Probably because I installed WordPress from the package, although it is a fresh installation, there are already plugins, themes to be updated.
The problem is this can only be done by FTP or FTPS (SSL) and you need to provide your FTP credentials, such as a hostname, FTP username, and FTP password. As you probably know FTP is not really secure.
In this post, I will describe the needed changes to enable and use SFTP (SSH).
This post is inspired on the following HowTo that describes the process on Ubuntu.
Installation of the needed packages
# sudo apt-get update # sudo apt-get install php5-dev libssh2-1-dev libssh2-php
Creation of a backend user
The goal of this user would be to separate the owner of the WordPress site from the user running the web server usually www-data
To create the user, you can issue the usual command: adduser
# sudo adduser wordpress-user
The system will ask you different questions in order to create the user.
- in Debian contrary to Ubuntu, by default, it is not possible to create a user without a password, so just set a password for that new user.
- This new user (wordpress-user) can be whatever you want, it should not be the WordPress admin site nor the db user, if you created a different user, you need to replace in all commands.
Create SSH key for the WordPress’s user
To avoid to have to provide the credentials of the user we just created, we are going to create the SSH key.
Log in as the « wordpress-user » we just created
sudo su - wordpress-user
Let’s create the keys with ssh-keygen
ssh-keygen -t rsa -b 4096
You can choose the name and location of the key but if you accept the default, it will create:
When you are prompted for the passphrase just press enter to let it empty.
Change permissions and ownership
If like me you installed WordPress using the package and so the command « sudo apt-get install wordpress », most probably all the WordPress’s files are owned by the root user.
You have to update the ownership of the files under the wp-content (by default /var/lib/wordpress/wp-content) folder to the user you just created (wordpress-user) and you need also to ensure the user running the web server, usually www-data, has access to those files.
# chown -R wordpress-user:www-data /var/lib/wordpress/wp-content # chown -R wordpress-user:www-data /etc/wordpress/config-myblog.example.com.php
- In the configuration file (in our example: /etc/wordpress/config-myblog.example.com.php),
you can specify a specific location for the « wp_content » folder like this:
define('WP_CONTENT_DIR', '<the location of your choice');
For this installation, I created a new folder
# sudo mkdir /etc/wordpress/myblog.example.com # sudo chown wordpress-user:www-data /etc/wordpress/myblog.example.com # sudo cp -R /var/lib/wordpress/wp-content /etc/wordpress/myblog.example.com/
And updated the configuration file
This is particularly useful if you plan to run a wordpress multisite, in that case you need to adapt the permission on the specify folder and also adapt you apache vhost to access the correct folder by replacing /var/lib/wordpress/wp-content with the directory you want to use (in the example: /etc/wordpress/myblog.example.com/wp-content)
- it is not needed to update the authorization for the wordpress folder under /usr/share/
Update the permission for the generated keys
# sudo chown wordpress-user:wordpress-user /home/wordpress-user/.ssh/ # sudo chmod 0700 /home/wordpress-user/.ssh/ # sudo chmod 0640 /home/wordpress-user/.ssh/id_rsa*
Allow the user to login using that key
# sudo cd /home/wordpress-user/.ssh/ # sudo cp id_rsa.pub authorized_keys # sudo chown wordpress-user:wordpress-user authorized_keys # sudo chmod 0644 authorized_keys
Adjust the authorized_keys file to only allow is used on the local IP
# sudo nano /home/wordpress-user/.ssh/authorized_keys
Add at the beginning of the line, the source restriction
Update your wordpress config file
You need to update your wordpress config file to use the SSH Keys by default
# nano /etc/wordpress/config-myblog.example.com.php
include the following lines:
define('FTP_PUBKEY','/home/wordpress-user/.ssh/id_rsa.pub'); define('FTP_PRIKEY','/home/wordpress-user/.ssh/id_rsa'); define('FTP_USER','db-user'); define('FTP_PASS','db-password'); define('FTP_HOST', '127.0.0.1:22');
- FTP_PUBKEY and FTP_PRIKEY location depends on the location u chose when running the ssh-keygen command
- FTP_USER and FTP_PASSWORD are the credentials to access the database, it is not the « wordpress-user » created in this post
- FTP_HOST, here we use the local IP address and the ssh port, by default 22 but if you updated it, you need also to update there
Restart the web server
sudo service apache2 restart
Test the new configuration
To test your new configuration, log into the admin page and try to install a new theme or plugin.