
I'm running a personal WordPress server and I have 3 pending updates:

  • WP update from 4.2.2 to 4.3.1.
  • Akismet plugin update to 3.1.5 which addresses XSS issues.
  • Twenty-fifteen theme update.

For each of these update types, WP is prompting for my FTP password. The page looks clean and there is an assurance (?) that my password will not be stored anywhere. The HTTP headers look clean but I can't be sure as I'm not really a security professional and I have very basic protection on my personal website server; not production-quality server toughness.

However, I'm still wary about all this. Why, after all this time, will WP suddenly need my FTP credentials? Moreover, I can't find any official mention that WP will now be asking for my FTP credentials for updates. Lastly, even if this is official and secure, isn't this vulnerable to man-in-the-middle attacks? My credentials can still end up in the wrong hands.

Or am I compromised? How do you suggest I address this? The updates are still pending and I have not given my FTP credentials.

skytreader

1 Answer


WordPress asks for FTP credentials when it does not have write permissions to the WordPress installation during installations or upgrades.

To avoid having issues with WordPress asking for FTP, simply change the privileges of the WordPress installation so that the user that the web server is running under can write to the WordPress installation.
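
The condition described in the answer can be checked from a shell without entering credentials into the page. This is an added example, not code from the answer or from WordPress: it judges writability from owner and mode bits alone, which approximates rather than reproduces WordPress's own detection. The function names, the `www-data` account and the `/var/www/html` path are assumptions.

```shell
#!/bin/sh
# Added example (not WordPress code): list the files and directories under a
# WordPress root that a given uid/gid cannot write to, judged from owner and
# mode bits only. Assumptions: GNU or busybox stat (-c); ACLs, supplementary
# groups and read-only mounts are ignored; paths contain no newlines.
#
# Usage (account and path are assumptions, adjust to your server):
#   wp_update_mode /var/www/html "$(id -u www-data)" "$(id -g www-data)"

# mode_allows_write OWNER GROUP MODE UID GID -> exit 0 if write is granted
mode_allows_write() {
    [ "$4" -eq 0 ] && return 0            # root bypasses mode bits
    if [ "$4" -eq "$1" ]; then bit=128    # owner write bit (0200)
    elif [ "$5" -eq "$2" ]; then bit=16   # group write bit (0020)
    else bit=2                            # other write bit (0002)
    fi
    # Only one permission class applies: an owner without the owner write
    # bit is denied even if the file is world-writable.
    [ $(( 0$3 & bit )) -ne 0 ]
}

# wp_blocked_paths ROOT UID GID -> prints one unwritable path per line
wp_blocked_paths() {
    find "$1" \( -type d -o -type f \) -exec stat -c '%u %g %a %n' {} + |
    while read -r owner group mode path; do
        mode_allows_write "$owner" "$group" "$mode" "$2" "$3" ||
            printf '%s\n' "$path"
    done
}

# wp_update_mode ROOT UID GID -> "direct" when every path is writable,
# otherwise "credentials-prompt" (the situation the answer describes)
wp_update_mode() {
    if [ -z "$(wp_blocked_paths "$1" "$2" "$3")" ]; then
        echo direct
    else
        echo credentials-prompt
    fi
}
```

`wp_blocked_paths` shows exactly which paths would have to change, so write access can be granted only where the updater needs it.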