As you may be already know, WordPress allows you to install and update plugins, widgets, themes etc, as well as whole system trough the admin panel. It’s very convenient time-saving feature but it requires you to provide FTP or FTPS credentials every time when its used. It could be really frustrating!
SFTP (SSH over FTP) should not be confused with FTPS (File Transfer Protocol Over SSL). FTP is vulnerable to attacks and should be avoided because the server can only handle usernames and passwords in plain text. So, as many people, I don’t have it installed on my virtual private server. If you feel that you need to install and enable a FTP server, just for WordPress, think twice – you can use SSH instead and I’ll show you how!
Step 1: Install SSH Server
If you haven’t done so yet, don’t worry. It’s easy as 1 – 2 – 3 using Ubuntu as server OS. Just issue the following command in the terminal:
sudo apt-get install openssh-server
Once installed, you can change the port, disable root login and do other changes by editing the config file:
sudo gedit /etc/ssh/sshd_config
Finally restart the SSH server to take changes place:
sudo /etc/init.d/ssh restart
I don’t want to get in details here, because there is a really good tutorial how to secure your SSH server. Take a look at “Step 5” here.
Step 2: Installing PHP’s SSH2 extension
In order to allow PHP to communicate with SSH servers, you should install the pecl SSH2 extension.
pecl install ssh2
After installing the PECL ssh2 extension you will need to modify your PHP configuration to automatically load this extension.
PECL is a repository for PHP Extensions, providing a directory of all known extensions and hosting facilities for downloading and development of PHP extensions. The package is available in most Linux distributions. To install PECL in Ubuntu, type following:
apt-get install php-pear
PECL will recommend you to put “extension=ssh2.so” in your php.ini. Wrong! Since Ubuntu 12.04 there is more clever way to enable/disable PHP modules. There is a separate module configuration file stored in /etc/php5/mods-available. To enable the newly installed SSH2 module, you just need to type:
This simply creates a symlink from the usual /etc/php5/conf.d/ directory to point to where the real files are in /etc/php5/mods-available, prefixed with a number that indicates the priority of the module. By default, the priority is 20.
If you’re using Apache, restart it with the following command:
sudo service apache2 restart
If you’re a nginx user, use this command:
sudo service php5-fpm restart
Step 3: Creating a separate user the WordPress
It’s good practice to use a separate user with restricted access, allowed to log in over SSH only from localhost. So, if your WordPress is hacked, the intruder will gain limited access to the system.
To create a new user, type
… and answer the questions.
Step 4: Generating the server-side RSA keys
Now, login as the newly created user and generate the server-side RSA keys.
Then, you should create an “authorized_keys” file using the following commands:
cd .ssh cp id_rsa.pub authorized_keys
Ensure the files have proper permissions:
cd ~/ chmod 755 .ssh chmod 644 .ssh/*
Now, if you try to update a plugin, WordPress should present you a SSH option next to the FTP and FTPS ones. You should be able to log in via SFTP without any problems.
Step 5: Automatization
If you want to automate the process a bit more, there are a few more things you can do to make it even easier.
Open up your wp-config.php file and add the following lines of code.
/** SFTP Access */ define('FS_METHOD', 'ssh2'); define('FTP_PUBKEY','/home/wordpress-user/.ssh/id_rsa.pub'); define('FTP_PRIKEY','/home/wordpress-user/.ssh/id_rsa'); define('FTP_USER','wordpress-user'); define('FTP_PASS',''); define('FTP_HOST','127.0.0.1:22'); define('FTP_BASE', '/home/wordpress-user/blog.example-host.net/htdocs/'); define('FTP_CONTENT_DIR', '/home/wordpress-user/blog.example-host.net/htdocs/wp-content/'); define('FTP_PLUGIN_DIR ', '/home/wordpress-user/blog.example-host.net/htdocs/wp-content/plugins/');
Now, when you click “upgrade” or “install” on a new plugin, theme etc, it will bypass the first screen you saw above asking for FTP credentials. It will automatically go into the process and start the install/upgrade.