How do I update WordPress using FTP on my Mac

Mac
1

I’m trying to manually update my WordPress site using FTP on my Mac because the one-click update in the dashboard keeps failing with timeout errors. I’m not totally sure which core files and folders I should replace, what I need to back up first, or how to avoid breaking my theme and plugins. Can someone walk me through the correct, safe steps for updating WordPress via FTP on macOS, including any recommended FTP client settings and common mistakes to avoid?

2

Updating WordPress Manually With FTP on a Mac (Real-World Walkthrough)

I used to rely completely on the built‑in “Update now” button in WordPress until one of my sites froze on a white screen and refused to load. Host support told me to “update manually via FTP” like that was something everyone just does before breakfast.

If you’re on a Mac and in the same boat, here’s the cleaned‑up version of what actually works for a simple, safe manual core update.

1. Grab the newest WordPress download

  1. Go to https://wordpress.org.
  2. Download the latest WordPress ZIP file.
  3. Once it finishes, double‑click the ZIP so it unpacks into a folder called wordpress on your Mac (usually in Downloads).

You should now see a folder that has stuff like:

  • wp-admin
  • wp-includes
  • a bunch of .php files in the root
  • a wp-content folder

That last one is the important bit for the next step.

2. Delete the local wp-content folder

Inside that new wordpress folder you just unzipped:

  1. Find the wp-content folder.
  2. Delete it from the local copy.

Why? Because on your server, wp-content is where your themes, plugins, and uploaded files live. Replacing it with the “empty default” from the download would be like installing a fresh WordPress on top of your existing one and wiping your customizations.

So the rule is: update core files only, leave your own stuff alone.

3. Connect to your site via FTP

You’ll need an FTP client. On Mac, common ones are:

  • Cyberduck
  • FileZilla
  • Transmit
  • Or whatever you already have installed

Open your FTP app and:

  1. Put in your FTP or SFTP login details (host, username, password, port).
  2. Connect to your server.

If you don’t know the credentials, check your hosting panel or ask support. Most shared hosts give you at least one FTP or SFTP account.

4. Find your WordPress install on the server

Once connected, browse the server’s folders. Usually your WordPress site is in one of these:

  • public_html
  • htdocs
  • /var/www/ (on VPS setups)
  • Or just the root of your user’s web directory

You’ll know you’re in the right place when you see:

  • wp-admin/
  • wp-includes/
  • wp-content/
  • Files like wp-config.php, index.php, etc.

That directory is what you’re going to update.

5. Upload the new WordPress files (minus wp-content)

On the left (or local) side of your FTP client:

  1. Open the wordpress folder you unzipped earlier.
  2. Select everything except wp-content.

Then:

  1. Drag or upload those selected files and folders into your site’s main WordPress folder on the server (the one with wp-admin, wp-includes, etc.).
  2. When your FTP client asks what to do with files that already exist on the server, choose Overwrite (and apply to all).

This replaces the core WordPress files with fresh ones, while leaving your existing wp-content folder (themes, plugins, uploads) completely untouched.

6. Wrap it up in the dashboard

When the upload finishes:

  1. Go to your site’s WordPress admin URL in your browser, usually https://yourdomain.com/wp-admin/.
  2. If WordPress needs to tweak the database for this version, it will show a screen asking you to run the database update. Click the button and let it complete.

If that page loads fine and there are no weird errors, you’re done. The basic pattern is:

Download → remove wp-content locally → upload everything else → overwrite → check dashboard

That’s literally the whole manual update process.

Updating WordPress With Commander One on a Mac

If you prefer something that feels more “Finder‑like” and less like an old‑school FTP app, Commander One on macOS is pretty comfortable, especially because of the dual‑pane layout.

Link for it:

Here’s how the update flow looks in that app.

1. Open Commander One and connect to your server

  1. Launch Commander One.
  2. Use the top toolbar to create a new FTP or SFTP connection.
  3. After you connect, set one pane to show your remote site. Navigate until you see your WordPress install (again, you’re looking for wp-admin, wp-includes, wp-content, etc.).

