Enable WordPress SFTP Updates

written by William Patton on April 25, 2012 in Server Management and WordPress Custom with 11 comments

UPDATED: August 2017.

I’ve learned a lot since I wrote this post. I realize the naivety of having the ability to install software on the server but not being able to update the files through CLI. Like I said: I have learned a lot. There has been some rewording, better formatting and additional information added to this post but it is essentially left as it was – even though it’s slightly embarrassing for me to let people know I once worked so inefficiently.

When you are updating WordPress, or any themes and plugins you might be asked for access credentials, like FTP details. FTP is not the only connection method offered – if your server has the ability it might also give the option to use SFTP with username and password – or even with a private/public key pair.

There are a number or reasons WordPress might ask for credentials to install something or perform an update. The most common is inconsistent file permission and executing files as a user that doesn’t own them. The server user may execute the files as apache but apache may not have permission to overwrite files created or owned by your FTP user. Inconsistent file permissions paired with mismatched usergroups and can result in all kinds of nightmares.

Performing Updates Without Username And Password

To allow WordPress to run updates through the dashboard – and, most importantly, perform automated updates when security releases happen – you should make sure that the user running the PHP scripts has permission to read and write the files and directories that it needs to.

There might be legitimate reasons to have file owner and server user different. Certain security policies may require such configurations (on shared hosts this is employed often). Most of the time you will want WordPress to have permission to modify all, or most, of the files that make up it’s whole installation.

  • An easy way (but the WORST way) to give make this happen is to set file permissions to 777. Owner, Group and Public can execute the files. If the groups are configured correctly 755 would be a better option.
  • Run PHP as the file owner instead of the server user. Another workaround would be to make sure that after uploading files with your user account the owner is changed to the server owner or execution permissions is granted to the user group that you share but that can be a pain to manage on each upload.

Both options would work but the 2nd option is by far the better choice.

WordPress Core Updates via SFTP

If you are prompted for credentials at install or update and want to make sure that the connection is secure you should use SFTP instead of standard FTP. If all you have is the option for FTP you will need to install a small piece of software on the server. If you’re not allowed to install software, or are otherwise unable to get SFTP and SSH enabled for updates, then contact me or leave a comment, and I’ll help you however I can.

Sometimes files are not stored on the machine that they are directly served to the visitor from. When you connect through the dashboard to the backend server you’re not always talking to the same machine. The connection may travel through the internet and in those situations it’s better to connect to the storage location with as secure a connection as possible. SFTP is probably the most secure connection you will be able to make with any kind of standard WP installation.

My initial investigation into this was because I kept receiving the ‘Failed to connect to FTP Server‘ error when trying to run a WordPress Core update through the dashboard on one of my sites. I had double checked the FTP user and password and even created a new user just for this very purpose – but still it failed. Farther testing in showed that no response was being recieved from the connection attempt at all. I was perfectly able to connect using SFTP just like I usually do though.

It turns out the FTP server on this particular server I had configured to use different ports to stave off a brute force attempt. The FTP server was running on non-default ports, which I had long forgotten.

So the situation was: WordPress Core update needing done. The first way of doing so that came to mind was via manually uploading the files through SFTP. Eeek…

I really didn’t like the idea of doing that with over a dozen different WordPress instances so I found a slightly better way. Enable SFTP over SSH in my WordPress install. After a little bit of thought and some searching I found that Jon over at Snowulf had found the exact solution that I was looking for. He even had the exact commands to issue in a shell terminal on my server.

All I had to do was install “libssh2-php” – which is the PHP bindings for libssh2 and restart Apache. It worked a treat and now any time that WordPress needs to update files it can do so with a secure connection the the file server.

Note: Thanks to Chris Barklow who pointed out in the comments that if you’re not logged in as the root user you need to sudo to restart Apache. You might also need it to install packages depending on your security set-up. I’ve updated the commands to show that.

Installing libssh2.php is a piece of cake on Ubuntu, just connect to your server however you like and run these commands:

sudo apt-get install libssh2-php
sudo /etc/init.d/apache2 restart

If you run a distro other than Ubuntu then you should still be able to find ssh2 by searching your package manager for “libssh2“, installing and then restarting Apache.

Next time you see the connection screen you will have the choice of connecting via SSH which will use SFTP. All you need to enter is your username and password, or your key if you have that set up on the server, and treat it the same as the old FTP upload screen provided in WordPress.