Automatic WordPress Updates Using Ftp/ftps or SSH

Introduction

When working with WordPress on a more secure environment

Where websites is not entirely world-writable,

You'll notice upgrades request FTP or FTPS credentials

As the server itself does not typically has write access in properly-configured environments.

Entering these credentials for every upgrade can become quite tedious,

And WordPress has implemented some constants

You can define within wp-config.php to make upgrades automatic.

It should be noted this is the can also make upgrades automatic

By setting the file ownership of all files within the WordPress directory

To the same user/group under which the webserver is running.

This is horrible SECURITY practice!

While storing your FTP credentials for a specific user can also is considered insecure in certain instances,

It can be a very safe method to automate WordPress updates under the proper conditions.

Some general considerations which can make stored credentials MUCH more secure include:

Ftp:

1. Creating a separate user and restricting it access to only allow connections from localhost
2. Ensuring your FTP daemon is ' chrooting ' the user to their own directory only
3. Configuring your FTP daemon to listen only on localhost, thus preventing external connections
4. Using something more secure than FTP, such as Ssh-yes, we realize the one does not actually improve FTP security

Ssh:

1. Creating A separate user (usually an alias with the same UID, different GID) and
Restricting access to only localhost for this specific user in sshd_config with the allowhosts option
2. Creating Some advanced SSH configuration such as chrooted sftp-only users
3. Using public key authentication, which can further secured
By specifying a "from" address in the user ' s Authorized_keys file

There is several other ways one can make their Ftp/ftps or SSH setup more secure,
But they is far beyond the scope of this post and can vary greatly in their application
Due to the hosting environment and several other factors.
We is going to assume your ' re already working with a secure setup for the purposes of this guide.

WordPress Upgrade Constants

From the WordPress Codex, the following constants is available to define FTP and SSH credentials in wp-config.php:

Fs_method

This setting forces the filesystem (or connection) method, and your probably won ' t need to adjust or define it.
It can be one of the: "Direct", "Ssh2″," "Ftpext", or "ftpsockets".

WordPress would automatically determine the proper method using the following preferential order:
-(Primary Preference) "Direct" causes the use of direct file I/O requests from within PHP,
But this requires the webserver to has write access to your WordPress installation, which are not recommended.
This setting is chosen automatically when the permissions allow.
-(secondary Preference) "Ssh2″allows forcing usage of the SSH2 PHP extension if installed (via PECL).
-(3rd Preference) "Ftpext" allows forcing the usage of the FTP PHP extension (this was usually the default when you connect Via Ftp/ftps).
-(4th Preference) "Ftpsockets" utilizes the PHP Sockets class for FTP access (far less common, but can resolve FTP connect Ion issues in rare cases).

Ftp_base is the full path to the "BASE" (absolute path) folder of your WordPress installation.

Ftp_content_dir is the full path to the Wp-content folder of your WordPress installation.

Ftp_plugin_dir is the full path to the plugins folder of your WordPress installation.

Ftp_pubkey is the full path to your SSH public key.

Ftp_prikey is the full path to your SSH private key.

Ftp_user is either your FTP or SSH username, depending on which method.

Ftp_pass is the password for the username entered for Ftp_user. If you are using the SSH public key authentication, the This can is left blank.

Ftp_host is the hostname[:p ORT] combination for your SSH/FTP server.
The default FTP port is + and the default SSH port is 22.
You have need to specify the port if using a non-standard one.

Ftp_ssl is only for FTPS connections, and should isn't be defined
Unless you has already configured your FTP daemon to support TLS.
Note–sftp is isn't the same thing, so make sure to do not confuse the other.

Here's a example of the most common configuration options with sample values so you can see the proper method of defining them within wp-config.php:

Define (' Fs_method ', ' Ftpext ');d efine (' ftp_base ', '/path/to/wordpress/');d efine (' Ftp_content_dir ', '/path/to/ wordpress/wp-content/');d efine (' Ftp_plugin_dir ', '/path/to/wordpress/wp-content/plugins/');d efine (' FTP_PUBKEY '), '/home/username/.ssh/id_rsa.pub ');d efine (' Ftp_prikey ', '/home/username/.ssh/id_rsa ');d efine (' FTP_USER ', ' Username ');d efine (' ftp_pass ', ' password ');d efine (' ftp_host ', ' ftp.example.org ');d efine (' Ftp_ssl ', false);

To configure FTP/FTPS, your simply define the necessary constants from the list above in wp-config.php.
A minimal configuration requires at least
Ftp_base, Ftp_user, Ftp_pass and ftp_host (usually 127.0.0.1).
Enter These required constants, also adding Ftp_ssl (true) if using FTPS,
Then your next upgrades should is automatic,
And you should no longer is prompted to enter these details.

