[CDBUG-talk] FTP user for Wordpress Management

freebsd at fongaboo.com freebsd at fongaboo.com
Mon Aug 15 14:49:09 EDT 2016


Thanks for helping me walk this all through... Yeah this is definitely the 
case of finding the lesser evil between atrophied Wordpress and plugin PHP 
code and the perils of FTP.

You make a great point that since the PHP-based FTP client is run on the 
server by apache, there is no need to traverse the NIC and localhost can 
be used as the hostname. In which case, I'm wondering if I can somehow 
force Wordpress to only be able to connect to localhost?


On Mon, 15 Aug 2016, Patrick Muldoon wrote:

>
>> On Aug 15, 2016, at 10:47 AM, Jaime <jaime at snowmoon.com> wrote:
>>
>> On Monday, August 15, 2016, Dustin J. Mitchell <dustin at v.igoro.us> wrote:
>> To be fair, just about any wordpress installation is so ridiculously insecure that this hardly matters.  The sites themselves are almost never behind SSL..
>>
>> That sounds a lot like, "My cholesterol is so high that it doesn't matter if I stop eating salted lard or not."
>>
>> You have to start somewhere.
>
> Have any of you actually met your average user that wants webhosting? For a non-trivial amount of them FTP is a challenge, hence the want to use Wordpress so they can drag/drool their way through it. And in mass hosting giving the above person shell access is horrible.
>
> And from what I've seen, the majority of hosting works this way.
>
> Customer pays "web developer" a dumb amount of money for a website. "Web developer" installs WP, and a template. Then basically GTFOs. Customer uses WP-ADMIN to add content, etc... Never updating anything (this is better now, but developers' choice of sketchy plugins still an issue). Site gets compromised, fight between Developer and Customer 'cause Customer didn't pay for the maintenance, customer gets new "developer", lather, rinse, repeat...
>
> :)
>
> Now that being said it is entirely possible to use FTPS/SFTP for all the interactions off net and just run an FTP server on localhost for the tool to interact with each WP instance.  If someone sniffs your password on localhost, then you've got way more issues than SSL is going to solve..
>
> -Patrick
>
> --
> Patrick Muldoon
> Network/Software Engineer
> INOC (http://www.inoc.net)
>
> Don't try to out-weird me, three eyes. I get weirder things than you in my breakfast cereal.
>    - Zaphod Beeblebrox, The Hitchhiker's Guide to the Galaxy
>
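
A check for the localhost-only FTP setup discussed in the quoted reply, as an added example that is not part of the original thread: it reads FreeBSD `sockstat -4 -6 -l` output and lists any port-21 listener bound to a non-loopback address. The function names and sample lines are constructed for illustration, and an FTP daemon on the standard port 21 is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). On a live FreeBSD host, run:
#   sockstat -4 -6 -l | nonlocal_ftp_listeners
# Column 2 is COMMAND, column 5 is PROTO, column 6 is LOCAL ADDRESS.

# Print "command address" for every TCP listener on port 21 that is not
# bound to loopback. Prints nothing when FTP is reachable only via localhost.
nonlocal_ftp_listeners() {
    awk '
        $5 ~ /^tcp/ && $6 ~ /:21$/ {
            addr = $6
            sub(/:21$/, "", addr)          # strip the port, keep the address
            if (addr !~ /^127\./ && addr != "::1")
                print $2, $6
        }
    '
}

# Constructed sample: ftpd bound to loopback only (the intended setup).
sample_ok() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ftpd       812   3  tcp4   127.0.0.1:21          *:*
root     sshd       640   4  tcp4   *:22                  *:*
www      httpd      901   4  tcp4   *:80                  *:*
EOF
}

# Constructed sample: ftpd also listening on the wildcard address.
sample_exposed() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ftpd       812   3  tcp4   *:21                  *:*
root     ftpd       812   4  tcp6   ::1:21                *:*
www      httpd      901   4  tcp4   *:80                  *:*
EOF
}

# Demo on the constructed samples.
echo "loopback-only sample: $(sample_ok | nonlocal_ftp_listeners | wc -l | tr -d ' ') exposed listener(s)"
echo "exposed sample: $(sample_exposed | nonlocal_ftp_listeners)"
```

An empty result means the plain-FTP service is only reachable over the loopback interface; any line printed names a daemon that is still accepting FTP connections from the network.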


