4. SFTP & SSH

Begin by selecting a site in Hub 2.0. From that site’s dashboard, click Hosting and then SFTP/SSH to access the SFTP/SSH Accounts screen.

The page includes the SFTP/SSH connection information for the current site and a list of the existing SFTP/SSH users. From this screen members can create and delete users or change the password(s) for existing users.

The information displayed includes:

• Connection Address (Host) – This is the URL used by WPMU DEV internally to identify your site and is the required URL for SFTP/SSH connections. Many FTP clients refer to the Connection Address as the Host.
• Port number – We use port 22 for SFTP & SSH connections. This port is closed by default on all WPMU DEV hosted sites and is opened only if one or more SFTP/SSH users have been created. If you require port 22 to be closed on your site, to ensure PCI compliance for example, please ensure you only create SFTP/SSH users when needed and delete them when their job is done.
• Username – The username(s) of both SFTP and SSH users that have been created for this site. If no users have been created, the list will be empty.
• Environment – During creation, SFTP/SSH users are given access to either a production (live) site or a staging site, and that status is displayed here.
• Type – These users are either SFTP or SSH, and that designation is displayed here.
• Path Restriction – The access granted to SFTP/SSH users can be restricted to certain areas of a site’s file structure. This label indicates the type of restriction, if any, has been placed on the user. The label None indicates a user with no restrictions and with access to all site files.
• Connection Info – A convenient link created to simplify the configuration necessary to connect to a WPMU DEV hosted site via SFTP/SSH.
• Edit Password (pencil icon) – Click the pencil icon to access the edit password modal. SFTP/SSH user passwords can be changed as necessary, but user names cannot changed after creation.
• Delete – Click the trash icon to open the delete user modal.

Click the Add User button and choose SFTP User or SSH User from the drop-down menu.

In the modal that appears, enter the username you’d like for this user. Then choose whether you want to use a Password or a Public SSH Key.

For a password, you can either use the strong password that is automatically generated, or enter a custom password.

If you want to use a public key instead and need help setting that up, see Creating SSH Keys below.

Environment

WPMU DEV members whose sites we host can create a staging copy of any production site where changes can be implemented and tested before they go live. Production sites and staging sites require separate SFTP/SSH users.

Use the Environment drop-down menu to associate the new user with the correct environment.

Path Restriction

SFTP/SSH users can be restricted to specific folders within the WordPress file structure. This might allow, for example, a graphic designer to access the Uploads folder where images are stored, while preventing that person from accessing files elsewhere.

Use the Path Restrictions drop-down menu to determine the scope of a new user’s access as follows:

• None – No restrictions. User can access all site files
• wp-content – Grants access to the wp-content folder, which contains all uploaded files, plugin files, theme files, the site index, and language files
• Plugins – Grants access to the Plugins folder only
• Themes – Grants access to the Themes folder only
• Uploads – Grants access to the Uploads folder only
• Custom – Grants access only to a custom directory inside the public_html directory that you specify in an additional field that appears when you select this option. See details below.

When you’re ready, click Add User and the new SFTP/SSH user will be created.

Custom Path

When you select to restrict user access to only a specific directory, you must ensure that:

• The directory already exists inside the public_html directory; this tool cannot create a directory for you.
• You enter only the path to that directory after public_html, without a trailing slash.
• You use only allowed characters in the path/directory name: (A-Z, a-z), digits (0-9), spaces, underscores (_), hyphens (-), or slashes (/).
• The entire custom path is no more than 120 characters long.

For example, let’s say the directory you wish to specify exists at this location: ~~~/public_html/wp-content/custom_path

You would enter only wp-content/custom_path in the field that appears when you select this option.

Note that if a user is created with a custom path and later that custom directory is deleted, the user account will remain active, but they will not see any files and won’t be able to upload files since the path/directory no longer exists. However, if the directory specified in the custom path is recreated later, the user will be able access and upload files again to that directory.

The following information, located near the top of the SFTP/SSH Accounts page, is required to connect SFTP/SSH users to a site:

• Connection Address (Host) – This is the URL used by WPMU DEV internally to identify the current site, and is frequently referred to as the Host or the Host Address. Regardless of how many domains may be associated with a given site, the Connection Address/Host displayed on the SFTP/SSH Accounts page is the only URL that can be used to connect to that site via SFTP/SSH.
• Port number – The port associated with the current site.
• Username – The username for the SFTP/SSH user being connected.
• Password – Click the pencil icon next to any SFTP/SSH user to view that user’s password.

