Tag Archives: WP Engine

Using Core FTP with WP Engine SFTP

Core FTP Site Manager

Open Core FTP and open the Site Manager.  Add a new site and give it a name.  Enter your IP address or domain name into the Host / IP / URL field.

Next, open the Advanced properties.



Navigate to the SSH section and check the box next to Use Putty compatible SFTP.  (This is the most important step.  Otherwise you will get an Application Error SFTP connection error.)



Set the Port to 2222 and make sure the connection type is SSH/SFTP.  Hit connect.



Don’t use Core FTP?  See our guide for other popular FTP clients that support SFTP:

Using FileZilla with WP Engine SFTP


Open FileZilla and enter your IP address or domain name into the Host field. Add sftp:// before your IP address or domain name.

It should look like this:
sftp://yourdomain.com -or-

Copy your username and password from the WP Engine dashboard into their fields.  Set the port to 2222 and connect.



Site Manager

Under the General tab, enter your IP address or domain name into the Host field.  Add sftp:// before your IP address or domain name.

It should look like this:
sftp://yourdomain.com -or-

Change the port to 2222. Make sure the SFTP – SSH File Transfer Protocol is selected.

Logon Type: Normal

Enter your username and password and hit Connect.



If you are getting the following errors:

  • Error: Cannot establish FTP connection to an SFTP server. Please select proper protocol.
  • Error: Critical error: Could not connect to server

Double-check that you added sftp:// before your IP address or domain name.


Don’t use FileZilla?  See our guide for other popular FTP clients that support SFTP:

7 Steps to Securing your WordPress installation WP Engine automatically does for you


I came across this tutorial back in June of 2013, “10 Steps to Securing Your WordPress Installation” by Fouad Matin, http://wp.tutsplus.com/tutorials/10-steps-to-securing-your-wordpress-installation/ (which is now http://code.tutsplus.com/tutorials/10-steps-to-securing-your-wordpress-installation--wp-21579), which provides some quick and easy steps to take to start securing your install.  Reading through it again, I noticed that WP Engine and the newer versions of WordPress do this automatically for you.

1. Remove the “Admin” superuser

WP Engine does not create the “Admin” superuser by default, so there is no account to remove.

2. Choose a strong password

WP Engine automatically installs the Force Strong Passwords plugin.

3. Limit failed login attempts

WP Engine automatically uses Limit Login Attempts.

4. Always update WordPress

WP Engine automatically updates to minor WordPress revisions and automatically updates to major revisions after giving notice.

5. Hide WordPress version

Not feasible.  Even if you try the techniques listed here:

  • http://code.tutsplus.com/tutorials/10-steps-to-securing-your-wordpress-installation--wp-21579
  • http://www.wpbeginner.com/wp-tutorials/the-right-way-to-remove-wordpress-version-number/

you should still be able to find the version number with a tool like Sucuri.net’s SiteCheck: https://sitecheck.sucuri.net/.

This guy tells you how to do it and then doesn’t even bother himself: http://stanislav.it/wordpress-security-how-to-remove-wordpress-version-number/

6. Backup

WP Engine automatically backs up your site on a daily basis and before and after any updates they perform.  You can manually initiate a snapshot from the my.wpengine.com portal, download a snapshot zip, or request a copy of their offsite backup hosted on Amazon S3.

7. Hide your plugins directory

Nothing there.  See for yourself: https://scottontechnology.com/wp-content/plugins/

WP Engine rolling out support for TLS 1.2


I have recently noticed, first on a client’s site, then this site, that WP Engine is rolling out support for TLS 1.2.

There are also numerous other improvements, including:

  • Removing weak Diffie-Hellman (DH) key exchange parameters, going from a 1024-bit to a 2048-bit group (think Logjam)
  • Adding additional cipher suites
  • Supporting TLS_FALLBACK_SCSV to prevent protocol downgrade attacks
  • Additionally supporting TLS 1.1
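
An added example, not from the original post or from WP Engine: a small Python probe that checks which of the protocol versions listed above a server accepts, by offering exactly one version per connection. Including TLS 1.0 as a baseline and lowering the client's OpenSSL security level with `@SECLEVEL=0` are assumptions of this example.

```python
import socket
import ssl
import sys

# TLS 1.1 and 1.2 are the versions the post says were added;
# TLS 1.0 is included as the older baseline (an assumption of this example).
VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2]


def pinned_context(version):
    """Client context that can negotiate only `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Protocol support is the only thing measured, so certificates are not validated.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Recent OpenSSL builds refuse TLS 1.0/1.1 at the default security level;
    # lower it for this probe only so the result reflects the server, not the client.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe(host, port, version, timeout=5.0):
    """Return 'accepted', 'rejected', 'unreachable' or 'client-unsupported'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with sock:
        try:
            ctx = pinned_context(version)
        except (ValueError, ssl.SSLError):
            return "client-unsupported"  # local OpenSSL cannot offer this version
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "accepted"
        except OSError:  # ssl.SSLError is a subclass: alert, reset or timeout
            return "rejected"


def report(host, port=443, timeout=5.0):
    """Map each protocol name to the probe result for host:port."""
    return {v.name: probe(host, port, v, timeout) for v in VERSIONS}


if __name__ == "__main__":
    # Usage: python tls_versions.py yourdomain.com
    for name, result in report(sys.argv[1]).items():
        print(f"{name}: {result}")
```

The probe covers protocol versions only; it does not measure the DH group size or TLS_FALLBACK_SCSV handling, which a scanner such as Qualys SSL Labs reports separately.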

I have been using TLS with WP Engine on this site since April 10th, 2015 and in just under two months have seen my overall rating from Qualys SSL Labs improve from a C to a B to an A-.

Graham Cluley, who also hosts with WP Engine, mentioned in his post, “And it’s goodbye to HTTP from this website…”, that he switched over on March 3rd, 2015 and quickly replied to a comment that, “Unfortunately at the moment my hosting provider doesn’t offer TLS 1.1 and 1.2.”

Well, good news for Graham: his server configuration has also been updated and he is scoring an A- as well.


and this from back in November 2014