This is a complete guide for setting up WordPress to do secure ftps updates under Ubuntu, tested under Ubuntu 10.10. I assume you have a working WordPress installation and sudo access on the server. If you have any ideas for improving the security of this, please let me know and I’ll update the guide.
Install the vsftpd server software:
sudo apt-get install vsftpd
Edit the configuration file for vsftpd to enable ftps:
sudo vi /etc/vsftpd.conf
The following is my entire vsftpd.conf file; I shut down anonymous access and even changed the port that vsftpd listens on to throw off low-level script attacks. I stripped out all the nice comments in the file to make this howto a bit more readable. If you paste this in, be sure to delete everything else or make sure there aren’t any duplications:
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
anon_world_readable_only=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
connect_from_port_20=NO
listen_port=2112
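Before starting the server, the file can be checked for the duplications mentioned above and for the TLS settings this guide relies on. The shell function below is an added example, not part of the original guide; the names audit_vsftpd_conf and sample_conf, and the rule that each listed option must be set explicitly, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original guide): audit a vsftpd.conf.
# Usage after sourcing this file: audit_vsftpd_conf /etc/vsftpd.conf
# Exit status is 0 when nothing is flagged, 1 otherwise.
audit_vsftpd_conf() {
    awk '
    BEGIN {
        # Values the guide sets for encrypted, non-anonymous logins.
        # Assumption of this example: each must appear explicitly.
        want["anonymous_enable"] = "NO";  want["ssl_enable"] = "YES"
        want["allow_anon_ssl"] = "NO";    want["ssl_sslv2"] = "NO"
        want["force_local_logins_ssl"] = "YES"; want["ssl_sslv3"] = "NO"
        want["force_local_data_ssl"] = "YES"
    }
    /^[ \t]*(#|$)/ { next }   # skip comments and blank lines
    {
        eq = index($0, "=")
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        # vsftpd rejects spaces between the option, "=" and the value.
        if (eq == 0 || key ~ /[ \t]/ || val ~ /^[ \t]/) {
            printf "MALFORMED line %d: %s\n", NR, $0; bad++; next
        }
        if (key in seen) {
            printf "DUPLICATE %s (lines %d and %d)\n", key, seen[key], NR; bad++
        }
        seen[key] = NR; value[key] = val
    }
    END {
        for (k in want) {
            if (!(k in value)) {
                printf "UNSET %s (guide sets %s)\n", k, want[k]; bad++
            } else if (toupper(value[k]) != want[k]) {
                printf "WEAK %s=%s (guide sets %s)\n", k, value[k], want[k]; bad++
            }
        }
        # ssl-cert-snakeoil is the self-signed certificate from Ubuntu ssl-cert.
        if (value["rsa_cert_file"] ~ /snakeoil/)
            print "NOTE rsa_cert_file is the self-signed snakeoil certificate"
        exit (bad > 0)
    }' "${1:--}"
}

# Constructed sample (not from the page): duplicate key, space after "=".
sample_conf() {
    printf "%s\n" "anonymous_enable=NO" "ssl_enable=YES" "ssl_enable=NO" \
        "force_local_logins_ssl= YES" "listen_port=2112"
}
```

With no argument the function reads the configuration from standard input, so sample_conf | audit_vsftpd_conf shows the findings for the constructed sample.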
Now start the vsftpd server:
sudo start vsftpd
Add a bit of code to the wp-config file to enable uploads:
sudo vi /var/www/wp-config.php
Add the following code to the end:
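if ( is_admin() ) {
    // Force the 'direct' filesystem method for admin requests.
    // A closure replaces create_function(), which was removed in PHP 8.
    add_filter( 'filesystem_method', function ( $a ) { return 'direct'; } );
    // Permissions WordPress applies to directories it creates.
    define( 'FS_CHMOD_DIR', 0751 );
}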
Now create the ftps user, making their default directory our web directory:
sudo adduser ftps --home /var/www
NOTE: Don’t worry about the warning about the home directory. Give the ftps user a good, solid password: use nonsense words, spaces, and characters like %, $ and #. Store the password somewhere safe, as you’ll be using this user and password to update WordPress.
Add the ftps user to the www-data group:
sudo vi /etc/group
In that file look for this line:
www-data:x:33:
and add the ftps user to the group by adding ‘ftps’ to the end of that line:
www-data:x:33:ftps
Change the www directory and all files in it to be owned by the www-data group:
sudo chgrp -R www-data /var/www
Make the www directory writable by the www-data group:
sudo chmod -R g+w /var/www
You can now do updates automatically. For the host, enter the name of your website followed by “:2112”, so if your website was foobar.com, you’d enter this:
foobar.com:2112
Username is “ftps” and the password is what you chose earlier. Be sure to select “ftps” as the option. Enjoy!