These credentials must be entered into the relevant fields in an FTP client to connect to the site, as shown in this Filezilla example.

Quick Connect Link

Click the View Connection Info button next to any SFTP/SSH user to reveal a quick link created for that user.

The quick link, when copied into an FTP client or terminal application, identifies the site and the user to be connected.

The site’s port and SFTP/SSH user password are still required when using the quick link.

You can access and manage the files on your server using the File Manager. But as an advanced user, you might want to perform advanced tasks such as debugging, editing, or adding new files on your server using a code editor via SFTP.

In our managed hosting for WordPress, it is not possible to directly access the database except by using the Manage Database options in your Hub.

However, advanced users may have the need to access their database from some other client application. This is where SSH tunneling comes in handy.

SSH tunneling enables you to remotely connect to your site’s database and securely perform any needed tasks from within your preferred application.

Regardless of the application you use for an SSH tunnel, all you need is an SSH account and the access credentials to your database.

Step 1

Create an SSH user for the environment you need – production or staging – as detailed in Creating SFTP/SSH Users above. Then copy the following credentials as seen in Connection Info above:

• Connection Address (used for the hostname in most applications)
• Port (should always be 22)
• Username
• Password

Step 2

Access the wp-config.php file for the corresponding environment, and copy the following credentials (depending on the application you’re using, you may or may not need all of these; see the examples below):

• DB_HOST
• DB_USER
• DB_PASSWORD

Note that the DB_HOST includes both the localhost IP address (127.0.0.1) and the port needed to connect to your database. You’ll want to be sure to use the correct port for either your production or staging site’s database.

• Production port: 3306
• Staging port: 3307

You can access the wp-config.php file for your production environment using the Manage Files option found under the Tools tab in your Hub.

Access the wp-config.php file for your staging environment using the Manage Files option under the Staging tab in your Hub.

Note that if you need credentials for both environments, you can switch between production and staging directly in the File Manager once you’ve accessed it.

Step 3

Open your preferred desktop application and enter your SSH & database credentials. Of course, the interface will vary according to the application used, so we’ve provided a few setup examples below.

This chapter provides examples for creating a public SSH key using either of 2 methods:

• PuTTY for Windows
• Command Line for Windows, Mac or Linux

Regardless of the method you use to generate an SSH key, including a passphrase is optional. It is of course highly recommended to include one to prevent unauthorized use of your Public Key.

You’ll want to remember your chosen passphrase as you’ll need it when connecting using the public key you create. We recommend using a password manager like LastPass or similar.

Note that in some instances, you may want to create a key without a passphrase; for example, if you are creating one for CI/CD use.

PuTTY for Windows

We’ll assume you already have PuTTY installed on your computer.

1. Open the PuTTYgen Key Generator program.
2. Select RSA as the Type of key to generate at the bottom of the window.
3. Click the Generate button.

You’ll be prompted to move your mouse around the blank space to get some randomness, and will then see your new key displayed.

Enter and confirm the optional Key passphrase (or password) that you would like to use with your key in the fields provided.

Then click the Save public key and Save private key buttons, and save the files in a location of your choice on your computer.

Finally, copy the entire contents of the box under Public key for pasting into OpenSSH authorized_keys file, and paste that into the Public Key box in your Hub when adding or editing your SSH user. Then click Save or Update.

Now when you enter the quick connect link in your terminal or SSH app, your public key will be used for authentication.

Command LIne for Windows, Mac or Linux

In your terminal, shell or command prompt utility, Enter the following command.

ssh-keygen -t rsa

The tool will generate a public/private key pair and you’ll be prompted to accept the file location suggested, or enter a new location of your choice. Then click Enter.

You’ll then be prompted to enter & confirm the passphrase to use for your SSH key. Note that what you enter at this step will not be visible on-screen, so be sure to type accurately.

If no passphrase is needed, simply click Enter at each prompt without typing anything in.

You should then see confirmation that the key has been saved in the specified location.

Navigate to that .pub file on your computer and open it in a text or code editor.

Copy the entire contents of that file and paste it into the Public Key box in your Hub when adding or editing your SSH user. Then click Save or Update.

Now when you enter the quick connect link in your terminal or SSH app, your public key will be used for authentication.

If you still have questions or need assistance after reading this document, please don’t hesitate to contact our support superheroes using the available options under the Support tab in your Hub or via the Support tab in your WPMU DEV Dashboard.