Praveen's Blog

An Eternal Quest for Incremental Improvement

Setting up FTPS using vsftpd for Wordpress plugins auto upgrade

One of the handy features in the latest Wordpress is the support to upgrade plugins in one click through the Wordpress administration interface. It needs FTP or FTPS access to the server where you have hosted your Wordpress installation. But turning on FTP for users (non-anonymous) is a bad idea. Using FTP involves transferring user passwords as plain text during authentication. This is a great security concern and the primary reason for why one shouldn't turn on FTP for user accounts. However, Wordpress also supports FTPS, FTP over SSL. This shouldn't be confused with SSH FTP or Secure FTP. FTPS uses TLS or SSL for authentication and commands. Let us see how to setup FTPS on a server using vsftpd.

Install vsftpd

Using the package manager for your distribution, install vsftpd. On Debian and Ubuntu, it can be installed by the following command.

$ sudo apt-get install vsftpd

Configure FTPS

Edit /etc/vsftpd.conf and do the following.

Comment out anonymous_enable line

# Allow anonymous FTP? (Beware - allowed by default if you comment this out).

Uncomment local_enable and write_enable lines

# Uncomment this to allow local users to log in.
# Uncomment this to enable any form of FTP write command.

Override the umask for local users to 022 by uncommenting the local_umask line

# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)

NOTE: Failing to do this, will make the plugin directory unreadable by your webserver and you will start getting PHP include errors. If this happens, you have to disable the plugin and remove the directory or change the permission of the directory to 755.

Turn on SSL by adding the following lines. This is disable plain FTP and allow only FTPS


It is assumed that the RSA certificate and key are in the standard locations /etc/ssl/certs/ssl-cert-snakeoil.pem and /etc/ssl/private/ssl-cert-snakeoil.key respectively. If not, create these and put them there.

# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
# This option specifies the location of the RSA key to use for SSL
# encrypted connections.

Restart vsftpd

Restart vsftpd by issuing the following command.

$ sudo /etc/init.d/vsftpd restart

Now your vsftpd is ready to serve FTPS connections.