• Hi. The export/import mechanism requires that I supply the plugin with a server name and authentication information. Our web hotel master wouldn’t allow us to give out such information to a third party.

    The material downloaded by the export command is on my machine and I do have access to our WP installation over WebDAV. What is the recommended procedure for this scenario?

Viewing 14 replies - 1 through 14 (of 14 total)
  • You are not giving the info out to a 3rd party. The site/plugin needs FTP access.

    Thread Starter pdonner

    (@pdonner)

    Thanks ESMI for the kind feedback. It would be good if I could locate some documentation about this fact so that the web hotel administrator could also be satisfied.

    There’s no documentation as such but you will find that this issue has been raised and answered many times on the forums.

    The web application needs the information. The web application is running on your server. Therefore the only party involved is your server. Surely your webmaster should be able to understand that.

    Think about what is happening. When you upload via ftp you connect to the ftp server to upload files and you give the ftp server your credentials in order to do so. For WordPress to upload, it needs to do essentially the same thing so it must have the credentials necessary to connect to the ftp server. Either way, the only parties involved are you and your server.

    Hi,

    I’m the webmaster pdonner is talking about.

    apljdi: Surely your webmaster should be able to understand that.

    Yes, be sure he is able to understand that.

    But, he is also able to understand another way to fix the “download”.

    And, if he only has rumors to go on, he thinks in a worst-case manner. That means no FTP and no passwords to anybody that refers to such a security.

    The best thing pdonner now can do is to ensure that his wp-updates are secure. A reference to any discussions on the Internet won’t do. Neither will a million-using-this-app argument. (Anybody heard of Sony?)

    Perhaps a code-snippet or something. Until then it’s a big no-no.

    How about adding the FTP/SFTP credentials to the wp-config.php file? Would that be a reasonable compromise?

    No offense intended, