How do I secure my connection to WordPress?

I’m having trouble creating a secure connection to my WordPress site after making some recent changes, and now I’m worried my login and site data may not be fully protected. I need help figuring out what went wrong and how to properly set up SSL, HTTPS, and other WordPress security settings so my website stays safe.

I learned this the hard way on an early WordPress install. If you log in or move files over a weak connection, you are handing over your keys and hoping nobody notices. I stopped treating server access like a small detail after I saw how easy it is to leave a site exposed.

Safer ways to connect to WordPress

For the dashboard, HTTPS is the baseline. Your browser and the server talk over an encrypted connection, so login details are far less exposed while you sign in. If your admin page still loads without HTTPS, I would fix that first.

For file access, the choices are not equal.

  1. FTP (File Transfer Protocol). Old, common, and weak. It sends credentials in plain text. I avoid it unless a host gives me no other route and I am forced into a short-term fix.
  2. SFTP (SSH File Transfer Protocol). This is the one I pick first. It runs through SSH, so file transfers and login details are encrypted. If your host supports it, use it and move on.
  3. SSH (Secure Shell). Direct shell access. Faster for people who work in Terminal and know the commands they are typing. I use it for edits, permissions, logs, and cleanup jobs when a file app feels slow.

FTP clients I ended up comparing

You still need an app to connect with SFTP or FTP. I tried a few, and they all have their own weird spots.

1. FileZilla

FileZilla shows up in almost every thread for a reason. Free, cross-platform, easy enough to set up. If you need something now, it gets you connected fast. My issue came later. On large jobs, stuff like full backups or giant plugin folders, it started dragging. The slowdown was noticeable, not subtle.

2. Commander One

On macOS, Commander One felt more tuned for heavier use. It is paid, yes, but I get why. It handles FTP and SFTP cleanly, and the archive support saves time. I liked being able to compress files and push them up without juggling extra apps. If you deal with repeated deploys, this part matters more than people admit.

3. Cyberduck

Cyberduck gets recommended a lot because it is free and open source. The interface is cleaner than some older clients, and it connects to more than plain web servers. My snag with it was reliability during simple tasks. Renaming, moving folders, small routine stuff, sometimes it felt a bit off. Not broken all the time, still annoying when you are mid-task.

4. CloudMounter

CloudMounter takes a different route. On Windows and Mac, it mounts the remote server like a local drive. I get why beginners like it. You open Finder or File Explorer and work with files the same way you do anywhere else. No separate panel to learn, no clunky transfer window staring at you. For basic site edits, it feels less intimidating.

If you are picking one setup and want fewer mistakes, I would keep it simple. Use HTTPS for wp-admin. Use SFTP for file transfers. Use SSH when you need direct server control. FTP is the one I leave behind first.

2 Likes

What usually breaks after recent changes is not WordPress itself. It is the SSL setup, URL settings, or mixed content.

Start with 4 checks.

  1. Confirm your site URLs.
    In wp-admin, Settings, General, both WordPress Address and Site Address should use https://
    If wp-admin is locked out, check wp-config.php or your database values for home and siteurl.

  2. Force admin over SSL.
    Add this to wp-config.php:
    define('FORCE_SSL_ADMIN', true);

If you run a proxy or CDN like Cloudflare, wrong proxy headers often cause login loops. I disagree a bit with @mikeappsreviewer on one point, HTTPS is baseline, yes, but if the server thinks traffic is plain HTTP behind a proxy, WordPress still acts broken. Check your host or proxy SSL mode first.

  3. Test your certificate.
    Use SSL Labs. If the cert is expired, mismatched, or missing the full chain, browsers throw warnings. That is often why the “secure connection” fails after a host or DNS change.

  4. Fix mixed content.
    If pages load over HTTPS but images, scripts, or themes load over HTTP, your padlock breaks. Run a search-replace for old http:// URLs in the database. Better Search Replace is fine for this.

For file access, skip plain FTP. Use SFTP or SSH keys. If you want a cleaner file workflow on Mac, Commander One is solid for WordPress file access over SFTP. Less clutter, fewer dumb mistakes.

Also do these right now.
Change your WP admin password.
Change hosting and database passwords.
Enable 2FA.
Check .htaccess for odd redirects.
Review users list for accounts you do not recognize.

If you post the exact error, like ERR_SSL_PROTOCOL_ERROR or too many redirects, people here can narrow it down fast.
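Added example, not part of the replies in this thread: a small Python scanner for the mixed-content check described above. It separates blocked loads (scripts, iframes, stylesheets), passive loads (images, media) and forms that post to http://, and ignores plain links and rel="canonical", which are not mixed content. The sample page and the example.com URLs are constructed.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that fetch a subresource from the page
ACTIVE = {("script", "src"), ("iframe", "src")}  # blocked by browsers
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "link":
            # only stylesheets count here; rel="canonical" is a hint, not a load
            if "stylesheet" in attrs.get("rel", "").lower().split():
                self.record("active", tag, attrs.get("href", ""))
        elif tag == "form":
            # a login form posting to http:// sends the password in clear text
            self.record("form", tag, attrs.get("action", ""))
        for name, value in attrs.items():
            if (tag, name) in ACTIVE:
                self.record("active", tag, value)
            elif (tag, name) in PASSIVE:
                self.record("passive", tag, value)
            elif name == "srcset" and tag in ("img", "source"):
                for candidate in value.split(","):
                    self.record("passive", tag, (candidate.split() or [""])[0])

    def record(self, kind, tag, url):
        url = url.strip()
        if url.lower().startswith("http://"):
            self.findings.append((kind, tag, url))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; example.com is a placeholder domain
SAMPLE = """
<link rel="stylesheet" href="http://example.com/wp-content/themes/demo/style.css">
<link rel="canonical" href="http://example.com/">
<script src="https://example.com/wp-includes/js/jquery.js"></script>
<a href="http://example.com/about/">About</a>
<img src="http://example.com/logo.png" srcset="https://example.com/a.png 1x, http://example.com/b.png 2x">
<form action="http://example.com/wp-login.php" method="post"></form>
"""
```

Feed it the saved HTML of a page that shows a broken padlock; the URLs it reports are the ones to look for in the database search-replace.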

I’d add one thing neither @mikeappsreviewer nor @viaggiatoresolare really leaned on enough: check the server time and your local DNS/cache situation. Sounds boring, but bad system time can break SSL validation, and stale DNS after a host/CDN change can make you think the cert or redirect setup is wrong when you’re just hitting the old endpoint. Seen that more than once.

What I’d do in order:

  1. Verify the cert on the server actually matches the current domain, including www vs non-www.
  2. Clear server/page cache, CDN cache, browser cache, and flush local DNS.
  3. Check if HSTS was enabled before the change. If it was, browsers can get stubborn fast.
  4. Look at your web server config directly:
    • Apache: vhost + rewrite rules
    • Nginx: server blocks + proxy headers
  5. Make sure permissions didn’t get weird after your edits. Broken ownership can stop renewals or config loads.

Also, if you changed hosts recently, make sure auto-renew for Let’s Encrypt is still working. A lot of people fix SSL once and then just kinda hope for the best.

For access, I actually disagree slightly with the “just use SSH” crowd. If you’re not comfortable in shell, it’s easy to do more damage faster. SFTP is usually the safer practical move. On Mac, Commander One is pretty handy for secure WordPress file access over SFTP because it keeps things simple and reduces those dumb drag-and-drop mistakes. Not magic, just less annoying.

If you think login data may have been exposed, rotate everything now:

  • WP password
  • hosting panel password
  • SFTP/SSH creds
  • database password
  • API keys/salts in wp-config.php

And check access logs. That part matters way more than people think. Logs usually tell the truth when WordPress just says “secure connection failed” in a vague, useless way.
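Added example, not part of the replies in this thread: one way to do the access-log check when login data may have been exposed. It parses combined-format log lines, counts wp-login.php POST outcomes per client IP, and lists IPs that either logged in from an address you do not recognise or guessed repeatedly. Treating a 302 as a successful login and a 200 as a failed one is a heuristic assumption; the log lines, IP addresses and function names are constructed.

```python
import re
from collections import defaultdict

# Apache/Nginx "combined" log format, parsed up to the status code
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def summarize_logins(lines):
    """Count wp-login.php POST outcomes per client IP."""
    stats = defaultdict(lambda: {"failed": 0, "ok": 0, "first_ok": None})
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue  # GET requests only render the login form
        if not m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            continue
        entry = stats[m["ip"]]
        if m["status"] == "302":    # heuristic: redirect after a successful login
            entry["ok"] += 1
            entry["first_ok"] = entry["first_ok"] or m["ts"]
        elif m["status"] == "200":  # heuristic: form shown again with an error
            entry["failed"] += 1
    return dict(stats)


def suspicious_ips(stats, known_ips, max_failed=3):
    """IPs that logged in but are not yours, or that guessed repeatedly."""
    return sorted(
        ip for ip, s in stats.items()
        if (s["ok"] and ip not in known_ips) or s["failed"] > max_failed
    )


def sample_line(ip, ts, method, status):
    return (f'{ip} - - [{ts} +0000] "{method} /wp-login.php HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


# Constructed log lines using documentation-range IP addresses
SAMPLE_LOG = (
    [sample_line("203.0.113.7", f"12/May/2025:10:01:0{i}", "POST", 200) for i in range(4)]
    + [sample_line("203.0.113.7", "12/May/2025:10:01:09", "POST", 302),
       sample_line("198.51.100.20", "12/May/2025:11:30:00", "POST", 302),
       sample_line("192.0.2.55", "12/May/2025:12:00:00", "GET", 200),
       sample_line("192.0.2.55", "12/May/2025:12:00:05", "POST", 200)]
)
```

Pass your own admin addresses as `known_ips`; a login from any other address, especially one preceded by a run of failures, is the entry to investigate before and after rotating credentials.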