Introduction

When working with WordPress in a more secure environment where websites are not entirely world-writable, you will notice upgrades request FTP or FTPS credentials as the server itself does not typically have write access in properly-configured environments. Entering these credentials for every upgrade can become quite tedious, and WordPress has implemented some constants you can define within wp-config.php to make upgrades automatic.

It should be noted here that you can also make upgrades automatic by setting the file ownership of all files within the WordPress directory to the same user/group under which the webserver is running. THIS IS HORRIBLE SECURITY PRACTICE!

While storing your FTP credentials for a specific user can also be considered insecure in certain instances, it can be a very safe method to automate WordPress updates under the proper conditions. Some general considerations which can make stored credentials MUCH more secure include:

FTP:

1. Creating a separate user and restricting its access to only allow connections from localhost
2. Ensuring your FTP daemon is “chrooting” the user to their own directory only
3. Configuring your FTP daemon to listen only on localhost, thus preventing external connections
4. Using something more secure than FTP, such as SSH — Yes, we realize this one does not actually improve FTP security

SSH:

1. Creating a separate user (usually an alias with the same UID, different GID) and restricting access to only localhost for this specific user in sshd_config with the AllowHosts option
2. Creating some advanced SSH configuration such as chrooted SFTP-only users
3. Using public key authentication, which can be further secured by specifying a “from” address in the user’s authorized_keys file

There are several other ways one can make their FTP/FTPS or SSH setup more secure, but they are far beyond the scope of this post and can vary greatly in their application due to the hosting environment and several other factors. We are going to assume you’re already working with a secure setup for the purposes of this guide.

WordPress Upgrade Constants

From the WordPress Codex, the following constants are available to define FTP and SSH credentials in wp-config.php:

FS_METHOD This setting forces the filesystem (or connection) method, and you probably won’t need to adjust or define it. It can be one of: “direct”, “ssh2″, “ftpext”, or “ftpsockets”. WordPress will automatically determine the proper method using the following preferential order:
—(Primary Preference) “direct” causes the use of direct file I/O requests from within PHP, but this requires the webserver to have write access to your WordPress installation, which is NOT recommended. This setting will be chosen automatically when the permissions allow.
—(Secondary Preference) “ssh2″ allows forcing usage of the SSH2 PHP extension if installed (via PECL).
—(3rd Preference) “ftpext” allows forcing the usage of the FTP PHP extension (this is usually the default when you connect via FTP/FTPS).
—(4th Preference) “ftpsockets” utilizes the PHP sockets class for FTP access (far less common, but can resolve FTP connection issues in rare cases).

FTP_BASE is the full path to the “base” (absolute path) folder of your WordPress installation.

FTP_CONTENT_DIR is the full path to the wp-content folder of your WordPress installation.

FTP_PLUGIN_DIR is the full path to the plugins folder of your WordPress installation.

FTP_PUBKEY is the full path to your SSH public key.

FTP_PRIKEY is the full path to your SSH private key.

FTP_USER is either your FTP or SSH username, depending on which method you use.

FTP_PASS is the password for the username entered for FTP_USER. If you are using SSH public key authentication, this can be left blank.

FTP_HOST is the hostname[:port] combination for your SSH/FTP server. The default FTP port is 21 and the default SSH port is 22. You only need to specify the port if using a non-standard one.

FTP_SSL is only for FTPS connections, and should not be defined unless you have already configured your FTP daemon to support TLS. Note – SFTP is NOT the same thing, so make sure you do not confuse the two.

Here’s an example of the most common configuration options with sample values so you can see the proper method of defining them within wp-config.php:

define('FS_METHOD', 'ftpext');
define('FTP_BASE', '/path/to/wordpress/');
define('FTP_CONTENT_DIR', '/path/to/wordpress/wp-content/');
define('FTP_PLUGIN_DIR ', '/path/to/wordpress/wp-content/plugins/');
define('FTP_PUBKEY', '/home/username/.ssh/id_rsa.pub');
define('FTP_PRIKEY', '/home/username/.ssh/id_rsa');
define('FTP_USER', 'username');
define('FTP_PASS', 'password');
define('FTP_HOST', 'ftp.example.org');
define('FTP_SSL', false);

To configure FTP/FTPS, you simply define the necessary constants from the list above in wp-config.php. A minimal configuration requires at least FTP_BASE, FTP_USER, FTP_PASS and FTP_HOST (usually 127.0.0.1). Enter these required constants, also adding FTP_SSL (true) if using FTPS, then your next upgrades should be automatic, and you should no longer be prompted to enter these details.

