Thursday, July 9, 2026
All guides
Troubleshooting guide Updates

WordPress Keeps Asking for FTP Credentials? Here's the Actual Fix

You click Install Plugin or Update Now and WordPress throws up a form demanding FTP hostname, username, and password. The prompt is not a security feature, it is a file-permissions symptom. Here is what triggers it, why entering FTP details is the wrong long-term answer, and the two-line fix that stops it for good.

Arjun Mehta Published July 9, 2026 Last reviewed July 9, 2026 12 min read Step-by-step walkthrough
Reviewed and tested by the WPRescue team on a real WordPress install before publishing. How we test fixes
WordPress FTP credentials prompt shown during plugin install

What's Happening

You go to install a plugin, run a theme update, or apply a core update and WordPress interrupts you with a screen that reads 'To perform the requested action, WordPress needs to access your web server' followed by fields for Hostname, FTP Username, FTP Password, and a Connection Type dropdown. Filling that form in with real FTP credentials works once, but the prompt keeps coming back on every future update. The root cause is that the PHP process running WordPress does not own the files it is trying to modify, and WordPress is asking you for another way in.

The FTP credentials prompt is one of those WordPress screens that looks like it wants a security answer and actually wants a permissions answer. You are trying to install a plugin, WordPress refuses, and it presents a form asking for FTP hostname, username, and password. Most people either type their real FTP details in and move on, or they Google the error and paste an FTP snippet into wp-config.php that hardcodes their credentials. Both approaches work in the short term. Both come back to bite the site.

The prompt exists because WordPress cannot always write to its own filesystem. When PHP is running as one user and the files are owned by another, the direct-write attempt fails and WordPress falls back to the next method in its chain: FTP. The prompt is the fallback surfacing to the user. Fix the ownership, the fallback never gets triggered, and the prompt never appears again.

This guide covers the two-line fix that works when ownership is already right, the ownership repair that works when it is not, and the exact reasons the prompt keeps reappearing after a migration, a backup restore, or a plugin install that ran as root.

What the prompt actually means

WordPress has a filesystem abstraction layer called WP_Filesystem. Every time core, a plugin, or a theme needs to create, modify, or delete a file (plugin installs, theme updates, core auto-updates, cache writes in some plugins), it goes through WP_Filesystem. The abstraction tries four methods in a fixed order: direct, ssh2, ftpext, and ftpsockets.

Direct means PHP writes to the disk itself using file_put_contents and fwrite. This is the fastest, safest method and it is what WordPress prefers. It only works when the user PHP is running as owns the files it is trying to modify. If it does not, PHP throws a permission denied error and WordPress moves down the chain.

ssh2 requires the PHP ssh2 extension, which most shared hosts do not enable. It fails silently. ftpext requires the FTP extension, which is more common but still needs credentials. ftpsockets is a pure-PHP FTP client that works almost anywhere. Once WordPress has fallen through to one of the FTP methods, it needs credentials to log in, and that is when the prompt appears.

So the prompt is not asking you to prove who you are. It is telling you 'I cannot write files as myself, please give me a way to log in as someone who can.'

The three reasons ownership goes wrong

In 12 years of fixing this on client sites, almost every case falls into one of three buckets. Knowing which bucket you are in tells you which fix to run.

  • You migrated the site and the migration tool created files as a different user than the target host's PHP user (most common cause)
  • A support person or a script ran as root, and now a handful of files inside wp-content are owned by root instead of your account
  • The host changed its PHP handler (from mod_php to PHP-FPM or LiteSpeed's LSAPI) and the PHP user changed with it, leaving the old files under the old owner

Step 1: Find out who PHP is running as

Before you fix ownership you need to know what to set it to. Drop a one-line file at the root of your WordPress install called whoami.php with a single line that prints the current process user. Load it in a browser, note the username, then delete the file. Leaving a whoami probe on a live site is a small but real information disclosure risk.

phpDelete this file the moment you are done. Never leave PHP probes on a production site.
<?php
// Save as whoami.php at the WordPress root, load once, then delete.
echo 'PHP is running as: ' . get_current_user() . ' (uid ' . posix_geteuid() . ')';

Step 2: Check current ownership

Over SSH, cd into your WordPress root and run ls -la. The third column of the output shows the owner of each file. Every file and folder should show the same username the whoami probe returned. Anything showing root, apache, nobody, or a different account is the source of the FTP prompt.

