Setting up FTPS using vsftpd for WordPress plugin auto-upgrade
One of the handy features in the latest WordPress is one-click plugin upgrades from the WordPress administration interface. It needs FTP or FTPS access to the server that hosts your WordPress installation. But turning on FTP for (non-anonymous) users is a bad idea: FTP transfers user passwords as plain text during authentication. This is a serious security concern and the primary reason not to turn on FTP for user accounts. However, WordPress also supports FTPS, which is FTP over SSL. This shouldn't be confused with SFTP (SSH FTP, or Secure FTP). FTPS uses TLS or SSL to protect authentication and commands. Let us see how to set up FTPS on a server using vsftpd.
Using the package manager for your distribution, install vsftpd. On Debian and Ubuntu, it can be installed by the following command.
$ sudo apt-get install vsftpd
Edit /etc/vsftpd.conf and do the following.
Uncomment the local_enable and write_enable lines.
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
Override the umask for local users to 022 by uncommenting the local_umask line
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
NOTE: If you skip this step, the plugin directory will be unreadable by your web server and you will start getting PHP include errors. If this happens, you have to disable the plugin and either remove the directory or change its permissions to 755.
Turn on SSL by adding the following lines. This will disable plain FTP and allow only FTPS.
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
It is assumed that the RSA certificate and key are in the standard locations /etc/ssl/certs/ssl-cert-snakeoil.pem and /etc/ssl/private/ssl-cert-snakeoil.key respectively. If not, create these and put them there.
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
# This option specifies the location of the RSA key to use for SSL
# encrypted connections.
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
Restart vsftpd by issuing the following command.
$ sudo /etc/init.d/vsftpd restart
Now your vsftpd is ready to serve FTPS connections.
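A check for the finished configuration, as an added example that is not part of the original post: the script reads a vsftpd.conf and reports FTPS settings that leave logins or transfers unprotected, including the obsolete SSLv2 and SSLv3 protocol versions and the self-signed snakeoil certificate. The function names and the sample file are assumptions made for the example; the defaults passed to conf_on are vsftpd's built-in ones.

```sh
#!/bin/sh
# Added example, not from the original post: audit a vsftpd.conf for the FTPS
# settings this page configures. DEFAULT arguments are vsftpd's built-in defaults.

# conf_on FILE KEY DEFAULT: succeed if KEY's effective value is YES/TRUE/1.
# Comment lines are skipped; a later assignment overrides an earlier one.
conf_on() {
    v=$(awk -F= -v k="$2" -v d="$3" '
        /^[ \t]*#/ { next }
        $1 == k { v = $2 }
        END { print toupper(v == "" ? d : v) }' "$1")
    case $v in YES|TRUE|1) return 0 ;; *) return 1 ;; esac
}

flag() { echo "$1"; rc=1; }

# audit_vsftpd_conf FILE: print one finding per line; return 1 if there are any.
audit_vsftpd_conf() {
    f=$1; rc=0
    conf_on "$f" ssl_enable NO || flag "ssl_enable is off: only plain FTP is served"
    conf_on "$f" force_local_logins_ssl YES || flag "force_local_logins_ssl is off: clear-text logins accepted"
    conf_on "$f" force_local_data_ssl YES || flag "force_local_data_ssl is off: transfers may be unencrypted"
    if conf_on "$f" allow_anon_ssl NO; then flag "allow_anon_ssl is on"; fi
    for proto in ssl_sslv2 ssl_sslv3; do
        if conf_on "$f" "$proto" NO; then flag "$proto is on: obsolete protocol version accepted"; fi
    done
    if grep -Eq '^rsa_cert_file=.*snakeoil' "$f"; then
        flag "rsa_cert_file is the self-signed snakeoil certificate: clients cannot verify the server"
    fi
    return $rc
}

# Constructed sample: the settings from this page, written to a temp file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
local_enable=YES
write_enable=YES
local_umask=022
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
EOF
audit_vsftpd_conf "$sample" || echo "review the findings above"
```

To audit the live file, call audit_vsftpd_conf /etc/vsftpd.conf after editing it and before restarting vsftpd.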