
Updating WordPress via installed SSL FTP Server on Debian (FTPS)

The newest releases of WordPress (> 2.x) offer a very convenient way to update the WordPress core and the installed plugins through either a plain FTP or an FTPS connection (FTP over SSL).

FTP has been extended by a standard that describes the operation of FTP over SSL and TLS. This extension is commonly known as FTPS and is a fairly obvious way of adding security to FTP. It should not be confused with SFTP, which is simply a file transfer mechanism built on top of SSH (Secure Shell).

TLS and SSL are two versions of the same protocol. FTPS (using TLS) is, however, much more secure for pure file transfer, because the account needs no execution rights on the server (which an SFTP account implies).

That said, the encryption and authentication schemes are similar, but the security implications are not: FTPS (FTP over TLS and SSL) only allows the usual FTP activities (in general, file transfer), whereas SFTP over SSH lets the user execute commands on the server.

WordPress, however, can only be updated through plain FTP or FTPS. That is entirely sufficient, and an SFTP account would be a potential security issue.

The following steps show how to install an FTPS-enabled FTP server on Debian Lenny or Debian Etch:

apt-get install vsftpd

VSFTPD is now installed; note that its default configuration still allows anonymous connections.

Now create a user ftpsecure, which vsftpd will later use as its unprivileged user so that the daemon runs with limited rights.

adduser ftpsecure

To establish an SSL connection we later need a certificate, so install the openssl package on Debian:

apt-get install openssl

Now let us create the private key and a self-signed certificate (valid for 365 days):

openssl req -new -x509 -days 365 -keyout vsftp.key -out vsftp.crt

Remove the passphrase from the key, so that vsftpd can load it without interactive input:

openssl rsa -in vsftp.key -out vsftp_clean.key

and now we concatenate the certificate and the unencrypted key into a single PEM file in the appropriate folder:

cat vsftp.crt vsftp_clean.key > /usr/share/ssl-cert/vsftpd.pem

Since vsftpd.pem now contains the unencrypted private key, keep it readable by root only. You should now update the configuration file of VSFTPD to look roughly like the following template. The file is located at

vi /etc/vsftpd.conf
# config file /etc/vsftpd.conf for SSL-secured FTP (FTPS) connections
#
# written by Jeannot Muller
#

# Run standalone? vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.
listen=YES

# Run standalone with IPv6?
# Like the listen parameter, except vsftpd will listen on an IPv6 socket
# instead of an IPv4 one. This parameter and the listen parameter are mutually
# exclusive.
listen_ipv6=NO

# Allow anonymous FTP?
anonymous_enable=NO
anon_world_readable_only=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO

# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES

# enable any form of FTP write command
write_enable=YES

# Activate logging of uploads/downloads.
xferlog_enable=YES

# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES

# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
nopriv_user=ftpsecure
ftpd_banner=Welcome to ftp-server (logging activated)

local_enable=YES
file_open_mode=0755
local_umask=022
local_max_rate=50000

# You may restrict local users to their home directories. See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
chroot_local_user=YES

# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd.chroot_list

# Activating logs and paths (xferlog_enable is already set above)
syslog_enable=YES
log_ftp_protocol=YES
vsftpd_log_file=/var/log/vsftpd.log
xferlog_std_format=YES
xferlog_file=/var/log/xferlog

# SSL Switch on
ssl_enable=YES
allow_anon_ssl=NO

# Encrypt Login
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

# Encrypt all data exchange
force_local_data_ssl=YES

# Position of the certificate
rsa_cert_file=/usr/share/ssl-cert/vsftpd.pem
pam_service_name=vsftpd

If you use the above configuration file, remember that with chroot_list_enable=YES the list file becomes an exception list: add the users who should NOT be confined to their home folder (probably the one you use for your WordPress update) to /etc/vsftpd.chroot_list:

vi /etc/vsftpd.chroot_list
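As an added check that is not part of the original post: a small POSIX shell audit that reads a vsftpd.conf and reports the settings which would let logins or data bypass TLS, falling back to the defaults documented in vsftpd.conf(5) for keys that are absent. The function names and the two sample config files are mine and constructed for the demonstration; point the function at /etc/vsftpd.conf to check a real server.

```shell
# Added example (not from the original post): audit a vsftpd.conf for the
# FTPS settings this post depends on. Unset keys fall back to the defaults
# from vsftpd.conf(5), so a missing line is flagged only if the default is weak.

# conf_value FILE KEY DEFAULT -> last uncommented value of KEY, else DEFAULT
conf_value() {
    v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1)
    printf '%s' "${v:-$3}"
}

# is_yes VALUE -> succeeds for the spellings vsftpd accepts as "on"
is_yes() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        yes|true|1) return 0 ;;
        *) return 1 ;;
    esac
}

# check_vsftpd_conf FILE -> one line per weak setting, returns 1 if any found
check_vsftpd_conf() {
    f=$1; bad=0
    is_yes "$(conf_value "$f" ssl_enable NO)" ||
        { echo "ssl_enable=NO: TLS is off, logins and data cross in plaintext"; bad=1; }
    is_yes "$(conf_value "$f" force_local_logins_ssl YES)" ||
        { echo "force_local_logins_ssl=NO: plaintext logins still accepted"; bad=1; }
    is_yes "$(conf_value "$f" force_local_data_ssl YES)" ||
        { echo "force_local_data_ssl=NO: plaintext data channels still accepted"; bad=1; }
    for k in ssl_sslv2 ssl_sslv3; do
        is_yes "$(conf_value "$f" "$k" NO)" && { echo "$k=YES: obsolete protocol enabled"; bad=1; }
    done
    is_yes "$(conf_value "$f" anonymous_enable YES)" && { echo "anonymous_enable=YES: anonymous logins allowed"; bad=1; }
    return $bad
}

# Constructed samples: a stock-style file (anonymous on, no TLS) and the
# hardened settings from this post.
tmp=$(mktemp -d)
printf 'listen=YES\nanonymous_enable=YES\nlocal_enable=YES\n' > "$tmp/weak.conf"
cat > "$tmp/hardened.conf" <<'EOF'
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
EOF
check_vsftpd_conf "$tmp/weak.conf"      # prints two findings, exit status 1
check_vsftpd_conf "$tmp/hardened.conf"  # prints nothing, exit status 0
```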