Now one side is your server. Time to prep the local side.

2. Load the new WordPress files locally

In the other pane:

  1. Open the folder where you unzipped the latest WordPress download from wordpress.org.
  2. Just like before, delete the wp-content folder from that local copy.
  3. Double‑check it is gone locally so you don’t drag it up by habit.

So you should now have:

  • Left pane: server with your live WordPress site.
  • Right pane: local extracted WordPress folder with no wp-content.

3. Drag and overwrite

On the pane that has the local WordPress folder:

  1. Select everything except wp-content (which you already deleted).
  2. Drag those selected items into the pane that shows your server’s WordPress directory (the one that has your live wp-admin, wp-includes, etc.).

Commander One will pop up a dialog when it hits existing files.

  • Choose to Overwrite matching files.
  • Apply to all so you don’t have to confirm every single file.

Commander One will handle the transfers and replacements in the background.

4. Confirm via WordPress admin

Once Commander One finishes:

  1. Open your WordPress dashboard in a browser: https://yourdomain.com/wp-admin/.
  2. If there is any required database update for that version, WordPress will show you a prompt. Click through and let it run.

If the dashboard loads and you can move around normally, the update worked.

A lot of Mac users like this method because you see local and remote folders side by side and basically treat the server like another Finder window. No hunting around for “local site” vs “remote site” tabs, just drag from one pane to the other and confirm overwrites.

4 Likes
3

Short version: the idea from @mikeappsreviewer is right (replace core, skip your data), but I’d tweak the “delete wp-content” part and add some safety nets.

1. Before you touch FTP

  1. Backup first

    • Database: use your host’s phpMyAdmin or a plugin that still works long enough to export the DB.
    • Files: at minimum download:
      • wp-content
      • wp-config.php

  2. Put site in maintenance (optional but smart)

    • Create a file called .maintenance in the WordPress root with:
      <?php $upgrading = time(); ?>
    • This avoids people hitting the site mid‑update and seeing random errors.

2. What to actually overwrite

This is the part you were unsure about, so here’s the exact list:

Replace with new version (overwrite):

  • Entire wp-admin folder
  • Entire wp-includes folder
  • Root files like:
    • index.php
    • wp-activate.php
    • wp-blog-header.php
    • wp-comments-post.php
    • wp-cron.php
    • wp-links-opml.php
    • wp-load.php
    • wp-login.php
    • wp-mail.php
    • wp-settings.php
    • wp-signup.php
    • wp-trackback.php
    • xmlrpc.php
    • license.txt, readme.html (not essential, but fine)

Do not overwrite:

  • wp-content/ (this is your themes, plugins, uploads)
  • wp-config.php
  • Any custom files your host added in root (things like php.ini, .user.ini, web.config, etc.)

Where I disagree slightly with @mikeappsreviewer:
You don’t strictly need to delete the local wp-content folder. You can just be disciplined and don’t upload it. Personally I keep it and just uncheck/skip it in the FTP client, so I can compare default files later if something breaks.

3. FTP workflow on Mac (alt approach)

If you hate classic FTP windows, Commander One on macOS is a nice “dual pane” option:

  1. Left pane: connect via FTP/SFTP to your server, go to your WordPress root.
  2. Right pane: open the unzipped wordpress folder from wordpress.org.
  3. In the right pane:
    • Select:
      • wp-admin
      • wp-includes
      • All core .php files in the root of that folder
    • Explicitly do not select wp-content.
  4. Drag the selection from right → left.
  5. When asked:
    • Action: Overwrite
    • Apply to all

This is the same principle as what was already described, just more visual and a little harder to screw up if you’re nervous.

