Enable WordPress SFTP Updates
UPDATED: August 2017.
I’ve learned a lot since I wrote this post. I realize the naivety of having the ability to install software on the server but not being able to update the files through CLI. Like I said: I have learned a lot. There has been some rewording, better formatting and additional information added to this post but it is essentially left as it was – even though it’s slightly embarrassing for me to let people know I once worked so inefficiently.
When you are updating WordPress, or any themes and plugins you might be asked for access credentials, like FTP details. FTP is not the only connection method offered – if your server has the ability it might also give the option to use SFTP with username and password – or even with a private/public key pair.
There are a number or reasons WordPress might ask for credentials to install something or perform an update. The most common is inconsistent file permission and executing files as a user that doesn’t own them. The server user may execute the files as
apache may not have permission to overwrite files created or owned by your FTP user. Inconsistent file permissions paired with mismatched usergroups and can result in all kinds of nightmares.
Performing Updates Without Username And Password
To allow WordPress to run updates through the dashboard – and, most importantly, perform automated updates when security releases happen – you should make sure that the user running the PHP scripts has permission to read and write the files and directories that it needs to.
There might be legitimate reasons to have file owner and server user different. Certain security policies may require such configurations (on shared hosts this is employed often). Most of the time you will want WordPress to have permission to modify all, or most, of the files that make up it’s whole installation.
- An easy way (but the WORST way) to give make this happen is to set file permissions to 777. Owner, Group and Public can execute the files. If the groups are configured correctly 755 would be a better option.
- Run PHP as the file owner instead of the server user. Another workaround would be to make sure that after uploading files with your user account the owner is changed to the server owner or execution permissions is granted to the user group that you share but that can be a pain to manage on each upload.
Both options would work but the 2nd option is by far the better choice.
WordPress Core Updates via SFTP
If you are prompted for credentials at install or update and want to make sure that the connection is secure you should use SFTP instead of standard FTP. If all you have is the option for FTP you will need to install a small piece of software on the server. If you’re not allowed to install software, or are otherwise unable to get SFTP and SSH enabled for updates, then contact me or leave a comment, and I’ll help you however I can.
Sometimes files are not stored on the machine that they are directly served to the visitor from. When you connect through the dashboard to the backend server you’re not always talking to the same machine. The connection may travel through the internet and in those situations it’s better to connect to the storage location with as secure a connection as possible. SFTP is probably the most secure connection you will be able to make with any kind of standard WP installation.
My initial investigation into this was because I kept receiving the ‘Failed to connect to FTP Server‘ error when trying to run a WordPress Core update through the dashboard on one of my sites. I had double checked the FTP user and password and even created a new user just for this very purpose – but still it failed. Farther testing in showed that no response was being recieved from the connection attempt at all. I was perfectly able to connect using SFTP just like I usually do though.
It turns out the FTP server on this particular server I had configured to use different ports to stave off a brute force attempt. The FTP server was running on non-default ports, which I had long forgotten.
So the situation was: WordPress Core update needing done. The first way of doing so that came to mind was via manually uploading the files through SFTP. Eeek…
I really didn’t like the idea of doing that with over a dozen different WordPress instances so I found a slightly better way. Enable SFTP over SSH in my WordPress install. After a little bit of thought and some searching I found that Jon over at Snowulf had found the exact solution that I was looking for. He even had the exact commands to issue in a shell terminal on my server.
All I had to do was install “libssh2-php” – which is the PHP bindings for libssh2 and restart Apache. It worked a treat and now any time that WordPress needs to update files it can do so with a secure connection the the file server.
Note: Thanks to Chris Barklow who pointed out in the comments that if you’re not logged in as the root user you need to
sudo to restart Apache. You might also need it to install packages depending on your security set-up. I’ve updated the commands to show that.
Installing libssh2.php is a piece of cake on Ubuntu, just connect to your server however you like and run these commands:
sudo apt-get install libssh2-php sudo /etc/init.d/apache2 restart
If you run a distro other than Ubuntu then you should still be able to find ssh2 by searching your package manager for “libssh2“, installing and then restarting Apache.
Next time you see the connection screen you will have the choice of connecting via SSH which will use SFTP. All you need to enter is your username and password, or your key if you have that set up on the server, and treat it the same as the old FTP upload screen provided in WordPress.
Glad I could be of assistance! Rock on!
HI, what about custom port?
Firstly let me say thanks for visiting my site! I’ll do my best to help you if I can.
What do you want to get running on a custom port? Changing the ftp/ssh ports are easy just edit the config files associated with the service. The sshd config file will probably be located: /etc/ssh/sshd_config so just use
nano /etc/ssh/sshd_config(of any other editor you want) to edit it then restart the service. The ftp config file might be in a load of different locations depending on what package controls it so if you need help finding that out send me an email and I’ll give you a hand.
As for getting WordPress to use a different connection port – I’m not entirely sure how to do that through the admin panel, there is likely a plugin but I don’t know of one. You can, however, define the connection preferences for WP to use in the wp-config.php file like so:
you can specify a custom port after the ” : ” and you might also need to include the rest of the connection details, the full list of constants that you might need would be:
define('FTP_PLUGIN_DIR ', '/path/to/wordpress/wp-content/plugins/');
Those are all the constants you might need for both ftp or ssh.
If you have any other problems just give me a shout and I’ll be happy to help out wherever I can.
Just wanted to say this article was a huge help for me! I was having a heck of a time trying to figure out how to connect via SFTP to update plugins and install themes and your solution worked like a charm. One note, since I wasn’t connected to my server as root I had to add “sudo” in front of the apache2 restart command to get that to work. Thanks again!
