Auto-Update Wordpress With SFTP
Installing a Wordpress plugin with SFTP
Like me, you may use SFTP instead of FTP to upload files to your server. Like me, you may also use Wordpress to blog about things. Like me, you may have been a bit disappointed to see that you couldn’t auto-update Wordpress or install plugins through the dashboard as it appeared to only support FTP and FTPS. If none of this made any sense then you might want to check out What is SFTP and why use it? below.
Yet don’t be disheartened O reader for it is a little known fact that Wordpress does allow one to use SFTP! To do this you need to have the appropriate SSH extension for PHP. Luckily Kevin van Zonneveld has written a lovely guide on how one does this. He does note that a new version of libssh2 has been released and I can confirm that it works so when you reach that section you might want to use the following steps instead:
wget http://surfnet.dl.sourceforge.net/sourceforge/libssh2/libssh2-1.0.tar.gz tar -zxvf libssh2-1.0.tar.gz cd libssh2-1.0/
After you install libssh, remember to install the PECL module:
pecl install -f ssh2
and modify your php.ini (usually in /etc/php5/apache2/) to include the following beneath Dynamic Extensions
extension=ssh2.so
You’ll probably need to restart Apache afterwards:
/etc/init.d/apache2 restart
Now when you visit the auto-update page you will have a third option to use SSH, as shown in the image above and your Wordpress SFTP days have begun!
What is SFTP and why use it?
SFTP is a replacement for FTP which is much more secure. It is based on SSH and is not to be confused with FTPS (despite similar names, the two are incompatible). SFTP encrypts all the data and commands that are sent to and from the server and provides protection against a number of network security risks. FTP, on the other hand, leaves everything – username, password, data, etc. etc. – in plaintext and so is susceptible to man in the middle attacks.
Needless to say, I’d highly recommend everyone use SFTP and disable their FTP logins.
What is FTPS?
FTPS is FTP running over SSL-enabled FTP servers. This is similar to the difference between HTTP and HTTPS. With FTPS, all the control data (e.g. authentication) is encrypted but the data may not be. This is because if you have already encrypted the data then there is no point having FTPS encrypt it again. Of course, if the data is in plaintext then you can ask FTPS to encrypt it.
The main problem with FTPS is that you need an SSL certificate plus it requires a secondary channel for the data which may cause problems with some firewalls. Of course, SFTP isn’t perfect as well but it’s the one I prefer.
Happy secure data transferring!
Tags: sftp, tips, wordpress
Add a Comment Trackback
[...] UPDATE: Actually, it's possible to do this. Find more information at: Auto-Update WordPress with SFTP. WordPress allows you to update plugins with FTP or FTPS, but not [...]
Dude, thank you!
I installed libssh2 and restarted Apache, but that didn’t change anything. Am I missing something?
Hey Austin. Did you follow the instructions on Kevin’s blog to use PECL to link PHP and libssh together, plus changing the php.ini file?
I’ll update my post to include this info.
I think that I did, but I’ll look into it tomorrow. I’ll just do a test script to see if libssh installed. Thanks! :)
[...] Devioustree [...]
Do you know if it can run with lighttpd ?
thanks for the tip. im using ssh keys for login. so am i have to upload my private key to my account?
Like you, I would run a mile before using FTP for anything. Like you I was pretty disappointing to find that SSH support was not there. I even went about to add it myself only to find that it’s present but has been disabled because the SSH extension wasn’t available
james: you need to have your public key in the ~/.ssh/authorized_keys file but wordpress asks you to place both files on the server (both the public and the private) I don’t think it’s a good idea better to use password authentication. But of course all this is pointless if you don’t run the wordpress admin area over SSL.
Thank you for this info, was looking for quite a while on how to do this…plenty of outdated info out there.
I am having trouble with this.
I am running php entropy (php5-5.2.5-6-beta) on Mac OSX Serve 10.5.8. And I successfully installed libssh2-1.1 and did a pecl -f ssh2 successfully.
I go through all the steps without problem, but ssh2 is never activated. ssh2.so gets created and put into “/usr/lib/php/extensions/no-debug-non-zts-20060613/”
and my php.ini file has:
extension_dir = “/usr/lib/php/extensions/no-debug-non-zts-20060613/”
extensions=ssh2.so
Here is a php_info() page for everything on my server:
http://studentdev.jour.unr.edu/derak/images/rlb/
ssh2 should be showing up in my “Registered PHP Streams” section, but it is not.
Any ideas? I feel like I’ve tried everything here.
Hey Derak,
I’ll try and have a more detailed look over the weekend but I’ve found some possible help. I realise it’s from 2005 but there might be something in there (specifically the second post which contains a lot of info) that might help.
Another thing, is there any mention in the apache logs about any trouble trying to load the ssh2 module?
Like you, I am trying to implement this solution. But I’m having difficulty getting around the fact that your first three sentences are so utterly grammatically incorrect. They should all begin with “Like me”. Please reference http://www.drgrammar.org/faqs/#34 for an adequate explanation or you can simple tell me that I can go (expletive deleted) myself.
Ahem
I don’t know what grammatical errors you are referring to…
Ok, I admit it. I did not know about that particular grammatical rule. Thanks for pointing it out. You learn something new every day :)
HaHa. BTW the directions were SPOT ON. Thanks!
I can’t find any errors about trying to load ssh2 in the apache log, but I am not sure I am looking in the correct place for the error log…
Thanks a lot , I have been digging around for a while to solve this issue !
clean tutorial …
trying to install pecl module, I got an error
5 source files, building
running: phpize
sh: phpize: command not found
ERROR: `phpize’ failed
which I solved installing the php5-dev packet ( I am not a php developer )
then .. installed ! and wordpress displaying the SSH choice
erwin
@zobi8225: yes. Just add extension=ssh2.so into the php5/cgi/php.ini and restart lighttpd.
@zobi8225: yes just add the extension=ssh2.so line to php5/cgi/php.ini (or php5/cli/php.ini if your installation uses that)
Adding SFTP support to PHP with libssh2 is an absolute nightmare. Just take a look at all the posts on Kevin’s blog (as linked to above). And to think that for every one person who got it working ten people probably gave up. That’s a pretty sad testament to the ssh2 PECL extension.
And, of course, all of that assumes you even have that kind of access to the server. Those of us on shared hosts don’t even have that. Sure, we can switch webhosts, but we can also switch webapps, too.
Really, I don’t know why the Wordpress devs don’t just add phpseclib support.
Does it work for plugins too? or just for the main wordpress? and what about wordpress MU?
Yes, this works for plugins as well. I’m pretty confident it would work for Wordpress MU too but I haven’t tried it.
I just run vsftpd with listen_address=127.0.0.1 . This way users have SFTP access to server but for Wordpress they can just use FTP with ‘localhost’ as a hostname and remote FTP connections are not possible