Enabling SSH support in WordPress Using the PECL SSH2 extension

Most users is not aware of this, but WordPress already supports SSH connections in addition to FTP/FTPS by simply Enablin G The SSH2 extension in PHP. Let's begin by installing the SSH2 extension via PECL.

On Rhel/centos, you'll need the Php-devel, php-pear and libssh2/libssh2-devel packages and a working compiler/developmen T libraries if you installed PHP via Yum (rpm-based installation):

# yum Install php-devel php-pear gcc gcc-c++ make automake autoconf pcre-devel re2c libssh2 libssh2-devel

With the necessary prerequisites installed, you can now use the CLI tool ' pecl ' to automagically install the extension for You:

# pecl Install ssh2-0.12

The reason we need to define the version here's to avoid a error message about the extension being in "beta," since ther E was never a release of this particular extension, was labeled as "stable." Once the installation completes successfully, you'll be presented with a success message that instructs you to enable the Extension in php.ini. When using CentOS, each extension's INI file is stored separately from the main php.ini for cleanliness and easy addition/ Removal of extensions. To Update/etc/php.d/ssh2.ini, we'll use the following command:

# echo "extension=ssh2.so" >/etc/php.d/ssh2.ini

Now, running ' php-m ' should show the SSH2 extension in the list of extensions. If you see it there, you must now restart your PHP processor (we ' ll assume it's Apache):

#/etc/init.d/httpd Restart

You now have the SSH2 extension installed and enabled. If you had not already entered no constants in wp-config.php, you can attempt an upgrade or plugin Installation/deletion And you'll now see a new radio button this says SSH, in addition to the FTP and FTPS choices your ' ve always had. To complete this configuration, you can now just enter the same minimal options used above, possibly including the Fs_meth OD constant (SSH2) to ensure only SSH connections is attempted. However, we assume you would rather use the most secure method can, so let's configure SSH with public key Authenticat Ion.

We ll start by generating a public/private keypair, which we'll later define in wp-config.php:

# ssh-keygen-t Rsa-b 4096Generating public/private RSA key pair. Enter file in which to save the key (/ROOT/.SSH/ID_RSA):/home/user1/wp_rsaenter passphrase (empty for no passphrase): Ente R same Passphrase Again:your identification has been saved In/home/user1/wp_rsa. Your public key has been saved in/home/user1/wp_rsa.pub.the key fingerprint is:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx: xx:xx:xx [email protected]

The location of the keys should being somewhere outside of your webroot, so the user's home directory is usually a safe choic E. You should not enter a password here, as there has been many issues getting passworded SSH keys to work properly with Wordpress. After creating the keypair, we need to make it readable by the webserver (we ' ll assume your webserver runs under the "APAC He "user for simplicity):

# chown user1:apache/home/user1/wp_rsa# chown user1:apache/home/user1/wp_rsa.pub# chmod 0640/home/user1/wp_rsa# chmod 0640/home/user1/wp_rsa.pub

Next, you just need to edit wp_rsa.pub to specify the ' from= ' option and add the contents to the Authorized_keys file in/ Home/user1/.ssh/authorized_keys:

# vim/home/user1/wp_rsa.pub

You can use the whichever editor (vi, Nano, emacs, etc), so there ' s no need to cry. Once you ' ve opened the file, add the following ' from= ' restriction on the beginning of the line (there should is only one Very long line) right before Ssh-rsa and the key data:

From= "127.0.0.1" Ssh-rsa ...

Now, we can actually place the public key ' s contents in the user's Authorized_keys file:

# mkdir/home/user1/.ssh# Chown user1:user1/home/user1/.ssh/# chmod 0700/home/user1/.ssh/# cat/home/user1/wp_rsa.pub & gt;>/home/user1/.ssh/authorized_keys# chown user1:user1/home/user1/.ssh/authorized_keys# chmod 0644/home/user1/ . Ssh/authorized_keys

As long as Pubkeyauthentication is enabled with Sshd_config (default), you should now are ready to configure wp-config.php fo R Automatic SSH Upgrades:

Define (' Ftp_pubkey ', '/home/user1/wp_rsa.pub ');d efine (' Ftp_prikey ', '/home/user1/wp_rsa ');d efine (' Ftp_user ', ' User1 ');d efine (' Ftp_pass ', ');d efine (' ftp_host ', ' 127.0.0.1:22 ');

From now on, installing/removing/upgrading WordPress and it plugins should no longer prompt you for credentials. Happy blogging!

Automatic WordPress Updates Using Ftp/ftps or SSH