4. Clean up and finish

  1. Delete the .maintenance file if you created it.
  2. Go to /wp-admin/ in your browser.
  3. If you see a “Database Update Required” screen, click the button.
  4. Check:
    • Front page loads
    • Login works
    • A couple key plugins still behave

5. If it white screens or dies

If it all goes sideways:

  1. Re-upload your backup of:
    • wp-admin
    • wp-includes
    • Core root files
  2. Restore the DB backup.
  3. Confirm file permissions:
    • Typically 755 for folders, 644 for files.

So: yes, you update via FTP by overwriting wp-admin, wp-includes, and core root PHP files, while leaving wp-content and wp-config.php alone. Use Commander One if you want a more Finder-like interface, and always have a backup before you start playing sysadmin at 2 a.m.

4

The other replies already nailed the how, so I’ll focus on what to replace, what not to touch, and a couple of ways to avoid bricking the site mid‑upload.

You’re on the right track: you only want to refresh WordPress core, not your content.

1. Files/folders you do replace

From the fresh WordPress download:

Upload & overwrite entirely:

  • wp-admin/
  • wp-includes/

Upload & overwrite these root files if they exist in the download:

  • index.php
  • wp-activate.php
  • wp-blog-header.php
  • wp-comments-post.php
  • wp-cron.php
  • wp-links-opml.php
  • wp-load.php
  • wp-login.php
  • wp-mail.php
  • wp-settings.php
  • wp-signup.php
  • wp-trackback.php
  • xmlrpc.php
  • You can also overwrite license.txt and readme.html, they don’t affect functionality

That’s the core update in practice.

2. Files/folders you do not overwrite

This is where people usually panic in FTP and nuke their own site.

Do NOT overwrite:

  • wp-content/
    • Contains themes/, plugins/, uploads/, sometimes mu-plugins/
  • wp-config.php
  • Any host‑specific stuff in the root:
    • .htaccess
    • .user.ini
    • php.ini
    • web.config
    • Custom backup or cache files the host dropped in there

Where I slightly disagree with @mikeappsreviewer: you don’t have to delete the local wp-content to be safe. It’s totally fine to keep it in the extracted folder and just don’t drag it during upload. That way if something goes weird later, you can compare default files to your live install.

@vrijheidsvogel is closer to how I actually do it: strict about what to copy, but I don’t bother with deleting the local stuff. I just train myself not to drag the wrong thing. Mildly risky if you’re tired, sure, but not rocket science.

3. Extra safety tricks that help when one‑click update times out

Timeouts often mean:

  • Slow server or strict resource limits
  • Big plugins/themes
  • Old PHP version

A couple things that make manual updates less scary:

  1. Backup bare minimum first

    • Download wp-content/
    • Download wp-config.php
    • Export DB via phpMyAdmin or a backup tool if it still loads
      If something breaks, you can at least roll back.

  2. Maintenance mode without plugins

    • In your WordPress root, temporarily create .maintenance with:
      <?php $upgrading = time(); ?>
    • WordPress will show a maintenance screen instead of weird half‑updated errors.
    • Remove this file when you’re done.

  3. Upload in this order

    • Upload wp-includes/ first
    • Then wp-admin/
    • Then the root PHP files
      It’s not absolutely required, but it tends to reduce strange partial‑update behavior.

4. Mac‑specific angle: make your life less annoying

You can use Cyberduck or FileZilla, sure, but if you want something that feels more like Finder, Commander One is actually nice for this specific job:

  • Dual‑pane view
  • One pane = your Mac folder with the new WordPress files
  • Other pane = your server’s WordPress directory
  • Select wp-admin, wp-includes and the core PHP files on the local side
  • Drag them straight over to the server side and choose “Overwrite for all”

That visual side‑by‑side makes it a lot harder to accidentally upload wp-content, which is the main way people blow up their themes and plugins.

