How to Create and Manage FTP Accounts in cPanel
Your main cPanel login can do everything on the account — which is exactly why you shouldn't hand it to a developer, a freelancer, or a deployment script that only needs to upload files to one folder. FTP accounts let you create scoped, disposable access instead. Here's how to set one up properly in cPanel, connect to it, and avoid the permission mistakes that trip people up.
What an FTP account actually is
Your cPanel login already has FTP access to the whole account — that's sometimes called the "main" or "anonymous" FTP user. A separate FTP account is a second set of credentials tied to a specific folder inside your home directory. The person or script logging in with it can only see and edit files inside that folder (and its subfolders), nothing else on the account.
This matters for two reasons: it limits the damage if the credentials leak, and it stops a contractor from accidentally touching files outside the project they were hired for.
Step 1: Create the FTP account
- Log in to cPanel and open FTP Accounts (under Files).
- Under Log In, pick a username. cPanel will append your domain automatically, so
editorbecomes something likeeditor@yourdomain.com. - Set a strong password, or click Password Generator and save it somewhere safe — cPanel won't show it again.
- Set the Directory. This is the part people rush through. By default cPanel suggests
/public_html/username, but you can point it anywhere inside your account — for example justpublic_htmlif the user needs access to the whole site, orpublic_html/blogto scope it down to one subfolder. - Set a Quota, or leave it as Unlimited if you don't want to cap storage for that folder.
- Click Create FTP Account.
The account is jailed to the directory you chose — the FTP client will show it as the root (/) when the user connects, and there's no way to navigate up out of it.
Step 2: Get the connection details
Under the same FTP Accounts page, each account has a Configure FTP Client link that gives you the exact host, port, and username to hand off. In general:
| Setting | Value |
|---|---|
| Host | Your domain, or the server's IP/hostname shown in cPanel |
| Username | accountname@yourdomain.com |
| Password | The one you set in Step 1 |
| Port | 21 for FTP/FTPS, 22 if you're using SFTP over SSH instead |
If your hosting has Force FTPS enabled (worth turning on if you have the option), the client needs to connect with explicit TLS on port 21 rather than plain FTP — FileZilla and WinSCP both handle this under an "encryption" or "protocol" dropdown in the site settings.
Connecting with FileZilla
- Open File > Site Manager > New Site.
- Set Protocol to FTP (or SFTP if you're using an SSH-based account), enter the host, and set Encryption to Require explicit FTP over TLS if FTPS is enforced.
- Enter the username and password from Step 1, then click Connect.
If FileZilla can't list the directory after connecting, that's almost always a passive mode or firewall issue, not a problem with the account itself.
Common setup mistakes
| Mistake | What happens | Fix |
|---|---|---|
| Directory left as account root | The FTP user can see and delete every file on the hosting account, including other sites in the same cPanel | Always scope the directory to the specific folder the user actually needs |
| Quota set to a low number "just in case" | Uploads fail partway through with no obvious error in the FTP client | Set Unlimited unless you have a real reason to cap it, and check the quota first if uploads stall |
| Username contains spaces or unusual characters | Some FTP clients mangle the login string, or the connection is refused outright | Stick to lowercase letters, numbers, hyphens, and underscores |
| Password reused from the main cPanel login | If the FTP credentials leak, the attacker effectively has full account access too | Generate a unique password per FTP account |
Changing permissions after the fact
If a folder shows "Permission denied" errors after you create the FTP account, it's usually a file/folder permission mismatch rather than an FTP configuration problem. Standard cPanel permissions are:
- Folders:
755 - Files:
644 - Scripts that must be executable (rare, and usually not needed for plain uploads):
750
You can fix these from File Manager by right-clicking the folder or file and choosing Change Permissions, or recursively over SSH with:
find /home/username/public_html/blog -type d -exec chmod 755 {} \;
find /home/username/public_html/blog -type f -exec chmod 644 {} \;Avoid chmod -R 777 as a shortcut — it makes every file world-writable, which is exactly what malware scanners flag when a site gets compromised.
Deleting or updating an account
Back in FTP Accounts, scroll to Special FTP Accounts to see every account on the domain. From there you can:
- Change Password — rotate credentials without recreating the account
- Change Quota — adjust the storage cap
- Delete — removes the login but leaves the files in place
Delete FTP accounts as soon as a contractor's work is done, the same way you'd revoke a departing employee's key card. Unused accounts sitting around with old passwords are one of the more common ways shared-hosting sites get compromised.
Prevention: keep FTP access tight going forward
- Create a separate FTP account for every person or tool that needs upload access — never share one login among multiple people.
- Scope the directory as narrowly as the job allows.
- Prefer SFTP over plain FTP when your plan supports SSH access — it's encrypted end to end and doesn't have FTP's passive-mode firewall headaches.
- Turn on Force FTPS in cPanel if you must use plain FTP, so credentials aren't sent in the clear.
- Review the FTP Accounts list every few months and delete anything you don't recognize.
A few minutes spent scoping accounts properly up front saves a much worse afternoon later, cleaning up after a leaked password or an accidental delete in the wrong folder.
Frequently asked questions
What's the difference between the main FTP account and a new one I create?
The main account (your cPanel login) has access to every file on the hosting account. A new FTP account you create is jailed to whichever directory you assign it, so it can't see or modify anything outside that folder.
Should I use FTP, FTPS, or SFTP?
SFTP (port 22, over SSH) is the most secure and is available if your hosting plan includes SSH access. If you only have plain cPanel hosting, use FTPS (FTP over TLS) rather than plain FTP so your password isn't sent unencrypted.
Why does the FTP account show the wrong folder as the root directory?
cPanel jails the account to whatever directory you set when creating it, and displays that folder as '/' in the FTP client. If it's wrong, edit the account in FTP Accounts and update the directory, or delete and recreate it with the correct path.
Can I limit an FTP account to read-only access?
cPanel's FTP Accounts tool doesn't have a built-in read-only toggle. For read-only access you'd need to set restrictive file permissions on the target directory, or use a different protocol like SFTP with a chrooted SSH key that has limited write permissions, which typically requires WHM/root access.
Is it safe to leave quota set to Unlimited?
Yes, as long as your hosting plan has its own overall disk quota. Unlimited on the FTP account just means that specific login isn't individually capped below your account's total allowance.