Managing Your Site Files: File Manager, FTP & .htaccess

You can manage your website files two ways: the File Manager inside your hosting control panel (quick and browser-based) or an FTP/SFTP desktop app for larger jobs. The .htaccess file is a small settings file that controls redirects, security, and caching on Apache servers.

Key takeaways

  • Two doors to your files: File Manager needs no software; FTP/SFTP is better when you move lots of files.
  • Always prefer SFTP over plain FTP. SFTP encrypts your login and files; plain FTP sends them in the open.
  • Your public files live in the web root — usually a folder named public_html.
  • .htaccess is a per-folder Apache settings file for redirects, HTTPS, access rules, and caching. It is Apache-only.
  • Back up .htaccess before you edit it. One wrong line can take your whole site down with a 500 error.

The two ways to reach your website files

Every website is really just a set of files and folders sitting on a server. To add a photo, edit a page, or fix a setting, you first need to open those files. There are two common ways to do that, and most site owners use both depending on the job.

1. The hosting File Manager. A File Manager is a file browser built into your hosting control panel, such as cPanel or hPanel. You open it in your web browser, log in once, and you can see your folders, upload files, and edit text right on screen. There is nothing to install, so it is the fastest way to make a quick change. If you are new to control panels, our guide to hosting control panels shows where the File Manager lives and how to open it.

2. FTP or SFTP with a desktop client. FTP (File Transfer Protocol) is a standard way to move files between your computer and your server. You use a small desktop app called an FTP client — free options include FileZilla and Cyberduck — to connect and drag files across. This is the better choice when you need to upload a whole theme, download a backup, or move hundreds of files at once, because it handles large batches far more smoothly than a browser.

Which should you use? For a one-off edit, open the File Manager. For bulk uploads, downloads, or repeated work, use an FTP client. When you do connect over FTP, always choose SFTP (the secure version) rather than plain FTP. More on that difference below.

How to connect to your site with SFTP

Connecting takes about two minutes once you know where your details live. These steps use FileZilla as the example client, but every FTP client asks for the same four things: a host address, a username, a password, and a port. Follow them in order.

  1. Get your FTP/SFTP details from your host's panel. Log in to your control panel and find the FTP or SFTP accounts section. Note four values: the host (server address), your username, your password, and the port — use 21 for plain FTP or 22 for SFTP.
  2. Open your FTP client. Launch FileZilla (or Cyberduck, or another client you have installed).
  3. Enter the host, username, password, and port. Type your host address, your username, and password, then set the port to 22 and choose SFTP so the connection is encrypted.
  4. Connect, and your server's folders appear. Click Connect. On the right side of the window you will see the folders that live on your server.
  5. Open your web root. Navigate to your web root folder — on most hosts this is named public_html. Everything inside it is what visitors can see.
Tip: If the connection fails, double-check the port (22 for SFTP) and confirm you picked SFTP, not FTP, in the client. A wrong port is the most common reason a connection is refused.

Key folders and common file tasks

Once you are connected, a few folders matter more than the rest. Knowing what they hold saves you from editing the wrong thing.

The web root (public_html). This is the public home of your site. Any file you place here can be reached by visitors through your domain. If you are unsure where to upload something so it appears on your live site, this is almost always the answer.

The wp-content folder (WordPress sites). If you run WordPress, the wp-content folder holds the parts you actually change: your themes, your plugins, and your uploads (every image and media file you have added). Setting up WordPress for the first time? Our walkthrough on how to install WordPress covers the full setup.

Here are the everyday tasks you will do most often, whether in the File Manager or an FTP client:

  • Upload a file: drag it from your computer into the folder (or use the Upload button in the File Manager).
  • Download a file: drag it from the server to your computer to keep a copy or work on it offline.
  • Edit a file: right-click a text file (like a theme file or .htaccess) and choose Edit or View to open it.
  • Set file permissions: permissions decide who can read, write, or run a file. The safe defaults are 755 for folders and 644 for files.
Never set permissions to 777. That gives everyone — including attackers — full control to read, change, and run your files. It is a common cause of hacked sites. Stick to 755 for folders and 644 for files unless your host's documentation tells you otherwise.

What the .htaccess file is

.htaccess is a small text file that gives instructions to an Apache web server about the folder it sits in. The name starts with a dot, which is why it can look hidden in your File Manager until you turn on "show hidden files." Despite its size, it controls some of the most important behaviour on your site:

  • Redirects: send visitors from an old address to a new one.
  • URL rewrites: turn messy links into clean, readable ones (this is what makes WordPress "pretty permalinks" work).
  • Access rules: allow or block visitors, and protect sensitive files.
  • Caching: tell browsers to store files locally so pages load faster on repeat visits.

Because it is a per-directory file, an .htaccess in one folder only affects that folder and the folders inside it. Most sites keep their main one in the web root (public_html).

Apache only. The .htaccess file works on Apache servers. If your host runs Nginx instead, it uses a different configuration system and ignores .htaccess entirely, so the snippets below will not apply. Not sure which one you have? Ask your host, or check your control panel's server details.

Useful, safe .htaccess snippets

Below are common, low-risk rules you can add to your .htaccess file. Each one has a short note on what it does. Add them between the existing lines, not inside the WordPress block (the part marked # BEGIN WordPress).

Force HTTPS — sends every visitor to the secure https:// version of your site.

RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Redirect non-www to www — picks one version of your domain so search engines do not see two. (Swap the rule if you prefer non-www instead.)

RewriteEngine On RewriteCond %{HTTP_HOST} ^example\.com [NC] RewriteRule ^(.*)$ https://www.example.com/$1 [L,R=301]

Set a custom error page — shows your own friendly page instead of a plain server error.

