[CDBUG-talk] FTP user for Wordpress Management
freebsd at fongaboo.com
Wed Aug 17 11:26:56 EDT 2016
I managed to create a user that is FTP-only and not chrooted (as far as
ProFTPd is concerned).
However, when I try to do a plugin update from the Wordpress dashboard, it
still fails. I've FTP'ed manually into the plugin directory corresponding
to the plugin I'm trying to update and managed to edit a file in-place in
that directory, so it would seem the permissions I've set are providing
the expected results.
But at this point I am not sure what is failing exactly and I'm not sure
what I can monitor to find out. I've tried looking at
/var/log/ftpdebug.log, but no matter what I seem to do, I only get entries
pertaining to initial login.
This is what the logging section of my proftpd.conf file looks like:
Extendedlog /var/log/ftpdebug.log AUTH
I believe it was originally at 2, but raising it doesn't seem to increase
verbosity at all.
Alternately, is there any kind of log I could debug on the PHP side of
things to see exactly what is being attempted by the dashboard when I
initiate a plugin update?
On Mon, 15 Aug 2016, freebsd at fongaboo.com wrote:
> Thanks for helping me walk this all through... Yeah this is definitely the
> case of finding the lesser evil between atrophied Wordpress and plugin PHP
> code and the perils of FTP.
> You make a great point that since the PHP-based FTP client is run on the
> server by apache, there is no need to traverse the NIC and localhost can be
> used as the hostname. In which case, I'm wondering if I can somehow force
> Wordpress to only be able to connect to localhost?
> On Mon, 15 Aug 2016, Patrick Muldoon wrote:
>>> On Aug 15, 2016, at 10:47 AM, Jaime <jaime at snowmoon.com> wrote:
>>> On Monday, August 15, 2016, Dustin J. Mitchell <dustin at v.igoro.us> wrote:
>>> To be fair, just about any wordpress installation is so ridiculously
>>> insecure that this hardly matters. The sites themselves are almost never
>>> behind SSL..
>>> That sounds a lot like, "My cholesterol is so high that it doesn't matter
>>> if I stop eating salted lard or not."
>>> You have to start somewhere.
>> Have any of you actually met your average user that wants webhosting? For a
>> non-trivial amount of them FTP is a challenge, hence the want to use
>> Wordpress so they can drag/drool their way through it. And in mass hosting
>> giving the above person shell access is horrible.
>> And from what I've seen, the majority of hosting works this way.
>> Customer pays "web developer" a dumb amount of money for a website. "Web
>> developer" installs WP, and a template. Then basically GTFOs. Customer
>> uses WP-ADMIN to add content, etc... Never updating anything (this is
>> better now, but developer's choice of sketchy plugins still an issue). Site
>> gets compromised, Fight between Developer and Customer cause Customer
>> didn't pay for the maintenance, customer gets new "developer", lather,
>> rinse, repeat...
>> Now that being said it is entirely possible to use FTPS/SFTP for all the
>> interactions off net and just run an FTP server on localhost for the tool
>> to interact with each WP instance. If someone sniffs your password on
>> localhost, then you've got way more issues than SSL is going to solve..
>> Patrick Muldoon
>> Network/Software Engineer
>> INOC (http://www.inoc.net)
>> Don't try to out-weird me, three eyes. I get weirder things than you in my
>> breakfast cereal.
>> - Zaphod Beeblebrox, The Hitchhiker's Guide to the Galaxy
>> CDBUG-talk mailing list
>> CDBUG-talk at lists.nycbug.org