WordPress – SFTP update on Debian

By | 20 September 2017 |

Probably because I installed WordPress from the package, a fresh installation already has plugins and themes waiting to be updated.
The problem is that this can only be done over FTP or FTPS (SSL), and you need to provide your FTP credentials, such as a hostname, FTP username, and FTP password. As you probably know, FTP is not really secure.

In this post, I will describe the needed changes to enable and use SFTP (SSH).

This post is inspired by the following HowTo, which describes the process on Ubuntu.

Installation of the needed packages

# sudo apt-get update
# sudo apt-get install php5-dev libssh2-1-dev libssh2-php

Creation of a backend user

The goal of this user is to separate the owner of the WordPress site from the user running the web server, usually www-data.

To create the user, you can issue the usual command: adduser

# sudo adduser wordpress-user

The system will ask you different questions in order to create the user.

Remarks:

  1. In Debian, contrary to Ubuntu, it is not possible by default to create a user without a password, so just set a password for the new user.
  2. This new user (wordpress-user) can be named whatever you want, but it should not be the WordPress site admin nor the db user. If you created a user with a different name, replace it in all the commands.

Create an SSH key for the WordPress user

To avoid having to provide the credentials of the user we just created, we are going to create an SSH key.

Log in as the "wordpress-user" we just created

sudo su - wordpress-user

Let’s create the keys with ssh-keygen

ssh-keygen -t rsa -b 4096

You can choose the name and location of the key, but if you accept the defaults, it will create:

  • /home/wordpress-user/.ssh/id_rsa
  • /home/wordpress-user/.ssh/id_rsa.pub

When you are prompted for the passphrase, just press Enter to leave it empty.

Change permissions and ownership

If, like me, you installed WordPress from the package with the command "sudo apt-get install wordpress", most probably all the WordPress files are owned by the root user.
You have to change the ownership of the files under the wp-content folder (by default /var/lib/wordpress/wp-content) to the user you just created (wordpress-user), and you also need to ensure that the user running the web server, usually www-data, has access to those files.

# chown -R wordpress-user:www-data /var/lib/wordpress/wp-content
# chown -R wordpress-user:www-data /etc/wordpress/config-myblog.example.com.php

Remarks:

  • In the configuration file (in our example: /etc/wordpress/config-myblog.example.com.php),
    you can specify a custom location for the "wp_content" folder like this:
define('WP_CONTENT_DIR', '<the location of your choice>');

For this installation, I created a new folder

# sudo mkdir /etc/wordpress/myblog.example.com
# sudo chown wordpress-user:www-data /etc/wordpress/myblog.example.com
# sudo cp -R /var/lib/wordpress/wp-content /etc/wordpress/myblog.example.com/

And updated the configuration file

define('WP_CONTENT_DIR', '/etc/wordpress/myblog.example.com/wp-content');

This is particularly useful if you plan to run a WordPress multisite. In that case you need to adapt the permissions on the specified folder and also adapt your Apache vhost to access the correct folder, replacing /var/lib/wordpress/wp-content with the directory you want to use (in the example: /etc/wordpress/myblog.example.com/wp-content).

  • It is not necessary to change the permissions of the wordpress folder under /usr/share/

Update the permissions for the generated keys

# sudo chown wordpress-user:wordpress-user /home/wordpress-user/.ssh/
# sudo chmod 0700 /home/wordpress-user/.ssh/
# sudo chmod 0640 /home/wordpress-user/.ssh/id_rsa*

Allow the user to log in using that key

# sudo cp /home/wordpress-user/.ssh/id_rsa.pub /home/wordpress-user/.ssh/authorized_keys
# sudo chown wordpress-user:wordpress-user /home/wordpress-user/.ssh/authorized_keys
# sudo chmod 0644 /home/wordpress-user/.ssh/authorized_keys

Adjust the authorized_keys file so that the key can only be used from the local IP

# sudo nano /home/wordpress-user/.ssh/authorized_keys

Add the source restriction at the beginning of the line

from="127.0.0.1" ssh-rsa...

Update your WordPress config file

You need to update your WordPress config file to use the SSH keys by default

# nano  /etc/wordpress/config-myblog.example.com.php

Include the following lines:

define('FTP_PUBKEY','/home/wordpress-user/.ssh/id_rsa.pub');
define('FTP_PRIKEY','/home/wordpress-user/.ssh/id_rsa');
define('FTP_USER','db-user');
define('FTP_PASS','db-password');
define('FTP_HOST', '127.0.0.1:22');

Remarks:

  1. The FTP_PUBKEY and FTP_PRIKEY locations depend on the location you chose when running the ssh-keygen command
  2. FTP_USER and FTP_PASS are the credentials to access the database, not the "wordpress-user" created in this post
  3. FTP_HOST: here we use the local IP address and the SSH port, 22 by default; if you changed the port, you also need to update it here

Restart the web server

sudo service apache2 restart

Test the new configuration

To test your new configuration, log into the admin page and try to install a new theme or plugin.
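
The from="127.0.0.1" restriction added to authorized_keys above is easy to lose when the file is edited later. The following check is an added example, not part of the original post: it lists every key entry that is not limited to a loopback address. The function name and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag authorized_keys entries not pinned to loopback by from="...".
# Assumption: the options field ends at the first " <keytype> AAAA..." sequence.

# Prints "LINE:REASON" for each key entry that is usable from a non-local address.
audit_authorized_keys() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
    {
        line = $0; sub(/^[ \t]+/, "", line)
        opts = ""
        # An entry without options starts directly with the key type.
        if (line !~ /^(ssh-|ecdsa-|sk-)/ &&
            match(line, /[ \t]+(ssh-|ecdsa-|sk-)[^ \t]+[ \t]+AAAA/))
            opts = substr(line, 1, RSTART - 1)
        if (opts == "") { print NR ":no-options"; next }
        if (!match(opts, /from="[^"]*"/)) { print NR ":no-from"; next }
        # Every pattern in the from= list must be a loopback address.
        list = substr(opts, RSTART + 6, RLENGTH - 7)
        n = split(list, pat, ",")
        for (i = 1; i <= n; i++)
            if (pat[i] != "127.0.0.1" && pat[i] != "::1") {
                print NR ":from-allows-" pat[i]; next
            }
    }' "$1"
}

# Constructed sample file; key material is a truncated placeholder.
demo() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
from="127.0.0.1" ssh-rsa AAAAB3NzaC1yc2Eplaceholder wordpress-user@host
ssh-rsa AAAAB3NzaC1yc2Eplaceholder wordpress-user@host
no-pty ssh-ed25519 AAAAC3NzaC1lZDI1placeholder deploy@host
from="127.0.0.1,192.0.2.10" ssh-rsa AAAAB3NzaC1yc2Eplaceholder other@host
EOF
    audit_authorized_keys "$sample"
    rm -f "$sample"
}

demo
```

Run audit_authorized_keys against /home/wordpress-user/.ssh/authorized_keys as root; no output means every key is limited to 127.0.0.1 or ::1.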

 
