As you may already know, WordPress allows you to install and update plugins, widgets, themes etc., as well as the whole system, through the admin panel. It’s a very convenient, time-saving feature, but it requires you to provide FTP or FTPS credentials every time it is used. It could be really frustrating!
SFTP (SSH File Transfer Protocol) should not be confused with FTPS (File Transfer Protocol over SSL). FTP is vulnerable to attacks and should be avoided because the server can only handle usernames and passwords in plain text. So, like many people, I don’t have it installed on my virtual private server. If you feel that you need to install and enable an FTP server just for WordPress, think twice – you can use SSH instead and I’ll show you how!
Step 1: Install SSH Server
If you haven’t done so yet, don’t worry. It’s as easy as 1 – 2 – 3 with Ubuntu as the server OS. Just issue the following command in the terminal:
sudo apt-get install openssh-server
Once it is installed, you can change the port, disable root login and make other changes by editing the config file:
sudo gedit /etc/ssh/sshd_config
Finally, restart the SSH server for the changes to take effect:
sudo /etc/init.d/ssh restart
I don’t want to go into detail here, because there is a really good tutorial on how to secure your SSH server. Take a look at “Step 5” here.
Step 2: Installing PHP’s SSH2 extension
In order to allow PHP to communicate with SSH servers, you should install the PECL ssh2 extension.
pecl install ssh2
After installing the PECL ssh2 extension you will need to modify your PHP configuration to automatically load this extension.
PECL is a repository for PHP extensions, providing a directory of all known extensions and hosting facilities for downloading and developing PHP extensions. The package is available in most Linux distributions. To install PECL in Ubuntu, type the following:
apt-get install php-pear
PECL will recommend that you put “extension=ssh2.so” in your php.ini. Wrong! Since Ubuntu 12.04 there is a cleverer way to enable and disable PHP modules. There is a separate module configuration file stored in /etc/php5/mods-available. To enable the newly installed SSH2 module, you just need to type:
php5enmod ssh2
This simply creates a symlink in the usual /etc/php5/conf.d/ directory that points to the real file in /etc/php5/mods-available, prefixed with a number that indicates the priority of the module. By default, the priority is 20.
If you’re using Apache, restart it with the following command:
sudo service apache2 restart
If you’re an nginx user, use this command:
sudo service php5-fpm restart
Step 3: Creating a separate user for WordPress
It’s good practice to use a separate user with restricted access, allowed to log in over SSH only from localhost. That way, if your WordPress is hacked, the intruder will gain only limited access to the system.
To create a new user, type:
adduser someusername
… and answer the questions.
Step 4: Generating the server-side RSA keys
Now, log in as the newly created user and generate the server-side RSA keys.
ssh-keygen
Then, you should create an “authorized_keys” file using the following commands:
cd .ssh
cp id_rsa.pub authorized_keys
Ensure the files have proper permissions:
cd ~/
chmod 755 .ssh
chmod 644 .ssh/*
Now, if you try to update a plugin, WordPress should present you with an SSH option next to the FTP and FTPS ones. You should be able to log in via SFTP without any problems.
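The permissions set in Step 4 and the localhost-only goal from Step 3 can be checked with a short audit script. This is an added example, not part of the original tutorial; the function name audit_ssh_dir and the finding labels are made up for illustration, and the demo files are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit a .ssh directory like the one built in Steps 3-4.
# audit_ssh_dir and the finding labels are hypothetical names.
audit_ssh_dir() {
    dir=$1
    findings=0

    # sshd's StrictModes refuses key login when .ssh or authorized_keys
    # is writable by group or others.
    for p in "$dir" "$dir/authorized_keys"; do
        [ -e "$p" ] || continue
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "WRITABLE_BY_OTHERS $p"
            findings=1
        fi
    done

    # A private key with the other-read bit can be copied by any local account.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if head -n 1 "$f" | grep -q 'PRIVATE KEY' &&
           [ -n "$(find "$f" -prune -perm -004)" ]; then
            echo "WORLD_READABLE_PRIVATE_KEY $f"
            findings=1
        fi
    done

    # An entry without from="..." accepts this key from any source address.
    if [ -f "$dir/authorized_keys" ] &&
       grep -Ev '^[[:space:]]*(#|$)' "$dir/authorized_keys" | grep -qv 'from="'; then
        echo "KEY_NOT_PINNED_TO_SOURCE $dir/authorized_keys"
        findings=1
    fi
    return "$findings"
}

# Constructed demo: throwaway directory with the permissions from Step 4.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'placeholder' > "$demo/id_rsa"
printf '%s\n' 'ssh-rsa CONSTRUCTED-PLACEHOLDER demo' > "$demo/authorized_keys"
chmod 755 "$demo"
chmod 644 "$demo"/*
audit_ssh_dir "$demo" || echo "fix the findings above"
rm -rf "$demo"
```

Run it as audit_ssh_dir /home/wordpress-user/.ssh. If PHP runs under a different account than the key owner, the key has to stay readable to that account; group read for the PHP user's group instead of world read is one option (an assumption about your setup, not something the tutorial configures).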
Step 5: Automation
If you want to automate the process a bit more, there are a few more things you can do to make it even easier.
Open up your wp-config.php file and add the following lines of code.
/** SFTP Access */
define('FS_METHOD', 'ssh2');
define('FTP_PUBKEY', '/home/wordpress-user/.ssh/id_rsa.pub');
define('FTP_PRIKEY', '/home/wordpress-user/.ssh/id_rsa');
define('FTP_USER', 'wordpress-user');
define('FTP_PASS', '');
define('FTP_HOST', '127.0.0.1:22');
define('FTP_BASE', '/home/wordpress-user/blog.example-host.net/htdocs/');
define('FTP_CONTENT_DIR', '/home/wordpress-user/blog.example-host.net/htdocs/wp-content/');
// Constant name must not contain a trailing space, or WordPress will not find it.
define('FTP_PLUGIN_DIR', '/home/wordpress-user/blog.example-host.net/htdocs/wp-content/plugins/');
Now, when you click “upgrade” or “install” on a new plugin, theme etc, it will bypass the first screen you saw above asking for FTP credentials. It will automatically go into the process and start the install/upgrade.
libssh2 is a PITA to use and install. I prefer https://wordpress.org/plugins/ssh-sftp-updater-support/ myself. It’s easier to install, doesn’t require keys live on the filesystem and be readable by anyone, etc.