Auto-Update WordPress With SFTP
Like me, you may use SFTP instead of FTP to upload files to your server. Like me, you may also use WordPress to blog about things. Like me, you may have been a bit disappointed to see that you couldn’t auto-update WordPress or install plugins through the dashboard, as it appeared to support only FTP and FTPS. If none of this made any sense then you might want to check out What is SFTP and why use it? below.
Yet don’t be disheartened, O reader, for it is a little-known fact that WordPress does allow one to use SFTP! To do this you need to have the appropriate SSH extension for PHP. Luckily Kevin van Zonneveld has written a lovely guide on how one does this. He does note that a new version of libssh2 has been released and I can confirm that it works, so when you reach that section you might want to use the following steps instead:
wget http://surfnet.dl.sourceforge.net/sourceforge/libssh2/libssh2-1.0.tar.gz
tar -zxvf libssh2-1.0.tar.gz
cd libssh2-1.0/
After you install libssh2, remember to install the PECL module:
pecl install -f ssh2
and modify your php.ini (usually in /etc/php5/apache2/) to include the following beneath Dynamic Extensions:
extension=ssh2.so
You’ll probably need to restart Apache afterwards:
/etc/init.d/apache2 restart
Now when you visit the auto-update page you will have a third option to use SSH, as shown in the image above, and your WordPress SFTP days have begun!
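If the SSH option does not appear, or you want to confirm the extension works before trusting the dashboard with it, a small command-line smoke test helps. The script below is an added example, not part of the guide linked above; the host, user, key paths, remote path and fingerprint are placeholder assumptions to replace with your own values.

```php
<?php
// Added example: smoke-test the PECL ssh2 extension from the command line.
// Every value in this block is a placeholder (assumption); use your own.
$host       = 'example.com';
$port       = 22;
$user       = 'wpdeploy';
$pubKey     = '/home/wpdeploy/.ssh/id_rsa.pub';
$privKey    = '/home/wpdeploy/.ssh/id_rsa';
$remotePath = '/var/www/wordpress/wp-config.php';
// SHA-1 host key fingerprint, hex without colons, obtained out of band
// (for example from the server's console), not from this connection.
$expectedFp = 'REPLACE_WITH_YOUR_SERVER_FINGERPRINT';

function fail($msg) {
    fwrite(STDERR, "FAIL: $msg\n");
    exit(1);
}

// The CLI can read a different php.ini than Apache does, so show which one.
echo 'php.ini in use: ', php_ini_loaded_file(), "\n";
if (!extension_loaded('ssh2')) {
    fail('ssh2 extension is not loaded; check extension=ssh2.so in that file');
}

$session = ssh2_connect($host, $port);
if ($session === false) {
    fail("could not connect to $host:$port");
}

// Compare the host key before sending credentials: this check is what
// protects the session against a man-in-the-middle.
$fp = ssh2_fingerprint($session, SSH2_FINGERPRINT_SHA1 | SSH2_FINGERPRINT_HEX);
if (strcasecmp($fp, $expectedFp) !== 0) {
    fail("host key fingerprint mismatch, got $fp");
}

if (!ssh2_auth_pubkey_file($session, $user, $pubKey, $privKey)) {
    fail("public key authentication failed for $user");
}

$sftp = ssh2_sftp($session);
if ($sftp === false) {
    fail('server did not start the SFTP subsystem');
}

$stat = ssh2_sftp_stat($sftp, $remotePath);
if ($stat === false) {
    fail("cannot stat $remotePath over SFTP");
}
printf("OK: %s is %d bytes, mode %o\n", $remotePath, $stat['size'], $stat['mode'] & 0777);
```

Run it with the php command-line binary; if it reports the extension as missing while the dashboard works (or the reverse), compare the php.ini path it prints with the one you edited for Apache.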
What is SFTP and why use it?
SFTP is a much more secure replacement for FTP. It is based on SSH and is not to be confused with FTPS (despite the similar names, the two are incompatible). SFTP encrypts all the data and commands that are sent to and from the server and provides protection against a number of network security risks. FTP, on the other hand, leaves everything – username, password, data, etc. etc. – in plaintext and so is susceptible to man-in-the-middle attacks.
Needless to say, I’d highly recommend everyone use SFTP and disable their FTP logins.
What is FTPS?
FTPS is FTP running over SSL on SSL-enabled FTP servers. The difference is similar to that between HTTP and HTTPS. With FTPS, all the control data (e.g. authentication) is encrypted but the data may not be. This is because if you have already encrypted the data then there is no point having FTPS encrypt it again. Of course, if the data is in plaintext then you can ask FTPS to encrypt it.
The main problem with FTPS is that you need an SSL certificate, and it requires a secondary channel for the data, which may cause problems with some firewalls. Of course, SFTP isn’t perfect either, but it’s the one I prefer.
Happy secure data transferring!