5. After the FTP part

Once the upload is done:

  1. Delete .maintenance if you created it
  2. Go to https://yourdomain.com/wp-admin/
  3. If you see “Database update required,” click it and let it run
  4. Test:
    • Home page
    • Login
    • One or two key plugins (cache, forms, ecommerce if you have it)

If anything breaks hard:

  • Re‑upload your backed‑up wp-admin, wp-includes and core root files
  • Restore the DB backup
  • Then check with your host about why the one‑click upgrade is timing out in the first place, or consider bumping PHP / memory limits

So the short version you were asking for:

Replace wp-admin, wp-includes, and the core PHP files in the root.
Leave wp-content, wp-config.php, and host‑specific files alone.
Use something like Commander One on your Mac to drag/overwrite cleanly.

5

Key thing everyone already circled: you’re updating core only, not your content. Let me just fill in a few gaps and edge cases they did not dwell on.

1. What I’d do before touching FTP

I slightly disagree with skipping backups “because it’s just core”:

  • Dump the database from your host panel.
  • Grab a copy of wp-content and wp-config.php via FTP.
  • Check PHP version vs the WP version you are installing. Old PHP is a classic silent-breaker.

This takes a few minutes and saves hours if the update exposes a shaky plugin.

2. What to do if you already half‑broke the site

If the dashboard is already stuck or you got a white screen:

  1. Rename the plugins folder inside wp-content to plugins.off.
    That disables everything at once without deleting.
  2. Reupload the fresh wp-admin and wp-includes from the new download.
  3. Reupload the core root files like wp-load.php, wp-settings.php, wp-login.php and friends.

If it comes back, you know it was a mix of old core plus some plugin. Then rename plugins.off back to plugins and re-enable plugins one by one.

3. Files people forget that can cause weird behavior

Even when you correctly avoid overwriting wp-content and wp-config.php, check these:

  • .htaccess
    If you ever pasted “speed” or “security” snippets from blogs, this can clash after an update. Temporarily rename it to htaccess.off to test.
  • Must-use plugins in wp-content/mu-plugins
    These load before regular plugins and can break things immediately after a core update.

So if you still see HTTP 500 errors after a clean core upload, test with .htaccess disabled and mu-plugins temporarily renamed.

4. About using Commander One vs classic FTP apps

You already got detailed walkthroughs from @vrijheidsvogel, @shizuka and @mikeappsreviewer. I agree with most of that, but here’s a more opinionated comparison.

Commander One pros

  • Dual pane feels like Finder, so it is easier to visually compare local “new WordPress” folder and remote site.
  • Simple drag and overwrite workflow, good for seeing exactly what you are dropping on the server.
  • Handles FTP / SFTP without a lot of configuration noise.

Commander One cons

  • Not as feature heavy for power users as something like a dedicated FTP manager that has queue fine-tuning, sync tools and advanced bookmarks.
  • If you are used to raw FTP clients (like the ones the others mentioned), Commander One can feel a bit “general file manager” rather than surgical.

I still like it for WordPress updates specifically because the side by side view makes it harder to accidentally drag wp-content, which is the number one catastrophic mistake.

5. If your transfers keep timing out too

Since your one‑click update is timing out, the same server limitations might affect FTP transfers:

  • Change FTP client to use SFTP instead of FTP if available. Often more stable.
  • Upload wp-includes and wp-admin in smaller chunks instead of one giant transfer so you can retry specific folders.
  • If your host supports SSH, using a terminal upload (scp / rsync) is more robust than any GUI. Slightly more advanced, but far less fragile.

6. After the update: quick health check list

Once all the new files are up:

  1. Remove any .maintenance file if you created one.
  2. Hit /wp-admin/upgrade.php directly if the dashboard does not prompt for a DB update.
  3. Test:
    • Front page
    • A logged‑in page
    • Admin listing for posts and plugins
    • Any heavy plugin pages like ecommerce or form builders

If any specific page dies, look into its plugin first rather than assuming the core update is bad.

So in short: the others already nailed what to copy. I would just layer on strict backups, careful handling of .htaccess and mu‑plugins, and use Commander One’s dual panes to visually keep wp-content out of the drag so you do not nuke your themes and uploads.