If you do not have SSH, use the File Manager in cPanel or Plesk. Right-click a file, choose Properties or Change Permissions, and the ownership row shows the current owner. Spot-check wp-content, wp-content/plugins, and wp-content/uploads first, those are the folders WordPress writes to most.

bashReplace 'yourphpuser' with the username from step 1. Any output from the find command is a file that needs its owner reset.
# Run inside your WordPress root over SSH
ls -la | head -20
ls -la wp-content/ | head -20

# Look for any file NOT owned by your PHP user
find . ! -user yourphpuser -print | head

Step 3: Fix the ownership

On a cPanel host with SSH, the fix is a single chown command run as root or with sudo. Replace youruser with the username PHP runs as (usually the same as your cPanel account name) and adjust the path to your document root.

If you do not have root SSH access, use cPanel's Fix File Permissions tool or ask your host to run the reset for you. Every reputable host has a one-click or ticket-based option for this. Do not try to guess and chmod your way out, ownership is separate from permissions and chmod does not change it.

bashRun as root or with sudo. Folders 755, files 644, wp-config.php 600. Never use 777 anywhere.
# Reset ownership across the whole WordPress install
sudo chown -R youruser:youruser /home/youruser/public_html/

# Then set safe permissions
sudo find /home/youruser/public_html/ -type d -exec chmod 755 {} \;
sudo find /home/youruser/public_html/ -type f -exec chmod 644 {} \;
sudo chmod 600 /home/youruser/public_html/wp-config.php

Step 4: Add FS_METHOD to wp-config.php

Once ownership is correct, tell WordPress to skip the FTP fallback entirely. Add one line to wp-config.php above the 'That's all, stop editing' comment. This forces the direct method and makes the FTP prompt impossible to trigger.

If you set this line and updates start failing silently, ownership is not actually fixed. Remove the line, go back to step 3, then add it again.

phpAdd above the '/* That's all, stop editing! Happy publishing. */' line in wp-config.php.
// Force WordPress to write files directly. Requires correct file ownership.
define( 'FS_METHOD', 'direct' );

What NOT to do

The internet is full of quick-fix advice that silences the prompt and leaves your site less secure than before. These are the three worst suggestions I see recommended and why they are wrong.

  • Do not chmod 777 wp-content. This makes every file world-writable, which is how mass shared-hosting compromises happen. Malware scanners flag 777 folders automatically.
  • Do not hardcode FTP credentials in wp-config.php using FTP_HOST, FTP_USER, and FTP_PASS. This puts plaintext credentials in a file the whole PHP process can read, and any plugin vulnerability leaks them.
  • Do not disable auto-updates to make the prompt go away. WordPress auto-updates ship security patches and turning them off is a bigger risk than the FTP prompt itself.

A migration case that took ten minutes to fix

A client had moved a WooCommerce store from a Bluehost shared plan to a Hostinger VPS using a manual export and FTP re-upload as a different account. On the new server, every plugin install and update triggered the FTP prompt. They had entered their FTP details three times that week and were about to hardcode them in wp-config.

One SSH session, one chown command across public_html, one FS_METHOD line added to wp-config.php. Total time under ten minutes. The prompt has not reappeared in seven months.

That is the pattern: FTP prompt after a migration is almost always ownership drift from the transfer, not a real filesystem or security problem. Fixing it once, correctly, saves hours of one-off credential entry over the life of the site.

Final checklist

Run through this list before you close the tab. If any item is unchecked, the FTP prompt will come back on the next update.

