[CDBUG-talk] FTP user for Wordpress Management

freebsd at fongaboo.com freebsd at fongaboo.com
Wed Aug 17 11:26:56 EDT 2016


I managed to create a user that is FTP-only and not chrooted (as far as 
ProFTPd is concerned).

However when I try to do a plugin update from the Wordpress dashboard, it 
still fails. I've FTP'ed manually into the plugin directory corresponding 
to the plugin I'm trying to update and managed to edit a file in-place in 
that directory, so it would seem the permissions I've set are providing 
the expected results.

But at this point I am not sure what is failing exactly and I'm not sure 
what I can monitor to find out. I've tried looking at 
/var/log/ftpdebug.log, but no matter what I seem to do, I only get entries 
pertaining to initial login.

This is what the logging section of my proftpd.conf file looks like:

Extendedlog     /var/log/ftpdebug.log   AUTH

DebugLevel      10


I believe it was originally at 2, but raising it doesn't seem to increase 
verbosity at all.

Alternately, is there any kind of log I could debug on the PHP side of 
things to see exactly what is being attempted by the dashboard when I 
initiate a plugin update?


On Mon, 15 Aug 2016, freebsd at fongaboo.com wrote:

>
> Thanks for helping me walk this all through... Yeah this is definitely the 
> case of finding the lesser evil between atrophied Wordpress and plugin PHP 
> code and the perils of FTP.
>
> You make a great point that since the PHP-based FTP client is run on the 
> server by apache, there is no need to traverse the NIC and localhost can be 
> used as the hostname. In which case, I'm wondering if I can somehow force 
> Wordpress to only be able to connect to localhost?
>
>
> On Mon, 15 Aug 2016, Patrick Muldoon wrote:
>
>> 
>>> On Aug 15, 2016, at 10:47 AM, Jaime <jaime at snowmoon.com> wrote:
>>> 
>>> On Monday, August 15, 2016, Dustin J. Mitchell <dustin at v.igoro.us> wrote:
>>> To be fair, just about any wordpress installation is so ridiculously 
>>> insecure that this hardly matters.  The sites themselves are almost never 
>>> behind SSL..
>>> 
>>> That sounds a lot like, "My cholesterol is so high that it doesn't matter 
>>> if I stop eating salted lard or not."
>>> 
>>> You have to start somewhere.
>> 
>> Have any of you actually met your average user that wants webhosting?  For a 
>> non-trivial amount of them FTP is a challenge, hence the want to use 
>> Wordpress so they can drag/drool their way through it. And in mass hosting 
>> giving the above person shell access is horrible.
>> 
>> And from what I've seen, the majority of hosting works this way.
>> 
>> Customer pays "web developer" a dumb amount of money for a website. "Web 
>> developer" installs WP, and a template. Then basically GTFOs.  Customer 
>> uses WP-ADMIN to add content, etc... Never updating anything (this is 
>> better now, but developer's choice of sketchy plugins is still an issue).  
>> Site gets compromised, fight between Developer and Customer 'cause Customer 
>> didn't pay for the maintenance, customer gets new "developer", lather, 
>> rinse, repeat...
>> 
>> :)
>> 
>> Now that being said it is entirely possible to use FTPS/SFTP for all the 
>> interactions off net and just run an FTP server on localhost for the tool 
>> to interact with each WP instance.  If someone sniffs your password on 
>> localhost, then you've got way more issues than SSL is going to solve..
>> 
>> -Patrick
>> 
>> --
>> Patrick Muldoon
>> Network/Software Engineer
>> INOC (http://www.inoc.net)
>> 
>> Don't try to out-weird me, three eyes. I get weirder things than you in my 
>> breakfast cereal.
>>    - Zaphod Beeblebrox, The Hitchhiker's Guide to the Galaxy
>> 
>> _______________________________________________
>> CDBUG-talk mailing list
>> CDBUG-talk at lists.nycbug.org
>> http://lists.nycbug.org/mailman/listinfo/cdbug-talk
>> 
>
>
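
Added example, not part of the original thread or of anyone's actual configuration: a proftpd.conf logging fragment for the situation described above. In ProFTPD the second argument to ExtendedLog is a list of command classes, and AUTH selects only the authentication commands, while DebugLevel output goes to the server log rather than to ExtendedLog files; the loopback binding follows the localhost suggestion in the thread. All file paths and the format nickname "wpdebug" are assumptions.

```apache
# Constructed proftpd.conf fragment; paths and the nickname are assumptions.

# Listen on loopback only: the WordPress FTP client runs under the web
# server on the same host, so nothing off-box needs to reach this daemon.
DefaultAddress   127.0.0.1
SocketBindTight  on

# Named format: client host, user, timestamp, raw command, reply code, bytes.
LogFormat        wpdebug "%h %u %t \"%r\" %s %b"

# AUTH class: authentication commands only (USER, PASS).
ExtendedLog      /var/log/ftpdebug.log  AUTH  wpdebug

# WRITE class: commands that write or upload files and directories.
# DIRS class: directory changes and listings.
# Together they show what a client attempts after it has logged in,
# including the reply code the server returned for each command.
ExtendedLog      /var/log/ftpcmds.log   WRITE,DIRS  wpdebug

# DebugLevel controls debug messages in the server log (SystemLog, or
# syslog when SystemLog is not set); it does not change ExtendedLog output.
SystemLog        /var/log/proftpd.log
DebugLevel       10
```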