Enabling SSH support in WordPress Using the PECL SSH2 extension

Most users are not aware of this, but WordPress already supports SSH connections in addition to FTP/FTPS by simply enabling the SSH2 extension in PHP. Let’s begin by installing the SSH2 extension via PECL.

On RHEL/CentOS, you will need the php-devel, php-pear and libssh2/libssh2-devel packages and a working compiler/development libraries if you installed PHP via Yum (RPM-based installation):

# yum install php-devel php-pear gcc gcc-c++ make automake autoconf pcre-devel re2c libssh2 libssh2-devel

With the necessary prerequisites installed, you can now use the CLI tool ‘pecl’ to automagically install the extension for you:

# pecl install ssh2-0.12

The reason we need to define the version here is to avoid an error message about the extension being in “beta,” since there was never a release of this particular extension that was labeled as “stable.” Once the installation completes successfully, you’ll be presented with a success message that instructs you to enable the extension in php.ini. When using CentOS, each extension’s INI file is stored separately from the main php.ini for cleanliness and easy addition/removal of extensions. To update /etc/php.d/ssh2.ini, we will use the following command:

# echo "extension=ssh2.so" > /etc/php.d/ssh2.ini

Now, running ‘php -m’ should show the SSH2 extension in the list of extensions. If you see it there, you must now restart your PHP processor (we’ll assume it’s Apache):

# /etc/init.d/httpd restart

You now have the SSH2 extension installed and enabled. If you have not already entered any constants in wp-config.php, you can attempt an upgrade or plugin installation/deletion and you will now see a new radio button that says SSH, in addition to the FTP and FTPS choices you’ve always had. To complete this configuration, you can now just enter the same minimal options used above, possibly including the FS_METHOD constant (ssh2) to ensure only SSH connections are attempted. However, we assume you would rather use the most secure method you can, so let’s configure SSH with public key authentication.

We’ll start by generating a public/private keypair, which we will later define in wp-config.php:

# ssh-keygen -t rsa -b 4096

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /home/user1/wp_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user1/wp_rsa.
Your public key has been saved in /home/user1/wp_rsa.pub.
The key fingerprint is:
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx root@server1.example.com

The location of the keys should be somewhere outside of your webroot, so the user’s home directory is usually a safe choice. You should NOT enter a password here, as there have been many issues getting passworded SSH keys to work properly with WordPress. After creating the keypair, we need to make it readable by the webserver (we’ll assume your webserver runs under the “apache” user for simplicity):

# chown user1:apache /home/user1/wp_rsa
# chown user1:apache /home/user1/wp_rsa.pub
# chmod 0640 /home/user1/wp_rsa
# chmod 0640 /home/user1/wp_rsa.pub

Next, you just need to edit wp_rsa.pub to specify the ‘from=’ option and add the contents to the authorized_keys file in /home/user1/.ssh/authorized_keys:

# vim /home/user1/wp_rsa.pub

You can use whichever editor you please (vi, nano, emacs, etc), so there’s no need to cry. Once you’ve opened the file, add the following ‘from=’ restriction at the beginning of the line (there should only be one very long line) right before ssh-rsa and the key data:

from="127.0.0.1" ssh-rsa ...

Now, we can actually place the public key’s contents in the user’s authorized_keys file:

# mkdir /home/user1/.ssh
# chown user1:user1 /home/user1/.ssh/
# chmod 0700 /home/user1/.ssh/
# cat /home/user1/wp_rsa.pub >> /home/user1/.ssh/authorized_keys
# chown user1:user1 /home/user1/.ssh/authorized_keys
# chmod 0644 /home/user1/.ssh/authorized_keys

As long as PubkeyAuthentication is enabled in sshd_config (default), you should now be ready to configure wp-config.php for automatic SSH upgrades:

define('FTP_PUBKEY','/home/user1/wp_rsa.pub');
define('FTP_PRIKEY','/home/user1/wp_rsa');
define('FTP_USER','user1');
define('FTP_PASS','');
define('FTP_HOST','127.0.0.1:22');

From now on, installing/removing/upgrading WordPress and its plugins should no longer prompt you for credentials. Happy blogging!

The day after Hurricane Sandy six weeks ago, all ServerStack employees found themselves without power, heat, hot water, or access to gas.

In the days after Hurricane Sandy six weeks ago, all ServerStack servers and sites continued to maintain the perfect uptime record that they have held for nearly a decade.

On Monday, December 4^th, Netcraft ranked ServerStack 7^th in its list of November’s Most Reliable Hosting Sites. The list compared hosting sites from across the US, proving that even in the worst Northeast Storm of this century, ServerStack can still hold its own.

