enabling web interface updates over FTP or directly

Wordpress can be updated on the command line or the graphical side in the web browser. But in order to do that you need write permission on the server as the user www-data (the webs server), or, ftp access to upload files from wordpress.org to the server you are hosted at.

Hence, you can either set the website to be owned by the webserver (and risk that vulnerabilities to the webserver affect your website), or you can enable FTP. The default is to let the webserver (www-data) have write permission:

chown -R www-data:www-data /var/www/wordpress/

chmod -R 775 /var/www/wordpress/

To enable FTP, create a user specifically for the purpose on the server's FTP service and give them ownership of the wordpress folder. Put the following code into the wp-config.php file

define( 'FS_METHOD', 'direct' );

define( 'FTP_BASE', 'www.myserver.com/www/wordpress' );

define( 'FTP_CONTENT_DIR', 'www.myserver.com/www/wordpress/wp-content/' );

define( 'FTP_PLUGIN_DIR ', 'www.myserver.com/www/wordpress/wp-content/plugins/' );

define( 'FTP_USER', 'ftp_username' );

define( 'FTP_PASS', 'ftp_password' );

define( 'FTP_HOST', 'localhost:port' );

define( 'FTP_SSL', true );

Obviously the risk here is the FTP password is clear-text meaning anyone on the server command line can subsequently login as that FTP user. Hence you need to secure the FTP service, e.g. chroot that FTP user to only have write permission in /var/www/wordpress/

Popular posts from this blog

bash + python script to find wordpress malware and delete it.

turning on debug mode