  • You confirmed the user PHP runs as with a whoami probe (and deleted the probe file)
  • Every file inside the WordPress root is owned by that user, verified with ls -la or a File Manager spot check
  • Folders are 755, files are 644, wp-config.php is 600, no 777 anywhere
  • FS_METHOD is set to 'direct' in wp-config.php
  • You did NOT hardcode FTP_HOST, FTP_USER, or FTP_PASS in wp-config.php
  • A test plugin install from Plugins > Add New completes without prompting for FTP credentials
  • If you are on a managed host and still see the prompt, you have opened a support ticket instead of trying to fix it yourself

Complete Fix Checklist

  1. 1Confirm the prompt is a file-ownership problem, not a broken filesystem, by checking who owns wp-content on your host.
  2. 2Fix the ownership so the PHP user (usually the same as your cPanel user) owns every file inside the WordPress root.
  3. 3Add define('FS_METHOD', 'direct'); to wp-config.php so WordPress writes files directly instead of falling back to FTP.
  4. 4If ownership is right and the prompt still appears, check that wp-content and wp-content/upgrade are writable (755 for folders, 644 for files).
  5. 5Never leave real FTP credentials in wp-config.php as a workaround, that is a security risk and it hides the underlying permissions issue.

Quick Tips

  • The FTP prompt is a fallback, not a security check, WordPress only shows it when it cannot write files directly
  • Chmod 777 will silence the prompt and also gets your site flagged by every malware scanner, do not use it
  • If the site is on nginx or LiteSpeed, the PHP user is set in the pool config, not by cPanel, check with your host if unsure

Frequently Asked Questions

Why is WordPress suddenly asking me for FTP credentials?
Because the PHP process running WordPress cannot write to the files it needs to modify. WordPress tries three methods in order: direct file writes, then FTP extension, then FTP sockets. If direct fails because of file ownership or permissions, it falls back to asking you for FTP details so it can log in as a user who can write. The prompt is a fallback, not a security feature.
Is it safe to type my FTP credentials into that form?
It works for a single action but it is not a long-term fix. Every future update triggers the same prompt, and if the site is compromised those credentials can be scraped from the running PHP session. The right fix is to correct the file ownership so WordPress can write directly. Entering FTP credentials treats the symptom, not the cause.
What does FS_METHOD do and should I set it?
FS_METHOD is a wp-config.php constant that tells WordPress which filesystem method to use. Setting FS_METHOD to 'direct' forces WordPress to write files directly and skip the FTP fallback entirely. It only works if file ownership is correct. If ownership is wrong and you set FS_METHOD to direct anyway, updates will fail silently instead of prompting you.
What file ownership does WordPress actually need?
Every file and folder inside your WordPress root should be owned by the same user that the PHP process runs as. On most cPanel and DirectAdmin hosts that is your account username. On nginx with PHP-FPM it is often www-data or a per-site pool user. Run ls -la in the WordPress root over SSH and every file should show your PHP user in the third column. Anything owned by root, apache, or nobody is the reason WordPress is asking for FTP.
How do I fix ownership without SSH access?
Most shared hosts have a 'Fix File Permissions' or 'Reset Ownership' button somewhere in the control panel. On cPanel it is under Software > File Permissions or in the File Manager as a right-click option. On Plesk it is Websites & Domains > Hosting Settings > File Permissions. If your host does not expose the option, open a support ticket, they can run the fix in under a minute.
Will 777 permissions fix the FTP prompt?
Yes and it will also make your site fail every security audit that exists. 777 means every user on the server can read, write, and execute your files, which is how mass compromise happens on shared hosting. The correct permissions are 755 for folders, 644 for files, 600 for wp-config.php, with ownership set to your PHP user. Never use 777 as a fix.
Why does the prompt only appear after I migrated the site?
Because the migration process created files as a different user than the one PHP runs under. This is the single most common cause I see. Manual copies through FTP as a different account, extract-from-zip-as-root, or restoring a backup with the wrong tool all leave files owned by someone other than the site's PHP user. Reset ownership across the whole document root after any migration and the FTP prompt disappears.
Do managed WordPress hosts have this problem?
Rarely. Kinsta, WP Engine, Pressable, Cloudways and Flywheel all provision the file system with correct ownership from the start and updates go through their own tooling, not the PHP process. If you see the FTP prompt on a managed host, something unusual has happened, usually a manual SSH change or a plugin that wrote files as the wrong user. Contact support before touching anything.

Related Guides