undefined | Better HN

0 pointsdave1010uk14y ago0 comments

Turning off the ability to execute arbirary code on your server through your webserver will also stop WordPress from being able to get security updates out to the millions of sites using it.

While I much prefer going through SHH to manage my sites, there are likely 10x as many WP sites run by people who can only FTP. There isn't really an ideal solution in this situation (apart from education) so I think allowing easy updates by having weaker security may be best. Maybe there is a better solution that still works for FTP. If so, file a ticket.

The WordPress Codex is a wiki and it looks like the docs on security could do with some improvements - sign up and help out.

0 comments

2 comments · 1 top-level

nbpoole14y ago· 1 in thread

You're confusing the issue. This isn't about SSH versus FTP: it's about whether or not the Apache user running your website can also write to the filesystem inside of your document root. The Wordpress update feature is actually able to use FTP as the means of updating the site.

dave1010ukOP14y ago

That's true; I was oversimplifying the issue. Most shared hosting web hosts run PHP files with the same user that you FTP with. If WP can't update itself in these cases then the user cannot write files via FTP. If a user connects via SSH then chances are they are comfortable changing directory permissions to do an update.

j / k navigate · click thread line to collapse