ServerStack was able to maintain its standard “White Glove” managed hosting experience because the company’s preparation and adaptability kept customers sites running while the roads of New York were being cleared of flood debris. ServerStack employees who could get out of their apartments, commuted daily to one of the few wired workspaces in the blacked out New York City, while those were locked into their homes kept ServerStack’s sites going strong because they had been equipped with 3G wireless cards in preparation. While New Jersey, where the datacenter is located was still working to pull itself out from under weight of sand and water, ServerStack leveraged its out-of-band access to avoid traveling across the rough NJ conditions.

As Serverstack employees did everything they could to stay connected and responsive to customers’ requests, the company’s 100% uptime was guaranteed by its partnership with an experienced and proactive data center. Equinix, located in North Bergen, NJ, has worked for years to secure the server hardware against potential issues. Quarterly tests of battery power and backup generator capabilities prepared Equinix for the conditions brought on by Sandy, while during the storm itself, datacenter employees made sure that diesel flowed to the back of the generators— a backup for the backup. The east coast, home to nearly annual snowstorms and blisteringly hot summers, does not have a history of severe flooding. Nonetheless, the datacenter was built high above ground level and far from bodies of water to ensure that, in the rare event of a storm like Sandy, the servers would not be affected by rising floodwaters.

And so, the years of drills and preparation paid off—ServerStack has proven that it can maintain perfect uptime not just in easy weather, but also under the most stressful conditions.

Companies distinguish themselves by the way they handle adversity. Investing in the strongest server infrastructure and preparing for the worst case scenario at all times, ServerStack was able to continue serving 200 Million page views a day while the east coast remained locked in, powered off, and very, very, cold.

Yes, there are a lot of options in the crowded managed hosting space. However, if you are considering a managed hosting provider, there are few important questions that you will need to answer:

1) Are they reliable and stable?

2) What is the level of support that I will be receiving?

3) Will my site be able to scale effectively while experiencing maximum performance?

Sometimes, these question can be difficult to answer and that is why we’ve gone ahead and answered them for you. =]

Answer #1: ServerStack’s SLA guarantees that your website will experience 100% uptime in any give month, excluding scheduled maintenance. Any experienced downtime would immediately be reimbursed back to the customer. No questions asked! We have seven of the best data centers across the US and Europe, with flagship locations in New Jersey and Amsterdam.

Answer #2: ServerStack takes pride in setting the standard in the managed hosting industry by providing the best support out there. ServerStack likes to refer to our level of support as “White Glove” service. The kind of high-end support that will bend over backwards to answer and resolve any issue while at the same time, insuring that your site is being properly monitored, managed, backed-up, and optimized 24/7. No other managed hosting provider can compete on the level of service that we provide. How do we do this? It is simple. Our 24/7 support team is comprised of system administrators and engineers that manage your dedicated servers around the clock. Unfortunately, if you go with a large managed hosting provider, 99% of the time you will have to speak to the first “layer” of support that will have to escalate any major issues to the layers above them for it to be resolved. Yes, this is the harsh reality.

We are so confident that you will be pleased with our level of support that we offer all customers a Support Guarantee! This guarantee states that if you are not fully satisfied with our support, at anytime, we will fully refund your money and give back your data. No cancellation/termination fee will be applied.

Answer #3: ServerStack is the industry leader in scaling web infrastructures. Ok, ok – we know, everyone says that they are the “Leader.” How can we be so sure, right?! Well, it is simple. We’ve scaled the largest website out of any hosting provider in the world…period. And here is how we did it! The site now receives approximately 150 million pageviews per day and is an Alexa Top 50 website. This website started out with a single dedicated server and grew to a multi-cluster configuration that is managed by the ServerStack team.

If you are at all hesitating to try us out…please don’t! We are willing to offer your first month of managed hosting for free. No set-up fee or contract required. You can cancel at anytime.

If you have any additional questions, feel free to contact our sales department or stop by our office in downtown Manhattan (SoHo) to say hello.

Why use Load Balancing to Speed Up, Protect and Grow your Hosted Website

At its most basic form Load Balancing allows you to distribute requests to multiple dedicated servers. This can be web requests for your popular blog, ad network, or social media site or a different protocol like memcache or MySQL. Server Load Balancing automatically provides 2 benefits – increased capacity, and high availability. For increased capacity requests are now sent to an unlimited amount of real servers, instead of being sent to a single machine. Secondly, if one of the application servers is unavailable, the Load Balancer is smart enough to direct traffic to the remaining online dedicated servers thereby allowing your website or application to survive individual server failures and deliver high availability.

The following are 7 common advantages to using Load Balancers in your hosted web service, we provide all of them with full configuration, monitoring and maintenance. This means you get enterprise level service at only $100/server allowing you to scale with ease.

