0

Disclosure: I am a developer and not a security expert

I am working on a Wordpress site for a client who is (understandably) concerned about WP security. The client will be hosting the site on their own infrastructure and their IT department that manages their servers is asking me to configure SFTP. This was raised when I gave the webserver (www-data) ownership over the WP site files.

One of the things that made me even question the benefit of SFTP was realising that you store the SFTP credentials and key details in the WP-config.php file.

The concern here, in my opinion, was that if there was a vulnerability that was exploited and the hacker managed to compromise the WP installation, they can obtain these SFTP credentials with a single line of code (file_get_contents (ABSPATH . "wp-config.php");)

So my questions is: If the server itself has no external FTP access due to their firewalls, what is the benefit of SFTP over FTP? I've read numerous nightmare issues with debugging SFTP errors with Wordpress so I'm reluctant to do so.

Daniel
  • 103
  • 3
  • That's what I thought, so if there is no FTP traffic, then SFTP won't make a difference? – Daniel May 15 '17 at 13:44
  • one obvious advantage is protection against MITM (even if it is their own infra.. If there are many employees that could be understandable) – niilzon May 15 '17 at 13:48
  • Fair enough @niilzon, if I look at webmin on the server, the FTP module isn't installed so would this still be a concern? – Daniel May 15 '17 at 13:50
  • I never deployed wordpress (ironically.. Due to its security issues never picked it !) so I can't answer your comment. But they could use FTP on the machine without using Wordpress' module to handle FTP. This also means, in the case of SFTP, that the private key would be stored elsewhere (as in : in a dir not accessible by wordpress) and a website compromise would not compromise the certificate. ALSO, if they use cert+password, stealing the cert would have no effect until the password gets compromised. So basically the security is enhanced. – niilzon May 15 '17 at 14:01
  • Ahhh, I see.. Well that alone makes a case for it, thanks @niilzon. – Daniel May 15 '17 at 14:02
  • Note that then, they would setup the SFTP, not you, so the request is a little strange. I'd discuss the matter directly with them to clarify : better look like a fool than making mistakes :) – niilzon May 15 '17 at 14:08

1 Answers1

0

Um, I think your really confused about the technologies in use. you do not use FTP at all when using SFTP. Sftp is using an SSH connection between server and client and uses the sftp protocol for the file handling. (so no ftp is being used at all).

SSH is a proven reliable and secure remote shell protocol that always multiple methodologies to not only encrypt but also to identify connections and user-sessions. You should always use a Public / Private key when using SSH for added security, but even without it SSH allready protects against MiTM and server-spoofing

(it 'knowns' the public key hash of the server after the initial connection and there for knowns when that is different and warns when that is the case).

this is all asuming you use SFTP to pull in an update.

When you push updates to your wordpress the whole security profile changes. SSH by default stores your acces permsissions in a location athat is NOT accesable by your website (the users's home or the systtesms shadow file) Also you can setup your acces in such a way that the SFTP connection is 'jailed'.

This means that the 'shell' only has acces permissions to a very limited subset of the filesystem and to none of the systems file or tools outside what is configured.

The way you are describing 'SFTP' sounds like FTPS, or TLS+FTP. that would mean that there is a FTP deamon running on the server that also has TLS capabilities (just like a HTTP deamon would have to server HTTPS sites)

Even in that situation you could have additional security from using FTPS but it is a lot harder to configure, and has all the drawbacks of FTP.

LvB
  • 8,217
  • 1
  • 26
  • 43
  • Thanks! It's very likely I'm confused here - forgive my ignorance. So using SFTP, given the ability to "jail" the certificates, would make Wordpress' downloading of core updates more secure? – Daniel May 15 '17 at 14:14
  • it all depands on whwat directing your talking about, for pulling in update from sites like update.'wordpress.org' your insuring that the server is genuine and not spoofed. this is becouse of Public key cryptograpfics that SSH uses. when its code coming from the developer to the wordpress site, than the jails come into play. and ia it part of a good and proper security system on part of the hoster. (FTP is not secure and susceptible to manupulation (even in transit) and should be avoided if at all possible, ftps is more secure but just a pain especially when compared to sftp) – LvB May 15 '17 at 14:19
  • Ok, then your and Niilzon's answer has changed my stance, thank you. That alone is enough information to justify them enabling it! – Daniel May 15 '17 at 14:20