Every hosting control panel gives you a dashboard full of buttons, file managers, and one-click installers. They’re convenient for common tasks. But there’s a ceiling — and once you hit it, the only way through is the command line.

SSH (Secure Shell) is a protocol that lets you open a direct, encrypted terminal session to your server from your own computer. With it, you can do in seconds what would take minutes in a control panel — or do things the control panel simply can’t do at all. Move ten thousand files, run database migrations, manage cron jobs, install WP-CLI, debug errors in real time, restart services, and transfer files securely between servers.

This guide covers SSH completely — what it is, how it works, how to connect from any operating system, the commands you’ll actually use, and how to stay secure while doing it. Whether you’ve never opened a terminal or you’re comfortable with the basics and want to go deeper, this guide has you covered.

1. What SSH Is

SSH stands for Secure Shell. It’s a network protocol that creates an encrypted connection between your local computer (the client) and a remote server. Once connected, you get a command-line interface directly on that server — as if you were sitting in front of it in the data centre.

Everything you type in an SSH session is transmitted encrypted. Everything the server sends back is encrypted. Nobody between you and the server — not your ISP, not a malicious actor on a shared network — can read the session contents. This is SSH’s core advantage over older remote access protocols like Telnet, which transmitted everything in plain text.

SSH was designed in 1995 as a secure replacement for Telnet and rsh. It’s now the universal standard for remote server management across the internet. Almost every web server, VPS, cloud instance, and dedicated server in the world runs an SSH daemon and accepts SSH connections.

2. How SSH Works

Understanding the mechanics of SSH gives you a clearer mental model for troubleshooting connection issues and configuring security correctly.

The SSH Handshake

When you run ssh [email protected], the following happens in under a second:

1. TCP connection: Your client connects to the server on port 22 (or a custom port if configured)
2. Protocol negotiation: Client and server agree on the SSH version and supported encryption algorithms
3. Server authentication: The server sends its host key — a unique fingerprint. Your client checks this against known hosts. The first time you connect, you’re asked to verify and accept it. On subsequent connections, a mismatch triggers a warning (which means either the server changed or something suspicious is happening)
4. Client authentication: You prove you’re allowed to log in — either by entering a password or by presenting a cryptographic key pair (more secure)
5. Session established: An encrypted channel opens and you get a shell prompt on the remote server

Port 22 and Custom Ports

SSH listens on port 22 by default. Security-conscious administrators often move it to a non-standard port (like 2222 or 2200) to reduce exposure to automated scanners that constantly probe port 22. If your host uses a non-standard SSH port, they’ll tell you — you specify it with the -p flag: ssh -p 2222 [email protected].

3. SSH vs. FTP: Why SSH Wins

FTP (File Transfer Protocol) used to be the standard way to upload files to a web server. Many hosting beginners still use it. SSH is strictly superior in almost every dimension.

4. What You Can Do with SSH

SSH unlocks a fundamentally different level of server access. Here are the most practical capabilities it gives you in a hosting context.

5. Does Your Host Support SSH?

SSH availability depends heavily on your hosting type. Here’s what to expect across each tier.

How to Enable SSH on Shared Hosting

If your shared host supports SSH but it isn’t enabled by default, you typically enable it through your hosting control panel:

• cPanel: Look for “SSH Access” or “Manage Shell Access” under the Security section. Toggle “Shell Access” to enabled. Your SSH username and password are usually the same as your cPanel credentials.
• SiteGround Site Tools: Devs → SSH Keys — you generate and upload an SSH key here rather than using password authentication.
• Hostinger hPanel: Advanced → SSH Access — toggle to enable and note your SSH port (often non-standard on shared hosting).

6. Connecting via SSH: Mac & Linux

Mac and Linux include a full SSH client built in. Open Terminal (Mac: Applications → Utilities → Terminal; Linux: your distribution’s terminal emulator) and you’re ready.

Basic Connection Command

First Connection: Accepting the Host Key

The first time you connect to a server, you’ll see a message like this:

Type yes and press Enter. The server’s fingerprint is saved to ~/.ssh/known_hosts on your machine. On future connections, SSH automatically verifies this fingerprint — if it changes unexpectedly, SSH will warn you, which is an important security signal.

Successful Connection

Using SSH Config for Shortcuts

If you connect to the same server regularly, create an SSH config file to save typing:

With this saved, connecting becomes simply:

7. Connecting via SSH: Windows

Windows 10 and Windows 11 include a built-in OpenSSH client — no software installation required.

Using Windows PowerShell or Command Prompt (Built-in)

Open PowerShell or Command Prompt and use the same ssh syntax as Mac and Linux:

If the built-in SSH client isn’t available (older Windows 10 builds), enable it via: Settings → Apps → Optional Features → Add a Feature → OpenSSH Client.

Using PuTTY (Popular GUI Alternative)

PuTTY is a free, widely used SSH client for Windows with a graphical interface. Download it from putty.org.