1. Handle more requests than a single dedicated web server will allow.

2. Increase site uptime and availability by protecting against server failure.

3. Serve a static recovery error page if all dedicated servers are unavailable.

4. Distribute traffic based on system load for each load balanced server.

5. Load Balancing can be used as an effective Firewall method protecting the real IP address of your dedicated servers.

6. Protection against DDoS attacks and using server resources only for legitimate traffic requests.

7. Offload SSL Encryption to the Load Balancer instead of the web server.

Our Load Balancing service starts at just $100/month per server and with all of the great features listed above it is a vital part of healthy web infrastructure. The best part about our Load Balancing service is that we fully manage the configuration, monitoring and maintenance of the service ensuring that you always get the best possible performance and reliability from your dedicated servers. If you have any questions feel free to contact us, or review the Load Balancing product page for more details.

Managed Technical Support

Instead of dedicating themselves to server maintenance, customers of managed hosting receive full 24×7 technical support. This extends further than simply the consistent availability of live support to address server issues (via phone, email, and instant messaging clients); it includes other benefits, such as operating system and full application management. Managed servers are always kept up to date with the latest OS updates and security patches; all business applications running on the servers are supported, managed, and optimized to run quickly without downtime.

Proactive Monitoring

A managed hosting company monitors all aspects of server activity to make sure that valuable content stays online. Whether investigating a traffic spike from a marketing campaign or an unauthorized hot link to a client’s site, a managed hosting company is aware of unusual activity and can appropriate steps to ensure the website or application is always available. Server management includes URL content monitoring, which checks that the site is not only online but that the web pages load correctly, an essential function for keeping the content of websites with complex applications and critical pages consistently available to visitors. Outsourcing the task of managing a server provides the client with security that, at every point in time, technical support staff is ready to address any technical issues to ensure that the customer’s information is online and accessible.

Network Security

Maintaining a server’s security is essential. On managed servers, the hosting company takes over the laborious task of protecting it from trojans, hackers, and spammers. The stored information is protected with Firewall services and regular server vulnerability scans. Employing hardened Linux server configurations, the hosting company creates a secure environment protecting the customer’s data with VPN connectivity, secure SSH connections, and additional multi-factored authentication.

Server Optimization

Not all server issues arise from a malicious source like viruses or targeted attacks by hackers. There are many reasons why dedicated servers may not be running at peak capacity, and a key benefit of managed hosting is optimizing server performance. Using SNMP to collect performance metrics in real time regarding CPU utilization, load averages, RAM utilization, and hard drive usage, a managed hosting company provides the right service configuration for each customer’s traffic levels. Optimization also includes troubleshooting application performance and OS level issues to ensure reliable service availability.

Web Scalability

When a site or business begins to require stronger server infrastructure to keep up with its needs, managed hosting makes the transition from a single dedicated server to a multi-server cluster simple. The advantage of a technical support staff expanding the capacity of a dedicated server comes from its best practices approach to growing resources. They make sure that separate servers are optimized for specific tasks as database, web, or application processing servers. Once the content is migrated from one to many servers, the company can implement load balancing to maintain an efficient distribution of traffic across the servers. The technical staff performs all these motions, and the server’s user is never tasked with changing configurations or managing the technical aspect of their increased server capacity.

Managed Hosting Server Migrations

Managed hosting companies help the client by migrating their content, databases, and software configuration. When done correctly, it provides for zero-downtime migrations, where the customer can switch DNS after the technical staff has adapted the website’s setup and performed a resource review, ensuring the new server will run based on the company’s best practices.

Automatic Server Backup

As information continues to grow keeping data secure in the case of hardware failure, accidental deletion, developer error, or attack intrusion is of the utmost importance. A managed server hosting company performs automated daily backups and saves the data separately, making the files and databases available for immediate retrieval in the case of disaster. In addition to all server files, databases are backed up via their native mechanisms to ensure data integrity. Backups are performed daily, storing incremental data and allowing quick and easy file recovery.

Total Cost of Ownership (TCO)

Managed server hosting may seem more expensive than having an unmanaged server, however, the costs are not directly comparable. Unless the client has a background of the proper technical knowledge, skills, and training, and the time to allocate to optimizing their applications, monitoring their server traffic, creating systematic backups, continually upgrading their OS, and ensuring their server remains secure against malicious entities, they would still have to hire IT personnel to manage the server. Managed server hosting provides lower total cost of ownership and enables the customer to achieve more than they would on their own. The customer has the security of a powerful and highly available server without the price tag attached to having an in-house team supporting it.

Contact us to discuss a fully managed hosting solution that will fit your specific needs.