wpCop compared the dangerous web protocol FTP with its wiser sibling, SFTP, in our Web Protocols 101. The good news, for once, is how super-simple SFTP is to implement. So no excuses. 😉
Let's protect those WordPress files.
SFTP from the command line
Linux and Mac users have an SFTP-enabled terminal. Very nice, but GUIs (graphical user interfaces, the visible front-ends) are often more practical for exploring and managing files and, besides, SFTP command-line tutorials abound online and we have bigger fish to fry. Here's a reference, nonetheless:
SFTP using S/FTP clients
With an SFTP-capable FTP client, SFTP is easy to use once you have your SSL authentication keys in place. Just opt for SFTP and in the options, hook up the local private key that we created in WordPress Administration Using SSL.
For Macs, Cyberduck quacks happy by supporting SFTP, other protocols, and our keys. For Windows-based Tunneliers, again, there's a built-in SFTP option. If you really want to use another client then you can, but be aware: some clients, such as FileZilla, will adapt your key and it will no longer be passphrase protected.
The terminal-SFTP option aside, once any of these SFTP clients point to your key, their practical usage is the same as using FTP or, for that matter, is akin to using a file explorer.
Connecting up an S/FTP client
Your private key may be found automatically by the SFTP client, in which case just add a New Site in the regular way, specifying the SFTP protocol option. Because we're using the stronger keyset authentication method, no password is required, making login a breeze.
If you cannot log in automatically then edit your client's SFTP settings to add the key. So hold on, where is it?
And that's it. Just as you would have done with FTP, now log in with SFTP, and be happy that your connection credentials are properly mashed up.
Hopefully by now you've realized just how important secure web protocols are in helping to defend WordPress: where possible, swapping http for https for Dashboard login and, in the process, switching from FTP to SFTP, which is a very simple process (in practice if not in theory!). As we progress through wpCop we'll be taking full advantage of SSL and other protocols for a raft of WordPress tasks, and this initial learning curve will continue to pay off.
The next logical step, though, is to give the WordPress database a hug, securing what are by default remarkably insecure tools: administrative control panels like phpMyAdmin, so click that link for some wholesome hints.