Create read-only SFTP access for one scan
SiteVault needs SFTP only for the scan run. The scan is read-only and does not write, edit, or delete server files. Credentials are encrypted for execution and removed after completion, failure, cancellation, or stale scan recovery.
Setup checklist
Use a temporary SFTP user instead of your main hosting, administrator, or control-panel account.
Limit the user to the WordPress root path where your host allows it.
Use the account only for the SiteVault scan run.
Use a strong one-time password that is not reused anywhere else.
Remove or disable the account after the scan completes, fails, or is cancelled.
Do not continue if you cannot identify the correct site directory.
Common WordPress roots
Enter the directory that contains the site's WordPress files, including wp-config.php, wp-admin, wp-content, and wp-includes.
/public_html
/home/USERNAME/public_html
/home/USERNAME/domains/example.com/public_html
domains/example.com/public_html
Read-only limits
Some hosts cannot create truly read-only SFTP users. In that case, proceed only if you understand the risk, use a temporary account, and remove or disable it after the scan.
Verify the SFTP server before sharing access
The SSH host key fingerprint confirms that the scanner is connecting to the expected SFTP server rather than a different host. Get the approved fingerprint from your hosting provider whenever possible.
Do not blindly trust an unknown fingerprint. A common format starts with SHA256: followed by the fingerprint value.
ssh-keyscan -p 22 sftp.example.com
ssh-keyscan -p 65002 sftp.example.com
These commands retrieve the public host key, not the SFTP password. Compare the fingerprint of the returned key with the provider-approved fingerprint when possible. If the host key changes unexpectedly, the scan should fail; verify the server with your host before retrying.
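The comparison above, as an added example that is not SiteVault's own code: it parses ssh-keyscan output, computes the OpenSSH SHA256 fingerprint of each returned key, and accepts the server only when one fingerprint matches the approved one. The key blob, host name and port in the sample are constructed.

```python
"""Compute and verify OpenSSH SHA256 host-key fingerprints from ssh-keyscan output."""
import base64
import hashlib
import hmac
import struct


def sha256_fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint of a base64 key blob: SHA256:<base64 digest, no padding>."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(output: str) -> dict:
    """Map key type -> fingerprint for each key line ssh-keyscan printed.

    Comment lines start with '#'; non-default ports appear as "[host]:port".
    """
    fingerprints = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        _host, keytype, key_b64 = parts[:3]
        fingerprints[keytype] = sha256_fingerprint(key_b64)
    return fingerprints


def host_key_matches(output: str, approved: str) -> bool:
    """True only if a scanned key equals the provider-approved SHA256 fingerprint."""
    approved = approved.strip().rstrip("=")
    if not approved.startswith("SHA256:"):
        raise ValueError("approved fingerprint must be in SHA256: form")
    return any(hmac.compare_digest(fp, approved) for fp in parse_keyscan(output).values())


# Constructed sample, not a real server key: an ed25519 blob built from 32 placeholder
# bytes, printed the way `ssh-keyscan -p 65002 sftp.example.com` would print it.
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_KEYSCAN = (
    "# sftp.example.com:65002 SSH-2.0-OpenSSH_9.6\n"
    f"[sftp.example.com]:65002 ssh-ed25519 {base64.b64encode(_blob).decode()}\n"
)
# What the hosting provider would publish (here derived from the constructed key).
SAMPLE_APPROVED = sha256_fingerprint(base64.b64encode(_blob).decode())

if __name__ == "__main__":
    # A mismatch means the host key changed or the host is not the expected server: stop.
    print("host key OK" if host_key_matches(SAMPLE_KEYSCAN, SAMPLE_APPROVED) else "MISMATCH, stop")
```

With a real server, feed the output of ssh-keyscan into parse_keyscan and the fingerprint from your host into host_key_matches; a False result is the point at which to stop and contact the provider.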
Before you submit
Confirm the SSH host key fingerprint from your host before entering credentials. Result and PDF URLs are bearer links, so anyone with the link can view the scan output. Treat those links as sensitive and share them only with the incident owner.