Storing FTP credentials for automatic updates


WordPress periodically deploys updates to secure flaws within its code or provide general enhancements. These updates are rolled out in the form of releases that, as of WordPress 3.7, can occur in the background automatically without requiring user intervention. If permissions prohibit, WordPress cannot perform an automatic update and require user intervention to manually update.


Edit wp-config.php located within the document root of your WordPress domain or base of the subdirectory if located elsewhere under a domain. Add the following 3 lines to the end of your configuration file:

/** Setup FTP Details **/
define("FTP_HOST", "localhost");
define("FTP_USER", "your-ftp-username");
define("FTP_PASS", "your-ftp-password");

Substitute, of course, your-ftp-password and your-ftp-username with your FTP credentials. FTP_HOST should remain the same (“localhost“).


Since your FTP configuration, which is equivalent to control panel credentials, is stored in a wp-config.php file accessible by the web server, if an attacker gains unauthorized access to your WordPress installation, then the attacker will also have access to view the credentials inside wp-config.php. For this reason, it is advised that if you choose this route, create a new user within the control panel (User > Add User) to manage web files apart from the primary user on the account. In the event this account is compromised, then the attacker would only have access to the FTP account for that user, and not the master control panel login. And even then, if the account were hacked, an attacker would already be able to snoop those files!

Leave a Reply