How do SFTP/SSH security tools protect your site?

Sep 24, 2024


To combat these threats, putting sophisticated SFTP and SSH security options in place is vital. We have released additional security features that help improve your WordPress security. These include:

Let's explore each of these options and give an example of how each one helps you manage and safeguard your website.

1. Separate database and SFTP/SSH access for each environment

We're always looking for ways to help you avoid security risks. A good practice is never to reuse the same login credentials across multiple services and website environments.

Today, every website we host has its own database and SFTP/SSH credentials, so each staging environment and the live environment are accessed with different credentials.

Additionally, changing the password in one environment won't affect any other. This separation keeps access-control changes contained within a single environment, which improves overall security.

2. IP address login restrictions

If a developer moves location, or you need to grant temporary access from a different IP address, you can update the allowlist accordingly. Access stays restricted to trusted locations, protecting you from unauthorized access attempts.

IP allowlists are managed on the site information page of My, found under WordPress Sites > sitename > Information.

Both the SFTP/SSH panel and the Database access panel have an edit icon next to the IP allowlist label. Click that icon to add or delete the IP addresses permitted to access your database through phpMyAdmin, or to connect via shell or SFTP:

Clicking the edit icon to manage an SFTP/SSH or database IP allowlist.

Clicking the allowlist edit icon in either panel opens an Update IP allowlist dialog like the one below:

Adding an IP address to an allowlist in My.

You create an allowlist by entering valid IP addresses (for example, 45.229.77.9/32) in the Add IP addresses field and clicking the Add button. You can add several IP addresses at once by separating them with commas.

When an allowlist is active for the database or for SFTP/SSH, the permitted IPs are listed:

The IP allowlist field shows the allowed IPs.

You can also remove addresses from the IP allowlist using the trashcan icon next to individual entries, or by selecting entries with the checkboxes and clicking the red Remove IP address(es) button.

The benefit of this option is that attackers connecting from addresses that are not on the allowlist can't even attempt to log in.
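To show what an allowlist check does behind the scenes, here is an added example in Python (not code from this article or from the hosting platform). It parses a comma-separated allowlist like the one typed into the dialog, normalizes bare addresses to single-host networks, and decides whether a connecting client address is permitted. The sample allowlist reuses the article's 45.229.77.9/32; the other entries are constructed from the RFC 5737 documentation ranges. One caveat it enforces: an entry with host bits set, such as 203.0.113.7/24, is rejected rather than silently widened to the whole /24.

```python
import ipaddress


def parse_allowlist(raw: str) -> list:
    """Parse a comma-separated allowlist string into ip_network objects.

    A bare address such as "198.51.100.42" becomes a single-host network
    (/32 for IPv4, /128 for IPv6). strict=True rejects an entry whose host
    bits are set (e.g. "203.0.113.7/24"), because accepting it would
    silently allow the entire /24 instead of one host.
    """
    networks = []
    for entry in raw.split(","):
        entry = entry.strip()
        if not entry:
            continue  # tolerate trailing commas and blank entries
        try:
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            raise ValueError(f"invalid allowlist entry {entry!r}: {exc}") from exc
    return networks


def is_allowed(client_ip: str, networks: list) -> bool:
    """Return True if client_ip falls inside any allowlisted network.

    Membership across address families (an IPv6 client against an IPv4
    network) is simply False, so mixed lists are safe.
    """
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def allowlist_summary(networks: list) -> str:
    """Human-readable summary like the one the panel shows after saving."""
    return f"{len(networks)} allowed IP range(s): " + ", ".join(str(n) for n in networks)


# Constructed sample allowlist: 45.229.77.9/32 is the article's example,
# the other two entries come from the RFC 5737 documentation ranges.
SAMPLE_ALLOWLIST = "45.229.77.9/32, 203.0.113.0/24,198.51.100.42"

if __name__ == "__main__":
    nets = parse_allowlist(SAMPLE_ALLOWLIST)
    print(allowlist_summary(nets))
    for ip in ("45.229.77.9", "203.0.113.200", "198.51.100.43", "2001:db8::1"):
        print(ip, "allowed" if is_allowed(ip, nets) else "denied")
```

Running the script prints the summary and then one allowed/denied verdict per client address; 198.51.100.43 is denied even though 198.51.100.42 is listed, because the bare entry was normalized to a /32.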

3. Enhanced password protections for SFTP/SSH

Separate access for each environment and IP-restricted logins are useful security improvements, but you may need even more. In particular, there may be situations where you grant temporary access to a developer or another third-party service and forget to remove them from the IP allowlist when their work is done. This is where enhanced SFTP/SSH password controls come in.

By default, SFTP/SSH passwords generated within My do not expire. With our latest security improvements, you can now click the Edit (pencil) icon next to the Expiration date label to choose an automatic expiry option:

Choosing an expiration period for SFTP/SSH passwords.

When automatic expiry is enabled, a new password is generated at the end of your chosen period. You can reveal or copy the new password from the SFTP/SSH panel.

In addition, we now enforce stronger passwords. Default and generated passwords are more complex, which makes them harder to guess or crack. Complex passwords include lowercase and uppercase letters, numbers, and special characters, making them significantly more resistant to brute-force attacks.
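As an added illustration of the two controls just described (complexity and automatic expiry), here is a small Python example that is not the platform's own code: it generates a password that satisfies a mixed-class policy using the `secrets` CSPRNG, checks any password against that policy, estimates the brute-force search space in bits, and decides whether a password has reached its rotation date. The character set, the 16-character minimum and the 24-character default are assumptions chosen for the example.

```python
import math
import secrets
import string
from datetime import datetime, timedelta, timezone

# Character classes the policy requires. SPECIAL is a constructed set of
# punctuation that pastes cleanly into most SFTP clients.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{}:;,.?"
ALPHABET = LOWER + UPPER + DIGITS + SPECIAL
CLASSES = (LOWER, UPPER, DIGITS, SPECIAL)


def meets_policy(password: str, min_length: int = 16) -> bool:
    """True if the password has the minimum length and one char of each class."""
    return len(password) >= min_length and all(
        any(ch in cls for ch in password) for cls in CLASSES
    )


def generate_password(length: int = 24) -> str:
    """Generate a password that satisfies meets_policy() by construction.

    One character from each class is picked first, the rest is drawn from
    the full alphabet, and the result is shuffled with a CSPRNG so the
    position of the forced characters is not predictable.
    """
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)} to cover every class")
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(CLASSES))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Search space in bits for a uniformly random password of this length.

    Forcing one character per class makes the real entropy slightly lower,
    so treat this as an upper bound when comparing policies.
    """
    return length * math.log2(alphabet_size)


def needs_rotation(created_at: datetime, expiry_days: int, now=None) -> bool:
    """True once the chosen expiry period has elapsed since created_at."""
    now = now or datetime.now(timezone.utc)
    return now >= created_at + timedelta(days=expiry_days)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, meets_policy(pw), f"{entropy_bits(len(pw)):.1f} bits")
    # Constructed timestamps: a password created on the article's date with
    # a 30-day expiry, checked a week later and then a month later.
    created = datetime(2024, 9, 24, tzinfo=timezone.utc)
    print(needs_rotation(created, 30, now=datetime(2024, 10, 1, tzinfo=timezone.utc)))
    print(needs_rotation(created, 30, now=datetime(2024, 10, 24, tzinfo=timezone.utc)))
```

The rotation check is the piece worth wiring into a reminder or audit job: the panel rotates the password for you, but a developer's saved copy of the old one is still worth tracking down once `needs_rotation` flips to True.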

4. SFTP connection shortcuts

Imagine you are managing multiple WordPress environments, such as staging and production. Each environment requires its own SFTP settings. Without connection shortcuts, you must manually enter and verify these settings in your SFTP client each time you connect.

With the new SFTP connection shortcuts, you can download a configuration file for each environment and load it into your SFTP client. This ensures all parameters are correct and drastically reduces the time and effort needed to set up secure connections.

On the Site Information page in My, under WordPress Sites > sitename > Information, click the download icon next to the FTP client configuration files label to download these files as a ZIP archive. Inside the archive you'll find the following files:

Contents of a client configuration ZIP file.

Each file format is suited to a particular client, and the file name indicates which client it is for. For example:

5. Option to turn off SFTP/SSH

Suppose you've just completed a major update to your WordPress website, using SFTP and SSH to make the changes. Once the update is finished, you can turn off SFTP and SSH access until the next time you need them. That way, even if someone attempts to connect with stolen credentials, they can't get in because the service isn't running.

Many of our customers have asked for this feature, and we're happy to offer it, reducing the attack surface of their sites.

On the Site Information page in My, if SFTP/SSH is currently enabled, you'll see a Disable button in the upper right corner of the panel. Clicking it prompts you to confirm the change:

A user is asked to confirm disabling SFTP/SSH access to a WordPress environment.

When SFTP/SSH is disabled for a site, its connection details are no longer relevant, so the whole SFTP/SSH panel is greyed out and an Enable button replaces the Disable button:

With SFTP/SSH disabled, the Enable button lets you reverse that status.

This is especially useful if you only occasionally use these protocols for updates or maintenance.

6. Option to allow SFTP/SSH access with an SSH key only

By default, both passwords and SSH key pairs can be used to authenticate SSH/SFTP access to a WordPress environment. However, many of our clients have expressed concerns about the security of password-based access and prefer the robustness of SSH key authentication.

Why use SSH keys? An SSH key pair is a set of cryptographic keys used to authenticate the user. Unlike passwords, which can be guessed or leaked, SSH keys are practically impossible to brute-force, which makes them a much safer way to log in.

You can add an additional layer of protection by setting a passphrase on your SSH private key. If someone obtains your key file, they still need the passphrase to use it.

Click the edit (pencil) icon next to the Methods of authentication label to disable or re-enable password authentication. The prompt looks like this:

Key-based authentication is always available as long as SSH/SFTP is enabled. You can check or uncheck the password option before clicking the Save changes button.
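Once password authentication is switched off, the passphrase on each developer's private key becomes the remaining safeguard against a copied key file, so it is worth auditing that keys actually have one. The Python example below is added here and is not code from this article or the platform. It reads the header of an OpenSSH-format private key, where the `openssh-key-v1` blob begins with a magic string followed by the cipher name and KDF name (both literally `none` for an unprotected key), and also recognises the legacy PEM markers OpenSSL uses (`Proc-Type: 4,ENCRYPTED` and the PKCS#8 `BEGIN ENCRYPTED PRIVATE KEY` label). The sample key files are constructed header-only stubs with zero padding in place of key material; they are not real keys.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_END = "-----END OPENSSH PRIVATE KEY-----"


def _read_ssh_string(buf: bytes, offset: int):
    """Read one uint32-length-prefixed string from buf; return (value, new offset)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def openssh_cipher_and_kdf(pem_text: str):
    """Return (ciphername, kdfname) from an OpenSSH-format private key."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if lines[0] != OPENSSH_BEGIN or lines[-1] != OPENSSH_END:
        raise ValueError("not an OpenSSH-format private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    offset = len(OPENSSH_MAGIC)
    cipher, offset = _read_ssh_string(blob, offset)
    kdf, offset = _read_ssh_string(blob, offset)
    return cipher.decode(), kdf.decode()


def is_passphrase_protected(pem_text: str) -> bool:
    """True if the private key file cannot be used without a passphrase."""
    stripped = pem_text.strip()
    first_line = stripped.splitlines()[0] if stripped else ""
    if first_line == OPENSSH_BEGIN:
        cipher, kdf = openssh_cipher_and_kdf(stripped)
        return cipher != "none" and kdf != "none"
    if first_line == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True  # PKCS#8, encrypted by definition
    if first_line.startswith("-----BEGIN ") and first_line.endswith("PRIVATE KEY-----"):
        # Legacy PEM (RSA/EC/DSA or plain PKCS#8): OpenSSL marks encryption in a header
        return "Proc-Type: 4,ENCRYPTED" in stripped
    raise ValueError("unrecognised private key format")


# --- constructed samples (header fields only, no key material) -------------
def _ssh_string(value: bytes) -> bytes:
    return struct.pack(">I", len(value)) + value


def _wrap_openssh(blob: bytes) -> str:
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{OPENSSH_BEGIN}\n{body}\n{OPENSSH_END}\n"


ENCRYPTED_SAMPLE = _wrap_openssh(
    OPENSSH_MAGIC + _ssh_string(b"aes256-ctr") + _ssh_string(b"bcrypt") + b"\x00" * 16
)
PLAINTEXT_SAMPLE = _wrap_openssh(
    OPENSSH_MAGIC + _ssh_string(b"none") + _ssh_string(b"none") + b"\x00" * 16
)
LEGACY_ENCRYPTED_SAMPLE = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n"
    "\n"
    "AAAA\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, sample in (("openssh encrypted", ENCRYPTED_SAMPLE),
                         ("openssh plaintext", PLAINTEXT_SAMPLE),
                         ("legacy encrypted", LEGACY_ENCRYPTED_SAMPLE)):
        print(f"{name}: passphrase protected = {is_passphrase_protected(sample)}")
```

Point `is_passphrase_protected` at the contents of a real `~/.ssh/id_ed25519` and it reports whether the key can be used without a passphrase; it never needs the passphrase itself, since everything it reads sits before the encrypted section.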

What's the ultimate goal of these security enhancements?

We're serious about security. The ultimate goal of these security enhancements is to provide a comprehensive and robust security framework for your WordPress site.

With these SSH and SFTP tools, we aim to accomplish several key goals:

  1. Limiting vulnerabilities: each of these enhancements addresses a specific risk in remote access, password management, or unauthorized login attempts. Strengthening these areas significantly reduces the attack vectors available to malicious actors.
  2. Enhancing protection: these features work together to create multiple layers of security. From complex, auto-expiring passwords to IP-based login restrictions and key-based SSH authentication, each layer is a barrier against unauthorized access.
  3. Improving management: security shouldn't come at the expense of usability. Tools such as SFTP connection shortcuts and control over authentication methods in My let site administrators put robust security procedures in place, and keep them in place, without losing convenience.
  4. Ensuring flexibility: with choices like disabling SFTP/SSH access and separate credentials for staging and live environments, we offer options that meet a variety of operational demands while maintaining security requirements.
  5. Building confidence: knowing your WordPress website is secured by the latest security features lets you focus on developing and maintaining your site without worrying about potential security threats.

Summary

These advanced security options help secure your WordPress website, giving you peace of mind and letting you concentrate on what truly matters: developing and maintaining your site.

Joel Olawanle

Joel is a Frontend developer working as a Technical Editor. He is a passionate teacher with a love for open source and has written over 300 technical articles, mainly about JavaScript and its frameworks.