1. Open PuTTY
2. In “Host Name (or IP address)”, enter your domain or server IP
3. Set “Port” to 22 (or your host’s custom SSH port)
4. Connection type: SSH
5. Click “Open”
6. Accept the host key fingerprint on first connection
7. Enter your username and password when prompted

8. SSH Key Authentication

Password authentication for SSH is convenient but has real weaknesses — passwords can be brute-forced, phished, or intercepted. SSH key authentication is more secure, more convenient once set up, and the standard approach for cloud servers and managed hosting providers.

How Key Authentication Works

SSH key authentication uses a matched pair of cryptographic keys:

• Private key — stays on your computer only. Never shared, never transmitted. Treat this like a physical house key.
• Public key — placed on the server in ~/.ssh/authorized_keys. The server uses this to verify that you hold the matching private key. It’s safe to share — it’s mathematically useless without the private key.

When you connect, the server sends a challenge encrypted with your public key. Your SSH client decrypts it using your private key and sends back the proof. No password ever crosses the network.

Generating an SSH Key Pair

This creates two files: id_ed25519 (private key — guard carefully) and id_ed25519.pub (public key — safe to share).

Copying Your Public Key to the Server

If ssh-copy-id isn’t available (Windows, or manual setup), copy the public key content manually:

Shared Hosting: Uploading Keys via Control Panel

On shared hosting with cPanel, go to Security → SSH Access → Manage SSH Keys → Import Key. Paste the contents of your .pub file and click Import. Then authorize the key. Your host handles the authorized_keys setup automatically.

9. Essential SSH Commands

These are the commands you’ll actually reach for in a hosting context. Each one is immediately practical.

Navigation & File Management

Permissions

Archives

Database Operations

Viewing & Searching Files

Secure File Transfer: SCP & rsync

10. WP-CLI: SSH for WordPress

WP-CLI is the command-line interface for WordPress. If you run WordPress and have SSH access, WP-CLI is one of the most powerful tools available to you — it turns time-consuming dashboard tasks into single commands.

Installing WP-CLI

Many managed WordPress hosts (Kinsta, WP Engine, SiteGround) pre-install WP-CLI — just type wp --info to check if it’s already available.

Essential WP-CLI Commands

11. SSH Security Best Practices

SSH is inherently secure, but misconfiguration can undermine that security. These practices apply to VPS and dedicated server owners who manage their own SSH daemon. Shared hosting users have less control but should still follow the client-side practices.

Client-Side Best Practices (Everyone)

• Use key-based authentication, not passwords. An SSH key is mathematically stronger than any password and can’t be phished. Once key auth is set up, disable password auth on the server if you have that level of access.
• Protect your private key with a passphrase. If your computer is stolen, a passphrase-protected private key is useless to the thief. Use ssh-agent to avoid re-entering the passphrase constantly during a session.
• Never share your private key. If multiple people need access to a server, each person generates their own key pair and their public key is added to authorized_keys separately.
• Verify host fingerprints on first connection. When connecting to a new server, ask your host or check their dashboard for the expected fingerprint. A mismatch on a subsequent connection is a serious security warning — don’t ignore it.

Server-Side Best Practices (VPS / Dedicated)

• Disable root login over SSH. Set PermitRootLogin no in /etc/ssh/sshd_config. Log in as a regular user and use sudo for privileged commands.
• Disable password authentication. Once key auth is working, set PasswordAuthentication no. This eliminates brute-force password attacks entirely.
• Change the default SSH port. Moving from port 22 to a non-standard port (2222, 2200, etc.) eliminates the bulk of automated scanning noise. Not a security measure against a targeted attacker, but it dramatically reduces log clutter and opportunistic probing.
• Use fail2ban. This tool monitors SSH logs and automatically bans IP addresses after repeated failed login attempts — an effective defence against brute-force attacks.
• Restrict access by IP. If your office or home IP is static, configure your firewall (iptables, ufw, or your cloud provider’s security groups) to only allow SSH connections from known IP addresses.
• Keep OpenSSH updated. Vulnerabilities in SSH server software are rare but serious. Keep the openssh-server package updated as part of your regular patching routine.

12. SSH Quick Reference

A condensed reference for everything covered in this guide.

Connection Commands

Getting Started Checklist

• Confirm your hosting plan includes SSH access — check your control panel or contact support
• Find your SSH hostname, username, and port in your hosting dashboard
• Enable SSH access in your control panel if required (cPanel: Security → SSH Access)
• Generate an SSH key pair with ssh-keygen -t ed25519 on your local machine
• Upload your public key to the server via your control panel or ssh-copy-id
• Connect with ssh [email protected] and verify you reach a shell prompt
• Save your connection details to ~/.ssh/config for a quick alias
• Check if WP-CLI is available: run wp --info from your site’s root directory
• If on a VPS, disable password auth and root login once key auth is confirmed working