Saw an interesting blog post on Twitter today about storing WordPress FTP information in wp-config.php. The article was written in German so I sent the author an email to ask if he’d mind me translating it. Phil, the author, very kindly said yes – so my translation is below.
Since the addition of the automatic updates in the WordPress core became available, there has been the possibility of FTP data in the backend. Then you can get both plugins and the core by clicking on the date. However WordPress then stores the login information in the blog database. This can be a potential security issue. If someone were to gain access to your database then they would also have access to your entire server. One way of reducing the risk is to use the approach outlined below.
The wp-config.php file can be used to define constant values so that the usage of a database can be removed. This makes the database smaller, and so improves site performance. For the FTP access the constants are as follows and should be added to the bottom of your wp-config.php file:
define('FTP_HOST', 'ftp.example.org'); define('FTP_USER', 'username'); define('FTP_PASS', 'password');
For a secure connection add the following line (default: false):
If the WordPress installation is not in the root directory of the FTP server you can define the location as follows:
Have you moved the plugin directory or all of the content folder? You can also specify the full path using these two constants:
define('FTP_CONTENT_DIR', '...'); define('FTP_PLUGIN_DIR', '...');
Finally, you can also adjust the method to be used by WordPress for the file system. This often hides errors if something goes wrong with the file permissions. You should only change this value if errors occur, most of the time the default will work just fine.
The following methods are possible:
- direct (default) – PHP file system functions
- ssh – SSH PHP Extension
- ftpext – FTP PHP Extension
- ftpsockets – PHP socket extension
The constants FTP_PUBKEY, FTP_PRIKEY display the paths to the SSH public key and private key SSH specify.
Delete existing data
If you’re unsure whether access data already stored on WordPress, you can search the WordPress options in the database using the following page on your website:
There you should search for the entry: ftp_credentials
If this is present, you have already stored the FTP data in your database. You can delete it by simply removing the value in the ftp_credentials field on the options page, then scrolling to the bottom, and pressing save. You should be very careful doing this though as there is potential for your website to be broken when doing this.
Further Information can be in the WordPress Codex: