WordPress Plugin Updates Without FTP: SFTP SSH Key Configuration

WordPress requests FTP credentials when it lacks direct write access to your installation directory. To resolve this without requiring traditional FTP, you can configure WordPress to use SFTP via SSH keys through three primary methods: installing the SSH SFTP Updater Support plugin, enabling the built-in SSH2 filesystem method, or configuring direct file access. Each method allows WordPress to authenticate and update plugins using your SSH keys instead of requiring FTP login information.

Contents

• Why WordPress Requests FTP Data and How to Fix This
• Method 1: Using the SSH SFTP Updater Support Plugin (Recommended)
• Method 2: Built-in SSH2 Filesystem Method
• Method 3: Direct File Access Method
• Configuring SSH Keys for WordPress Authentication
• Troubleshooting Common SFTP/SSH Authentication Issues

Why WordPress Requests FTP Data and How to Fix This

WordPress requests FTP credentials when it doesn’t have direct write permissions to your installation directory. This security measure prevents unauthorized file modifications but creates inconvenience for administrators who need to update plugins, themes, or WordPress core. The FTP prompt typically appears during plugin installations, updates, or when WordPress needs to modify files in the wp-content directory.

When WordPress attempts to update plugins but lacks direct write access, it falls back to FTP/SFTP as a transfer method. However, if your server only supports SFTP via SSH keys (not standard password-based SFTP or traditional FTP), you need a specialized configuration to enable these updates without requiring FTP login information.

The core issue stems from WordPress’s filesystem abstraction layer, which supports multiple methods to access and modify files. By default, WordPress tries to use the most direct method (direct file writes), but when that fails, it prompts for FTP credentials. To resolve this with SFTP via SSH keys, you need to configure WordPress to recognize and authenticate through your SSH keys instead of requiring username/password combinations.

Understanding this mechanism is crucial because the solution depends on your server environment and security requirements. Some methods work better for shared hosting environments, while others are more suitable for dedicated servers or VPS configurations where you have greater control over server settings.

Method 1: Using the SSH SFTP Updater Support Plugin (Recommended)

The SSH SFTP Updater Support plugin is the most straightforward solution for enabling WordPress plugin updates via SFTP with SSH keys authentication. This plugin extends WordPress’s filesystem methods to support SSH/SFTP authentication through keys, eliminating the need for FTP credentials during updates.

Installation and Basic Configuration

1. Download the plugin manually: Since WordPress currently prompts for FTP credentials, you’ll need to download the plugin manually from the official WordPress repository. Download the ZIP file to your local computer.

2. Upload via temporary method: Use your hosting control panel’s file manager or temporary FTP access to upload the plugin to your /wp-content/plugins/ directory.

3. Activate the plugin: Navigate to your WordPress admin dashboard, go to Plugins > Installed Plugins, and activate the “SSH SFTP Updater Support” plugin.

Configuring SSH Keys for the Plugin

After activating the plugin, you need to configure it to use your SSH keys instead of requiring password authentication:

1. Generate SSH keys (if you haven’t already):

• If you don’t have SSH keys, generate them on your local computer:

ssh-keygen -t rsa -b 4096

• This creates a public key (typically ~/.ssh/id_rsa.pub) and a private key (~/.ssh/id_rsa).

2. Upload your public key to the server:

• Access your server via SSH
• Create a .ssh directory in your home directory if it doesn’t exist:

mkdir -p ~/.ssh
chmod 700 ~/.ssh

• Append your public key to the authorized_keys file:

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

3. Configure WordPress to use SSH keys:

• Add the following configuration to your wp-config.php file:

define('FS_METHOD', 'ssh2');
define('FS_SSH2_PKEY_FILEPATH', '/home/username/.ssh/id_rsa');
define('FS_SSH2_PKEY_PHRASE', 'your_key_phrase_if_any');

• Replace /home/username/.ssh/id_rsa with the actual path to your private key on the server
• If your SSH key has a passphrase, include it in FS_SSH2_PKEY_PHRASE

Alternative Configuration via Constants

For more complex setups, you can configure the plugin using additional constants in wp-config.php:

// Enable SSH2 filesystem method
define('FS_METHOD', 'ssh2');

// Path to SSH private key
define('FS_SSH2_PKEY_FILEPATH', '/path/to/your/private/key');

// SSH key passphrase (if any)
define('FS_SSH2_PKEY_PHRASE', 'your_key_passphrase');

// SSH host
define('FS_SSH2_HOST', 'yourserver.com');

// SSH port (default is 22)
define('FS_SSH2_PORT', 22);

// SSH username
define('FS_SSH2_USERNAME', 'your_ssh_username');

// Connection timeout in seconds
define('FS_SSH2_TIMEOUT', 10);

Testing the Configuration

After configuring the plugin and SSH keys:

1. Try updating an existing plugin or installing a new one through the WordPress dashboard
2. If prompted for FTP credentials, your configuration needs adjustment
3. Check your PHP error log for any SSH or SFTP-related errors
4. Verify that your web server user has read/write permissions to the WordPress installation directory

Advantages of This Method

• No server modifications required: Works on most shared hosting environments
• Secure authentication: Uses SSH keys instead of passwords
• Minimal configuration: Only requires plugin installation and basic setup
• WordPress-native: Integrates seamlessly with WordPress’s update mechanism
• Comprehensive support: Works for plugins, themes, and core updates

This method is particularly recommended for users who don’t have root access to their server or prefer not to modify server-level configurations. The plugin handles the SSH/SFTP authentication transparently, allowing WordPress to function normally without FTP credential prompts.

Method 2: Built-in SSH2 Filesystem Method

WordPress includes a built-in SSH2 filesystem method that can be enabled directly through configuration without installing additional plugins. This approach leverages PHP’s SSH2 extension to provide SFTP access via SSH keys, offering a native WordPress solution to the FTP credential problem.

Prerequisites for This Method

Before implementing this method, ensure your server environment meets these requirements:

1. PHP SSH2 extension installed: Your PHP installation must have the SSH2 extension enabled. Check by creating a PHP info file:

<?php phpinfo(); ?>

Look for “SSH2” in the output. If not present, you’ll need to install it:

• For Ubuntu/Debian: sudo apt-get install php-ssh2
• For CentOS/RHEL: sudo yum install php-pecl-ssh2
• For cPanel environments: Use WHM > EasyApache > Select PHP version > Enable SSH2

2. SSH server configured: Your server must have SSH server running and accepting connections

3. SSH keys generated and configured: You need SSH keys set up for authentication (as described in Method 1)

4. Proper file permissions: The web server user needs appropriate permissions to access SSH keys and WordPress files

Configuring WordPress for SSH2 Filesystem

To enable the built-in SSH2 filesystem method:

1. Edit your wp-config.php file: Add the following constants before the “That’s all, stop editing!” line:

// Use SSH2 filesystem method
define('FS_METHOD', 'ssh2');

// Path to SSH private key on the server
define('FS_SSH2_PKEY_FILEPATH', '/home/username/.ssh/id_rsa');

// SSH key passphrase (if your key is protected)
define('FS_SSH2_PKEY_PHRASE', 'your_key_passphrase');

// SSH host (usually your server's domain or IP)
define('FS_SSH2_HOST', 'yourserver.com');

// SSH username
define('FS_SSH2_USERNAME', 'your_ssh_username');

// SSH port (default is 22)
define('FS_SSH2_PORT', 22);

// Connection timeout in seconds
define('FS_SSH2_TIMEOUT', 10);

Replace the placeholder values with your actual server details and SSH key path.

2. Save the wp-config.php file: Ensure it’s saved with the correct permissions (typically 644 or 600)

3. Test the configuration: Try updating a plugin or installing a new one through the WordPress dashboard

Advanced SSH2 Configuration Options

For more complex server environments, you can use additional configuration options:

// Use specific SSH2 authentication method
define('FS_SSH2_AUTHAGENT', true); // Use SSH agent for authentication
define('FS_SSH2_HOSTKEYS', 'ssh-rsa,ssh-dss'); // Accepted host key types

// Connection settings
define('FS_SSH2_CONNECTION_TIMEOUT', 15); // Connection timeout
define('FS_SSH2_SFTP_TIMEOUT', 10); // SFTP operation timeout

// Debugging (for troubleshooting)
define('FS_SSH2_DEBUG_LOG', '/tmp/wordpress-ssh2-debug.log');
define('FS_SSH2_DEBUG_LOG_LEVEL', true);

Alternative: Using wp-cli for Configuration

If you have WP-CLI installed, you can configure SSH2 support using command line tools:

# Add SSH2 configuration to wp-config.php
wp config set FS_METHOD ssh2 --raw
wp config set FS_SSH2_PKEY_FILEPATH '/home/username/.ssh/id_rsa' --raw
wp config set FS_SSH2_HOST 'yourserver.com' --raw
wp config set FS_SSH2_USERNAME 'your_ssh_username' --raw

Troubleshooting SSH2 Configuration

If you encounter issues with the SSH2 method:

1. Check PHP error logs: Look for SSH2-related errors
2. Verify SSH key permissions: Ensure your private key is readable by the web server user
3. Test SSH connection manually: Try connecting via SSH to verify credentials
4. Check server compatibility: Some hosting providers disable certain SSH2 functions
5. Verify file paths: Ensure all paths in your configuration are correct

Advantages of the Built-in Method

• No additional plugins required: Uses WordPress’s native functionality
• Better performance: Direct integration with WordPress core
• More control: Fine-tuned configuration options
• Better security: No third-party plugin handling authentication
• Future compatibility: Less likely to break with WordPress updates

This method works well for users who have administrative access to their server environment and can install PHP extensions. It provides a robust, native WordPress solution for SFTP-based plugin updates without requiring FTP credentials.

Method 3: Direct File Access Method

The direct file access method represents the simplest approach when your WordPress installation has proper write permissions to its own directory structure. Instead of configuring complex SFTP or SSH connections, this method focuses on ensuring WordPress can directly modify files without requiring any external authentication mechanisms.

Understanding Direct File Access

WordPress attempts direct file access first before falling back to FTP/SFTP methods. For this method to work, your web server process (typically Apache’s www-data or Nginx’s nginx user) must have write permissions to the WordPress installation directory, particularly the wp-content directory and its subdirectories.

Setting Proper File Permissions

To enable direct file access:

1. Determine your web server user:

• On Ubuntu/Debian: typically www-data
• On CentOS/RHEL: typically apache
• On cPanel: typically the cPanel username

2. Set appropriate ownership and permissions:

# Set ownership to web server user
sudo chown -R www-data:www-data /path/to/wordpress/

# Set directory permissions
sudo find /path/to/wordpress/ -type d -exec chmod 755 {} \;

# Set file permissions
sudo find /path/to/wordpress/ -type f -exec chmod 644 {} \;

# Special permissions for wp-content
sudo chmod -R 775 /path/to/wordpress/wp-content/

3. For WordPress-specific directories:

# Plugins directory
sudo chmod -R 775 /path/to/wordpress/wp-content/plugins/

# Themes directory
sudo chmod -R 775 /path/to/wordpress/wp-content/themes/

# Uploads directory
sudo chmod -R 775 /path/to/wordpress/wp-content/uploads/

Alternative: Using ACL for More Granular Control

For more complex permission structures, you can use Access Control Lists (ACL):

# Set default ACL for new files
sudo setfacl -R -m d:u:www-data:rwx,d:g:www-data:rwx /path/to/wordpress/wp-content/
sudo setfacl -R -m u:www-data:rwx,g:www-data:rwx /path/to/wordpress/wp-content/

Configuring WordPress for Direct Access

Once proper permissions are set, ensure WordPress uses direct file access by adding this to your wp-config.php:

// Force direct file access method
define('FS_METHOD', 'direct');

Security Considerations

While direct file access is convenient, it has security implications:

1. Reduced security: WordPress can modify any file without additional authentication
2. Vulnerability risk: Compromised WordPress installation could modify any server file
3. Shared hosting concerns: Less secure on shared hosting environments where multiple sites share the same user

To mitigate these risks:

1. Regular security audits: Monitor file changes and suspicious activity
2. Limit write scope: Only grant necessary write permissions to specific directories
3. Use security plugins: Implement file integrity monitoring
4. Regular backups: Maintain regular backups of your WordPress installation

When to Use This Method

The direct file access method is most suitable in these scenarios:

• Dedicated or VPS servers: Where you have full control over server security
• Development environments: Where security concerns are less critical
• Simple WordPress installations: With minimal customizations
• High-traffic sites: Where performance is a priority and security is well-managed

This method should be avoided on:

• Shared hosting environments: Where security is a concern
• Multi-site installations: With complex permission structures
• High-security requirements: Where additional authentication layers are needed

Advantages of Direct File Access

• Simplest solution: No complex configuration needed
• Best performance: No external connections or authentication overhead
• WordPress-native: Uses WordPress’s preferred method
• No additional dependencies: Doesn’t require PHP extensions or plugins

For users with proper server administration capabilities and security measures in place, the direct file access method provides the simplest and most efficient solution to eliminate WordPress FTP credential prompts.

Configuring SSH Keys for WordPress Authentication

Proper SSH key configuration is essential for both the SSH SFTP Updater Support plugin and the built-in SSH2 filesystem method to work correctly. This section provides comprehensive guidance on generating, configuring, and managing SSH keys specifically for WordPress plugin updates via SFTP.

Generating SSH Keys

If you don’t already have SSH keys, generate them following these steps:

1. Open your terminal or command prompt

2. Generate the SSH key pair:

ssh-keygen -t rsa -b 4096 -C "wordpress-updates@yourdomain.com"

• -t rsa: Specifies RSA key type
• -b 4096: Specifies 4096-bit key strength (recommended)
• -C: Adds a comment to identify the key

3. When prompted:

• Enter a file location (accept default by pressing Enter)
• Enter a passphrase (recommended for security, but optional)
• Confirm the passphrase

4. Verify key generation:

ls -la ~/.ssh/

You should see:

• id_rsa (private key - keep secure!)
• id_rsa.pub (public key - can be shared)

Uploading Public Key to Server

Once you’ve generated your keys, upload the public key to your server:

1. Connect to your server via SSH:

ssh username@yourserver.com

2. Create .ssh directory (if needed):

mkdir -p ~/.ssh
chmod 700 ~/.ssh

3. Append public key to authorized_keys:

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

4. Test SSH key authentication:

ssh -T username@yourserver.com

You should be prompted for your passphrase (if set) and then see a welcome message.

Configuring WordPress to Use SSH Keys

With your SSH keys properly set up, configure WordPress to use them:

1. Copy private key to server:

• Copy your local private key (~/.ssh/id_rsa) to your server:

scp ~/.ssh/id_rsa username@yourserver.com:/home/username/.ssh/

• Ensure proper permissions:

chmod 600 ~/.ssh/id_rsa

2. Configure WordPress constants:
   Add these to your wp-config.php:

// Use SSH2 filesystem method
define('FS_METHOD', 'ssh2');

// Path to SSH private key
define('FS_SSH2_PKEY_FILEPATH', '/home/username/.ssh/id_rsa');

// SSH key passphrase (if any)
define('FS_SSH2_PKEY_PHRASE', 'your_key_passphrase');

// SSH host
define('FS_SSH2_HOST', 'yourserver.com');

// SSH username
define('FS_SSH2_USERNAME', 'your_ssh_username');

Alternative: Using SSH Agent Forwarding

For enhanced security, you can use SSH agent forwarding instead of storing private keys on the server:

1. Enable SSH agent forwarding in your client configuration:

Host yourserver.com
ForwardAgent yes

2. Configure WordPress to use agent forwarding:

// Use SSH agent for authentication
define('FS_SSH2_AUTHAGENT', true);

// Disable private key file path when using agent
define('FS_SSH2_PKEY_FILEPATH', '');

Managing Multiple SSH Keys

If you need to use different SSH keys for different WordPress installations:

1. Create separate key files:

ssh-keygen -t rsa -b 4096 -f ~/.ssh/wordpress_key1 -C "wordpress1@domain.com"
ssh-keygen -t rsa -b 4096 -f ~/.ssh/wordpress_key2 -C "wordpress2@domain.com"

2. Configure SSH config for each key:

Host server1
HostName server1.com
User username1
IdentityFile ~/.ssh/wordpress_key1

Host server2
HostName server2.com
User username2
IdentityFile ~/.ssh/wordpress_key2

3. Update WordPress configuration for each site:

// For server1
define('FS_SSH2_PKEY_FILEPATH', '/home/username1/.ssh/wordpress_key1');
define('FS_SSH2_USERNAME', 'username1');

// For server2
define('FS_SSH2_PKEY_FILEPATH', '/home/username2/.ssh/wordpress_key2');
define('FS_SSH2_USERNAME', 'username2');

Security Best Practices for SSH Keys

Follow these security practices when using SSH keys with WordPress:

1. Use strong passphrases: Protect your private keys with strong passphrases
2. Restrict key usage: Limit SSH keys to only necessary commands:

echo "command=\"/usr/bin/rsync\",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding" >> ~/.ssh/authorized_keys

3. Regular key rotation: Rotate SSH keys periodically
4. Monitor authorized_keys: Regularly check for unauthorized additions
5. Disable password authentication: Once keys are working, disable SSH password login:

sudo sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo systemctl restart sshd

6. Use key management tools: Consider using tools like ssh-agent for passphrase management

Troubleshooting SSH Key Issues

If SSH keys aren’t working properly:

1. Check key permissions:

ls -la ~/.ssh/

Private keys should be 600, public keys 644, and .ssh directory 700

2. Test SSH connection manually:

ssh -v username@yourserver.com

Look for authentication methods and any error messages

3. Verify authorized_keys format:

cat ~/.ssh/authorized_keys

Ensure keys are properly formatted without extra characters

4. Check server logs:

sudo tail -f /var/log/auth.log

Look for SSH authentication attempts and results

5. Test with different key types:
   Some servers may prefer different key types (ed25519, ecdsa, rsa)

Proper SSH key configuration ensures secure, passwordless authentication for WordPress plugin updates via SFTP, eliminating the need for FTP credentials while maintaining strong security practices.

Troubleshooting Common SFTP/SSH Authentication Issues

Even with proper configuration, you may encounter issues when setting up WordPress to use SFTP via SSH keys for plugin updates. This section addresses common problems and their solutions to help you resolve authentication and connection issues efficiently.

Common Authentication Errors and Solutions

1. “Authentication failed” Error

Problem: WordPress fails to authenticate via SSH/SFTP, displaying authentication errors.

Solutions:

• Verify SSH key permissions:

chmod 600 ~/.ssh/id_rsa
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

• Test SSH connection manually:

ssh -v username@yourserver.com

Look for authentication methods in the verbose output.

• Check if key is in authorized_keys:

cat ~/.ssh/authorized_keys

Ensure your public key is properly listed.

• Verify key format:
  Ensure your public key in authorized_keys follows this format:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC... your_comment

2. “Permission denied” Error

Problem: WordPress reports permission denied when trying to access or modify files.

Solutions:

• Verify web server user permissions:
  Determine your web server user (usually www-data, apache, or nginx) and ensure it has appropriate permissions:

sudo chown -R www-data:www-data /path/to/wordpress/
sudo chmod -R 755 /path/to/wordpress/
sudo chmod -R 775 /path/to/wordpress/wp-content/

• Check SSH key access:
  Ensure the web server user can access the SSH private key:

sudo chown www-data:www-data /home/username/.ssh/id_rsa
sudo chmod 600 /home/username/.ssh/id_rsa

• Test SSH connection as web server user:

sudo -u www-data ssh username@yourserver.com

3. “Connection timed out” Error

Problem: SSH connection attempts time out during WordPress operations.

Solutions:

• Increase timeout values in your wp-config.php:

define('FS_SSH2_TIMEOUT', 30);
define('FS_SSH2_CONNECTION_TIMEOUT', 30);

• Check firewall settings:
  Ensure port 22 (or your custom SSH port) is open:

sudo ufw status
sudo iptables -L

• Test network connectivity:

ping yourserver.com
telnet yourserver.com 22

• Verify SSH server is running:

sudo systemctl status sshd

4. “Host key verification failed” Error

Problem: WordPress fails to connect due to SSH host key verification issues.

Solutions:

• Add host key to known_hosts:

ssh-keyscan -H yourserver.com >> ~/.ssh/known_hosts

• Disable host key verification (not recommended for production):

define('FS_SSH2_HOSTKEYS', '');

• Verify host key fingerprint:
  Compare the server’s host key fingerprint with what’s in your known_hosts file.

Debugging SSH/SFTP Connections

Enable debugging to troubleshoot connection issues:

1. Add debug logging to wp-config.php:

define('FS_SSH2_DEBUG_LOG', '/tmp/wordpress-ssh2-debug.log');
define('FS_SSH2_DEBUG_LOG_LEVEL', true);

2. Check the debug log:

tail -f /tmp/wordpress-ssh2-debug.log

3. Test SSH connection with verbose output:

ssh -v username@yourserver.com

4. Test SFTP connection manually:

sftp -oIdentityFile=/path/to/private/username@yourserver.com

Server-Side Configuration Issues

1. PHP SSH2 Extension Not Available

Problem: The PHP SSH2 extension is not installed or enabled.

Solutions:

• Check if SSH2 is installed:
  Create a PHP info file with <?php phpinfo(); ?> and look for SSH2.

• Install SSH2 extension:

• Ubuntu/Debian:

sudo apt-get update
sudo apt-get install php-ssh2
sudo service apache2 restart

• CentOS/RHEL:

sudo yum install php-pecl-ssh2
sudo service httpd restart

• cPanel/WHM:
  Use WHM > EasyApache > Select PHP version > Enable SSH2

• Verify installation:

php -m | grep ssh2

2. Server Security Restrictions

Problem: Security restrictions prevent SSH/SFTP connections from WordPress.

Solutions:

• Check SELinux settings (if enabled):

sestatus
sudo setsebool -P httpd_can_network_connect 1

• Check AppArmor profiles:

sudo aa-status

• Verify chroot restrictions:
  Some hosting providers chroot SSH users, which may prevent access to WordPress files.

WordPress-Specific Issues

1. Plugin Update Still Prompts for FTP

Problem: Even after proper configuration, WordPress still prompts for FTP credentials.

Solutions:

• Verify FS_METHOD constant:
  Ensure define('FS_METHOD', 'ssh2'); is in wp-config.php before “That’s all, stop editing!”

• Clear WordPress cache:
  Plugin and object caching may interfere with filesystem methods.

• Check for conflicting plugins:
  Temporarily disable other plugins that might modify filesystem behavior.

• Test with direct method first:
  Temporarily set define('FS_METHOD', 'direct'); to verify permissions are correct.

2. Partial Updates or Failures

Problem: Plugin updates start but fail partway through.

Solutions:

• Increase PHP memory limit:

define('WP_MEMORY_LIMIT', '256M');

• Check disk space:
  Ensure sufficient disk space for temporary files and updates.

• Verify temp directory permissions:
  Ensure WordPress can write to the system temp directory:

sudo chown www-data:www-data /tmp
sudo chmod 1777 /tmp

• Check for file locks:
  Remove any leftover .lock files in plugin directories.

Advanced Troubleshooting Techniques

1. Using SSH Tunneling

If direct SSH access is restricted, consider SSH tunneling:

1. Set up SSH tunnel:

ssh -L 2222:localhost:22 username@yourserver.com

2. Configure WordPress to use tunnel:

define('FS_SSH2_HOST', 'localhost');
define('FS_SSH2_PORT', 2222);

2. Alternative Connection Methods

If standard SSH2 doesn’t work, consider these alternatives:

1. FTP with SSL (FTPS):

define('FS_METHOD', 'ftpsockets');
define('FTP_SSL', true);

2. WebDAV:

define('FS_METHOD', 'direct');

3. Custom filesystem method:
   Create a custom filesystem class extending WP_Filesystem_Base.

Getting Additional Help

If you continue to experience issues:

1. Check WordPress support forums:
   WordPress.org Support Forums

2. Consult your hosting provider:
   Many hosting providers have specific documentation for SFTP/SSH configuration.

3. Review server error logs:

sudo tail -f /var/log/apache2/error.log
sudo tail -f /var/log/nginx/error.log

4. Consider professional support:
   For complex configurations, consider WordPress support services.

By systematically troubleshooting these common issues, you should be able to configure WordPress to use SFTP via SSH keys for plugin updates without requiring FTP credentials.

Sources

1. SSH SFTP Updater Support Plugin — Official WordPress plugin for enabling SSH/SFTP authentication for updates: https://wordpress.org/plugins/ssh-sftp-updater-support/

2. WordPress Filesystem API Documentation — Official documentation on WordPress filesystem methods and configuration: https://developer.wordpress.org/advanced-administration/wordpress/wp-config/

3. WordPress Hardening Guide — Best practices for file permissions and security settings: https://wordpress.org/documentation/article/hardening-wordpress/#file-permissions

4. Stack Overflow: SFTP Instead of FTP for WordPress Updates — Community discussion on implementing SFTP for WordPress: https://stackoverflow.com/questions/53203050/how-to-use-sftp-instead-of-ftp-when-updating-wordpress-plugins

5. WordPress Stack Exchange: Enable SFTP via SSH Keys — Technical guide for configuring SSH key authentication: https://wordpress.stackexchange.com/questions/250288/enable-sftp-via-ssh-keys-in-wordpress

6. CodeChewing WordPress SSH/SFTP Guide — Detailed configuration examples for SSH2 filesystem method: https://guides.codechewing.com/wordpress/enable-secure-plugin-updates-ssh-sftp

7. Clubmate.fi SSH/SFTP WordPress Updates — Comprehensive guide to SSH key configuration and best practices: https://clubmate.fi/enable-plugin-and-theme-updates-over-sftp-on-wordpress

8. VirtualMin SSH Filesystem Configuration — Server administration perspective on SSH filesystem setup: https://archive.virtualmin.com/node/57093

9. FileZilla SSH/SFTP Discussion — Community insights on SSH key authentication for file transfers: https://forum.filezilla-project.org/viewtopic.php=t=54562

Conclusion

Configuring WordPress to install and update plugins without requiring FTP credentials on servers that only support SFTP via SSH keys is achievable through several proven methods. The SSH SFTP Updater Support plugin provides the most straightforward solution for most users, extending WordPress’s filesystem capabilities to work with SSH key authentication. For those with server-level access, the built-in SSH2 filesystem method offers a robust, native WordPress solution without requiring additional plugins. In environments where proper file permissions can be set, the direct file access method provides the simplest approach.

Regardless of which method you choose, proper SSH key configuration is essential for secure, passwordless authentication. By following the comprehensive guidance provided in this article, you can eliminate WordPress FTP credential prompts while maintaining strong security practices through SSH key authentication. Each method has its advantages depending on your server environment, security requirements, and technical capabilities, but all provide effective solutions for updating WordPress plugins without requiring traditional FTP access.