Allow SFTP Access to all your WordPress Sites
You have many WordPress installations in a single folder. You want SFTP access to their parent folder, for easy wp-content replacement or anything else.
You might have come across the DO article on ‘How to Enable SFTP without Shell Access’, and be wondering how you could adapt the setup for your own. Here we go.
Let’s proceed with these assumptions:
- You have all your WordPress installations in the folder /var/www/wordpress
- In there, you have /var/www/wordpress/website1, /var/www/wordpress/website2, etc.
In summary, here are the key points of what you would want to do:
- The folder /var/www must be owned by root.
- The folder /var/www/wordpress must be owned by www-data, because that’s what’s used for our WordPress installations, for easy access by Nginx.
- We therefore set the file permission 755 on the /var/www folder, which says that only root has read, write and execute access, while any other user can read and execute.
- Then add the user to the www-data group.
- Last but not least, configure your sftp via your sshd_config.
Now, the steps in detail.
Who Owns What
Usually, /var/www is created by default on any system with Nginx installed.
We simply need to create our wordpress/ folder, assuming it doesn’t exist, and put our WordPress installations in there.
sudo mkdir -p /var/www/wordpress/website1
We change the /var/www/wordpress folder to be owned by www-data:
sudo chown -R www-data:www-data /var/www/wordpress
Let’s therefore set the file permission on /var/www, assuming that’s not already done:
sudo chmod 755 /var/www
Next, let’s add our user to the www-data group:
sudo usermod -a -G www-data user
SFTPness it All
Match User user
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /var/www
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
You’re done.
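sshd only accepts a ChrootDirectory when every component of the path is a directory owned by root and not writable by group or others, which is why /var/www stays with root at 755 in the steps above. The check below is an added example, not part of the original article: the function names dir_ok and chroot_ok are made up here, and it assumes GNU stat (as found on Debian/Ubuntu).

```shell
#!/bin/sh
# Added example: audit a ChrootDirectory path before pointing sshd at it.
# Usage (as an assumption about how you save it): sh check-chroot.sh /var/www

# dir_ok DIR [UID]: succeed if DIR is a directory owned by UID (default 0, root)
# and carries no group-write or other-write permission bit.
dir_ok() {
    dir=$1 want_uid=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a directory"; return 1
    fi
    uid=$(stat -L -c %u "$dir")     # numeric owner
    mode=$(stat -L -c %a "$dir")    # octal mode, e.g. 755
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $dir: owner uid $uid, expected $want_uid"; return 1
    fi
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL $dir: mode $mode is group/other writable"; return 1
    fi
    echo "ok   $dir (uid $uid, mode $mode)"
}

# chroot_ok PATH [UID] [TOP]: run dir_ok on PATH and on each parent directory
# up to TOP (default /). Reports every failing component, not only the first.
chroot_ok() {
    p=$1 want=${2:-0} top=${3:-/} rc=0
    while :; do
        dir_ok "$p" "$want" || rc=1
        if [ "$p" = "$top" ] || [ "$p" = / ]; then break; fi
        p=$(dirname "$p")
    done
    return $rc
}

# Only audit when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    chroot_ok "$@"
fi
```

Note that /var/www/wordpress itself sits below the chroot, so it can stay owned by www-data; only /var/www and its parents are subject to this rule.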
Conclusion
To test if our setup is working fine, simply try to log in as user via localhost, like so:
user@server:~$ ssh user@localhost
user@localhost's password:
This service allows sftp connections only.
Connection to localhost closed.
Should you see the above, then all is fine.
I hope this helps. See you in the next one.