Glad I could help, Chris.
That’s a good point about needing to have root privileges to restart Apache. I’ll add a note to the article about it for anyone who needs to know that in the future.
If you need any more help with anything WP or Server related feel free to give me a shout anytime 🙂
Thanks for your post!
Unfortunately I still can’t get WP updates/plugin installs to work over SSH (FTP over SSH).
The error I’m getting:
“Failed to connect to SSH2 Server servername:portnumber”
Some information about my environment:
– Standard Centos 6.5 install with LAMP
– I use a non-standard SSH port (iptables is also configured)
– Apache is configured with some virtual hosts
– WP is installed on 1 of the vhosts, there is 1 specific WP user in centos that I use for SFTP and installing plugins (at least ‘trying to use for installing plugins’ 😉
– Installed the ssh2 package (yum install gcc php-devel php-pear libssh2 libssh2-devel)
– Added line with “extension=ssh2.so” to /etc/php.d/ssh2.ini
– Created a key pair for the SFTP user (tried with 4096 bytes and 2048)
– Set permissions and ownership of the priv/pub/authkeys to the SFTP user
I have changed every FTP value in the connection information when a plugin is about to be installed, to see if this error also happens with an incorrect user/pass/keylocation, but unfortunately it does…so I’m guessing that the ‘process’ doesn’t even get to the point of checking credentials and stuff.
I have the feeling that I have a very default setup, all tutorials I have read apply to my situation.
So my main question is, do you recognize this situation? Is there a way to check where this connection bumps into? (I mean something error-log like…). Or do I need to configure something in the ssh2 php package?
Thanks in advance! If I should provide more information, please let me know!
Glad you found this post useful but sorry you still can’t get it to work. I’ve never actually used this technique with a keypair so can’t comment on that side of things but I do know that when I installed this originally (on ubuntu) it worked right out of the box. Since then I’ve installed it on a bunch of different CentOS boxes by installing the libssh2 and libssh2-devel packages and again it works after install – no additional steps required.
I have a feeling that the issue here has something to do with the custom port your running the ssh daemon on. I don’t remember correctly but is there a way of you telling WP to try connect to your custom port number on the install screen? Additionally there could be permission based issues with you using a different user to upload files than the server owner – need to make sure that your WP SFTP user has permissions to edit files owned by the server owner. Not that you would have encountered any permissions issues yet because you haven’t actually managed to get this to upload anything lol
Also it’s been a while since I’ve saw this install screen because I run the upload script (and all php) as the server owner so it doesn’t need me to add any credentials – because the user already has permissions to modify files in that directory. Maybe you want to get it to work like this (no user and pass needed to install/update).
The reason I wanted to allow sftp uploads and updates was because I couldn’t actually connect to ftp on the box I had the sites running on (due to it being a custom port and me not knowing) so I’m curious as to your reasons for needing to use sftp. Obviously it’s much more secure for sending credentials and securing the data in transit – which is a great reason in it’s self! But are there any other reasons why you need to do it with sftp?
Thanks for your suggestions!
I know that the ssh2 package is installed and running (checked in a test php file and using “php -m | grep sshs”). And the WordPress connection screen also provides the SSH2 type of connection, so I am guessing that this is not the issue.
I will try it with the standard SSH port, you might be right that this is messing up the WP connection.
You also mentioned that you have never used this technique with a keypair… I thought that using SSH2 always requires you to use a set of keys instead of a single password. Optionally with a passphrase (which I haven’t used).
Is it possible to authenticate through SSH2 without using keys?
The SFTP user I want to use is the owner of the WP instance and all it’s folders and files, this should be enough, right?
The only reason for me to use SFTP is because of security. I don’t want to run an FTP server on my machine, so ftp over SSH seems like the most logical way of transferring files…
I forgot to mention this previously but you can actually define the port you want to connect to in the
wp-config.phpfile using this code:
I know it asks for the
FTP_HOSTbut the value gets used for all connections methods (including SSH). Just put whatever your host and port number in there and add it to the config file.
It is possible to authenticate through SSH without the use of a keypair using just a password. Using that method the user account is no more secure from unauthorized access than a standard FTP user but at least the transfer is still being encrypted.
If you use keypairs then there’s no reason to revert to using a standard username and password system 🙂
As far as the SFTP user being the owner of the files and folders – that’s how it should be but simply having the user own the files isn’t enough to bypass the ftp details screen. The reason it works for me is because I also execute the files as the SFTP user.
Most standard hosting configurations I’ve seen run php files as the ‘apache’ user. I’ve changed that on my server so that I run them in FastCGI mode as the virtual host’s owner – which is a local user account.
The user that runs the files is the same user that I upload files as. If a local user wants to edit files that it owns then it can do so freely so there is no connection required – so no extra authentication needed and no reason for WP to show the ftp screen.
Thanks again William, for your extensive answer.
Tried all your suggestions, even setting the user back to authentication without keys, no luck.
Also tried setting back the SSH port to the default one, but this didn’t also do anything.
I guess I will manually install and update WordPress and the plugins, as this will not happen that often. I really don’t want to run an FTP server on my machine because of the security.
Thanks for all your help!
Hey again Emile,
I don’t really know what to suggest you try and do next to get this working. Doing manual updates for now isn’t much of a problem but long term it could get really frustration.
Since you’ve got access to the server it’s probably an idea to take a look in the logs and see if any errors are being reported there. On CentOS those are usually stored at
/var/logs/Sometimes there’s an apache folder there but other times apache reports to a custom destination. First check
/var/log/messages/and see if the connection is being refused.
There’s gotta be output of some kind somewhere that we can use to try find out the cause of this.