ErrorDocument 404 /404.html ErrorDocument 500 /500.html

Block access to a sensitive file — stops visitors opening files like wp-config.php, which holds your database password.

<Files wp-config.php> Require all denied </Files>

Basic browser caching — tells browsers to keep images and scripts for a while so return visits load faster.

<IfModule mod_expires.c> ExpiresActive On ExpiresByType image/jpeg "access plus 1 month" ExpiresByType image/png "access plus 1 month" ExpiresByType text/css "access plus 1 week" ExpiresByType application/javascript "access plus 1 week" </IfModule>
Back up .htaccess before you touch it. A single bad line causes a site-wide 500 Internal Server Error that takes down every page at once. Before editing, download a copy of the current file, or edit a copy first and only replace the live one when it works. Our website backups guide walks through saving a restore point in a couple of minutes.

Common file and .htaccess problems

When file changes go wrong, they usually show up as one of two errors. Both are fixable, and both point straight back to your files.

A 500 Internal Server Error. This is the classic sign of a broken .htaccess file. One misspelled directive or a rule your server does not support can bring down the whole site. The quickest test is to rename .htaccess to .htaccess-old and reload your site; if it comes back, the file was the cause. Our step-by-step guide to fixing a 500 Internal Server Error covers this in full.

A 403 Forbidden error. This means the server is refusing to show a file. It is usually caused by wrong file permissions (for example, a folder that should be 755 set to something restrictive) or an access rule in .htaccess that blocks too much. See how to fix 403 and 404 errors for the exact checks.

Common mistakes to avoid

Editing .htaccess without a backup is the mistake that costs the most. Because a bad line takes the whole site offline, always save a copy first — it turns a scary outage into a ten-second undo.

Watch out for these four slip-ups, which cause most file-management headaches for beginners:

  • Using plain FTP instead of SFTP. Plain FTP sends your password and files unencrypted, where they can be intercepted. Choose SFTP on port 22 every time.
  • Setting 777 permissions. It "fixes" a permission error by opening your files to everyone. Use 755 for folders and 644 for files instead.
  • Editing .htaccess with no backup. Download the current file first, or edit a copy and swap it in once it works.
  • Uploading to the wrong folder. Files meant to be public must go inside your web root (public_html). Uploading a level too high means visitors never see them.

Frequently asked questions

How do I access my website's files?

You have two options. The quickest is the File Manager inside your hosting control panel — open it in your browser, and you can view, upload, and edit files with no software to install. For bigger jobs, connect with an FTP client such as FileZilla or Cyberduck using the SFTP details from your host's panel. Both open the same files; the File Manager is faster for one change, while an FTP client handles bulk uploads better.

What's the difference between FTP and SFTP?

Both move files between your computer and your server, but SFTP (Secure File Transfer Protocol) encrypts the connection, so your username, password, and files travel scrambled and cannot be read if intercepted. Plain FTP sends everything in the open. Because SFTP protects your login for no extra effort, choose it whenever your host offers it — which is almost always.

What port does SFTP use?

SFTP uses port 22. Plain FTP uses port 21. When you set up a connection in your FTP client, enter 22 and select SFTP for a secure link. A wrong port number is the most common reason a connection is refused, so it is the first thing to check if you cannot connect.

What is the .htaccess file?

.htaccess is a small configuration file that tells an Apache web server how to behave in the folder where it sits. It handles redirects, URL rewrites, access rules, and caching. It works per-folder, so the one in your web root controls your main site. Note that it only works on Apache servers — Nginx uses a different system and ignores it.

Why did editing .htaccess break my site?

Almost always because of a single invalid line. Apache reads .htaccess on every request, so one typo or an unsupported directive stops the whole site and shows a 500 Internal Server Error. To recover, rename the file to .htaccess-old (or restore your backup) and reload the site — it should come straight back. Then correct the line and add it again carefully. This is exactly why you back up the file before editing.

Where is my web root folder?

On most hosts the web root is a folder named public_html, found at the top level once you connect over SFTP or open the File Manager. Everything inside it is public and served through your domain. Some hosts name it www or htdocs instead, but the role is the same: it is the folder your live site is served from.

Is the File Manager safe to use for editing files?

Yes. The File Manager runs over your control panel's secure login, so it is a safe way to view and edit files. The same rule still applies as with FTP: before you change an important file like .htaccess or wp-config.php, make a copy first. The File Manager makes that easy — right-click the file and choose Copy or Download before you edit.

Summary

Managing your site files comes down to a few habits. Reach your files through the browser-based File Manager for quick edits, or an SFTP client on port 22 for larger jobs — and always pick SFTP over plain FTP. Keep your public files in the web root (public_html), set folders to 755 and files to 644, and never use 777. Treat .htaccess with respect: it is powerful, Apache-only, and one bad line can take the site down, so back it up before every edit. The single best habit to build next is a reliable safety net — read our website backups guide so any file change is always one restore away from being undone.

References

  • Apache HTTP Server Project — Apache HTTP Server Tutorial: .htaccess files, official documentation.
  • Apache HTTP Server Project — mod_rewrite and mod_expires module documentation.
  • WordPress.org — Changing File Permissions and Hardening WordPress, official developer documentation.
  • IETF — SSH File Transfer Protocol (SFTP), protocol reference.
Bitrich777 Hosting Team
About the author

The editorial team behind the Bitrich777 Hosting Help Center — practical, tested guides on web hosting, WordPress, servers, DNS, SSL, email, security and migration. Every walkthrough is reproduced on a live host before it is published.

Spotted an error? Tell us