MB, as recommended.
You can find this information in your hosting control panel.
Store Access Details Safely
Keep your credentials secure with these methods:
Access Type | Storage Method |
---|---|
SFTP Credentials | Encrypted password manager |
Database Details | Secure note-taking app |
API Keys | Environment variables |
For added security, use temporary credentials during the transfer and remove them once it’s done. Always test your access credentials before starting.
Save backups both locally and in a secure cloud storage, using clear and consistent naming (e.g., mysite_backup_20250508_full.zip). Update your credentials regularly – every 90 days or after major updates.
Following these steps will help ensure your migration goes smoothly and securely.
Moving WordPress Files: Step-by-Step Instructions
After preparing your backup and checking your hosting requirements, here’s how to move your WordPress files securely.
Set Up SFTP Connection
Set up your SFTP client to use SFTP, which encrypts data over SSH (usually on port 22). Always confirm the server’s host key (fingerprint) to make sure you’re connecting to the correct server. This helps prevent data interception and unauthorized access.
Transfer WordPress Core Files
To keep your site functional after migration, organize your file transfer carefully:
- Core WordPress Files
  - Folders: wp-admin/ and wp-includes/
  - Root files: Examples include index.php and wp-config-sample.php
- Custom Content
  - Folders: wp-content/themes/, wp-content/plugins/, and wp-content/uploads/
Preserving the original folder structure is key for your WordPress site to work properly.
Use Encrypted File Transfer
To secure your file transfer, follow these practices:
- File Encryption: Use strong encryption methods like AES-256 to safeguard your files.
- Transfer Verification: Enable checksum verification to confirm that files remain intact after transfer.
- Access Control: Use tools like IP whitelisting to limit who can access the server.
- Session Security: Set up an auto-timeout for inactive sessions to reduce risks of unauthorized access.
After Transfer: Security Checks
Once your files are transferred, it’s time to complete a few essential security checks to ensure everything is safe and working as expected.
Update File Permissions
After the transfer, adjust file permissions to protect your site. Use these recommended settings:
- WordPress files: 644 (owner can read/write; group and others can read)
- WordPress directories: 755 (owner can read/write/execute; group and others can read/execute)
- wp-config.php: 600 (only the owner can read/write)
To apply these settings, right-click the root directory, select ‘File Permissions,’ and apply changes recursively. Double-check that wp-config.php is specifically set to 600.
Check Files and Website Status
Perform these checks to ensure your site is fully functional:
- Compare file counts, sizes, and timestamps to confirm everything transferred correctly.
- Run the WordPress core verification command: wp core verify-checksums.
- Test your homepage and log in to the admin dashboard.
- Check media uploads, activate plugins, and confirm theme customizations.
- Ensure database connections are working and content displays properly.
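The checksum verification recommended under "Use Encrypted File Transfer" and the file comparison in the list above can both be done with a SHA-256 manifest. The script below is an added example, not part of the original article: the helper names and the sample tree are constructed, and it assumes GNU sha256sum and file names without newlines or backslashes.

```shell
#!/bin/sh
# Added example: compare SHA-256 manifests of the source and destination trees.
# make_manifest, compare_manifests and demo are hypothetical helper names.
# Assumes GNU sha256sum and file names without newlines or backslashes.

# Print "<sha256>  ./relative/path" for every regular file under $1.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + )
}

# Compare source manifest $1 with destination manifest $2. Prints one sorted
# line per discrepancy; returns 0 only when both manifests list the same files
# with the same hashes.
compare_manifests() {
    report=$(awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }  # path may hold spaces
        FILENAME == ARGV[1] { src[path] = hash; next }       # first file: source
        !(path in src) { print "EXTRA   " path }
        (path in src) && src[path] != hash { print "CHANGED " path }
        { seen[path] = 1 }
        END { for (p in src) if (!(p in seen)) print "MISSING " p }
    ' "$1" "$2" | sort)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed sample: a tiny fake site, copied, then damaged in three ways.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src/wp-content/uploads" "$work/src/wp-includes"
    echo '<?php // constructed' > "$work/src/wp-config.php"
    echo 'version 6.4' > "$work/src/wp-includes/version.php"
    echo 'image bytes' > "$work/src/wp-content/uploads/my logo.png"
    cp -R "$work/src" "$work/dst"
    echo 'truncated' > "$work/dst/wp-includes/version.php"   # altered in transit
    rm "$work/dst/wp-content/uploads/my logo.png"            # never arrived
    echo '<?php' > "$work/dst/wp-content/uploads/x.php"      # absent from source
    make_manifest "$work/src" > "$work/src.sha256"
    make_manifest "$work/dst" > "$work/dst.sha256"
    status=0
    compare_manifests "$work/src.sha256" "$work/dst.sha256" || status=$?
    rm -rf "$work"
    return "$status"
}

demo || echo "transfer not verified: resolve the lines above before going live"
```

In a real migration, run make_manifest on the old server and on the new one, then compare the two manifests on either side. wp core verify-checksums covers only WordPress core files, while the manifest also covers themes, plugins and uploads.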
Add Security Measures
Strengthen your site’s defenses with these steps:
- Activate ModSecurity WAF and restrict PHP execution in upload directories.
- Add .htaccess rules to prevent direct access to sensitive files.
- Install a security plugin that offers real-time monitoring.
- Set up automated malware scans.
- Limit login attempts to reduce the risk of brute force attacks.
- Enable file change detection to monitor for unauthorized modifications.
Fix Common Transfer Problems
When transfer issues arise, resolving them quickly helps maintain both security and functionality.
Fix SFTP Connection Issues
SFTP connection problems often show up as timeout errors or authentication failures. Here’s what to check:
- Port 22: Ensure it’s accessible (this is the default SFTP port).
- Protocol: Confirm your FTP client is set to use the SFTP protocol.
- SSH Key: Verify the key being used is valid.
If these checks don’t resolve the issue, try these steps:
- Use an online port checker to confirm port 22 is open.
- Temporarily disable your local firewall to test connectivity.
- Contact your hosting provider and request IP whitelisting if needed.
Correct Permission Errors
A "403 Forbidden" error usually means file permissions are incorrect. Here’s a quick reference for typical file and directory permissions:
File Type | Typical Permission | Example Path |
---|---|---|
Directories | 755 | /wp-content/ |
Regular Files | 644 | style.css |
wp-config.php | 600 | wp-config.php |
.htaccess | 644 | .htaccess |
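To fix permissions:
- Using an SFTP Client:
  - Use the "View/Edit Permissions" option.
  - Apply changes recursively for directories.
  - Set wp-config.php permissions separately.
- Using SSH (replace /path with your WordPress root):

      # Directories: owner rwx, group and others r-x
      find /path -type d -exec chmod 755 {} \;
      # Regular files: owner rw, group and others r
      find /path -type f -exec chmod 644 {} \;
      # Run this last: the previous command resets wp-config.php to 644
      chmod 600 /path/wp-config.php
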
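To confirm that the permissions actually match the table above after a fix, an audit that reports deviations without changing anything is useful. This is an added example, not part of the original article; audit_wp_perms, demo_audit and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: report paths whose mode deviates from the targets above
# (directories 755, files 644, wp-config.php 600). Read-only: nothing is changed.
# audit_wp_perms and demo_audit are hypothetical helper names.

# audit_wp_perms ROOT -> prints one sorted line per deviation, returns 1 if any.
audit_wp_perms() {
    root=${1%/}
    report=$(
        {
            find "$root" -type d ! -perm 755 | sed 's/^/DIR!=755 /'
            # wp-config.php has its own, stricter target, so skip it here.
            find "$root" -type f ! -path "$root/wp-config.php" ! -perm 644 |
                sed 's/^/FILE!=644 /'
            if [ -f "$root/wp-config.php" ]; then
                find "$root/wp-config.php" ! -perm 600 | sed 's/^/CONFIG!=600 /'
            fi
            # World-writable paths are the riskiest deviation; flag them separately.
            find "$root" \( -type f -o -type d \) -perm -0002 |
                sed 's/^/WORLD-WRITABLE /'
        } | sort
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed sample tree with three deliberate mistakes.
demo_audit() {
    site=$(mktemp -d) || return 1
    mkdir -p "$site/wp-content/uploads"
    touch "$site/index.php" "$site/wp-config.php" "$site/wp-content/uploads/a.jpg"
    chmod 755 "$site" "$site/wp-content"
    chmod 644 "$site/index.php" "$site/wp-config.php"   # config left readable by all
    chmod 777 "$site/wp-content/uploads"                # world-writable directory
    chmod 664 "$site/wp-content/uploads/a.jpg"          # group-writable file
    status=0
    ( cd "$site" && audit_wp_perms . ) || status=$?
    rm -rf "$site"
    return "$status"
}

demo_audit || echo "permissions need attention before the site goes live"
```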
Once permissions are corrected, move on to addressing content-related issues.
Fix Broken Links and Database Issues
After confirming file transfers and permissions, check for content inconsistencies like broken links or database errors.
Database Connection Errors:
- Ensure wp-config.php credentials match the new hosting environment.
- Verify database user privileges.
- Add this line to wp-config.php to enable direct file system access: define('FS_METHOD','direct');
Broken Media Links:
- Use the Better Search Replace plugin to update database URLs.
- Update the siteurl and home values in the wp_options table via phpMyAdmin.
- Set up 301 redirects for any changed URLs.
500 Internal Server Error:
- Reset .htaccess to WordPress default rules.
- Enable debugging in wp-config.php to identify issues.
- Check that file ownership matches the web server user.
Conclusion: File Transfer Safety Checklist
Here’s a handy checklist to ensure your file transfer process stays secure and smooth. Each stage includes key actions to protect your data:
Stage | Essential Actions | Security Level |
---|---|---|
Pre-Transfer | Back up files with tools like UpdraftPlus, confirm PHP 8.0+ compatibility, secure access credentials | Critical |
During Transfer | Use SFTP on port 22, keep the file structure intact, monitor transfer progress | High |
Post-Transfer | Set proper permissions, run a malware scan, verify SSL configuration | Critical |
To enhance security, enable two-factor authentication, maintain three backup copies (two local, one offsite), and stick to encrypted protocols for all transfers.
WPBeginner’s 2024 data shows that 23% of migration failures happen due to incomplete backups. Avoid this by testing your backup restoration process before transferring. Additionally, CodeGuard (2023) found a 34% failure rate in backup recovery attempts, underscoring the importance of thorough testing.
For large file transfers, simplify your workflow with this command:
rsync -avz -e ssh /local/path user@host:/remote/path
This checklist provides a clear and thorough approach to secure WordPress file migration, ensuring your transfers are both safe and reliable.
FAQs
Why should I use SFTP instead of FTP for transferring WordPress files securely?
Using SFTP (Secure File Transfer Protocol) instead of FTP is crucial for secure WordPress file transfers because it encrypts the data being transmitted. This ensures that sensitive information, like your login credentials and website files, is protected from interception by malicious actors.
FTP, on the other hand, transmits data in plain text, making it vulnerable to security breaches. By using SFTP, you add an extra layer of protection to your WordPress site during migrations or file updates, safeguarding your website from potential threats.
What should I do if I get permission errors after moving my WordPress files?
If you encounter permission errors after transferring your WordPress files, it’s likely due to incorrect file or folder permissions. To resolve this:
- Check file and folder permissions: Use an FTP client or your hosting control panel to ensure files are set to 644 and folders to 755. Adjust permissions as needed.
- Verify ownership settings: Confirm that the files and folders are owned by the correct user, usually the one associated with your hosting account.
- Update .htaccess or wp-config.php: If permissions are correct but errors persist, check your .htaccess and wp-config.php files for any misconfigurations.
If you’re unsure, reach out to your hosting provider for assistance or consult a WordPress expert to ensure everything is configured securely and correctly.
How can I make sure my WordPress backup is reliable before transferring files?
To ensure your WordPress backup is reliable, it’s important to test it before transferring your files. Start by restoring the backup in a staging environment or a local setup to confirm that all data, plugins, and themes are intact and functional. This step helps identify any potential issues and prevents data loss during migration.
Additionally, double-check that the backup includes all critical components, such as your database, media files, and configuration settings. Taking these precautions will give you confidence that your backup is complete and ready for a smooth transfer.