Skip to content

Easy WordPress Updates: Store FTP Info in wp-config.php

Saw an interesting blog post on Twitter today about storing WordPress FTP information in wp-config.php. The article was written in German so I sent the author an email to ask if he’d mind me translating it. Phil, the author, very kindly said yes – so my translation is below.

Since the addition of the automatic updates in the WordPress core became available, there has been the possibility of FTP data in the backend. Then you can get both plugins and the core by clicking on the date. However WordPress then stores the login information in the blog database. This can be a potential security issue. If someone were to gain access to your database then they would also have access to your entire server. One way of reducing the risk is to use the approach outlined below.

Editing wp-config.php


The wp-config.php file can be used to define constant values so that the usage of a database can be removed. This makes the database smaller, and so improves site performance. For the FTP access the constants are as follows and should be added to the bottom of your wp-config.php file:

define('FTP_HOST', '');
define('FTP_USER', 'username');
define('FTP_PASS', 'password');

Secure Connection

For a secure connection add the following line (default: false):

define('FTP_SSL', true);


If the WordPress installation is not in the root directory of the FTP server you can define the location as follows:


Have you moved the plugin directory or all of the content folder? You can also specify the full path using these two constants:

define('FTP_CONTENT_DIR', '...');
define('FTP_PLUGIN_DIR', '...');


Finally, you can also adjust the method to be used by WordPress for the file system. This often hides errors if something goes wrong with the file permissions. You should only change this value if errors occur, most of the time the default will work just fine.

define('FS_METHOD', 'direct');

The following methods are possible:

  • direct (default) – PHP file system functions
  • ssh – SSH PHP Extension
  • ftpext – FTP PHP Extension
  • ftpsockets – PHP socket extension

The constants FTP_PUBKEY, FTP_PRIKEY display the paths to the SSH public key and private key SSH specify.

Delete existing data

If you’re unsure whether access data already stored on WordPress, you can search the WordPress options in the database using the following page on your website:

There you should search for the entry: ftp_credentials

If this is present, you have already stored the FTP data in your database. You can delete it by simply removing the value in the ftp_credentials field on the options page, then scrolling to the bottom, and pressing save. You should be very careful doing this though as there is potential for your website to be broken when doing this.

More information

Further Information can be in the WordPress Codex:

Ben View All

Ben is a lifelong Nintendo fan who also likes to build websites, and develop games. He also buys way too much Lego.

6 thoughts on “Easy WordPress Updates: Store FTP Info in wp-config.php Leave a comment

  1. I believe that “define(‘FS_METHOD’, ‘direct’);” means NOT to use the FTP credentials, but use the built in PHP file system functions.

  2. I agree that storing passwords is a bad idea. If it is stored in the database there is a greater chance for someone to get the FTP info, in fact, is damn pretty easy, you can change the code of a plugin and all data is yours.

    If the data is stored in the wp-config it may be a little better, but not much. The problem is that there are many ways to get it from there, but we may look on the problem from a different point of view. If we use only trusted plugins we think we are safe enough to stop worrying for the 0.0001 change to be hacked with brute force or other intrusive methods.

  3. define(‘ftp_user’, ‘username’);

    Needs to be uppercase FTP_USER or you can (and often will) get internal server errors 🙂

  4. Seems there’s a typo here:

    Missing ‘
    should be


Leave a Reply

Your email address will not be published. Required fields are marked *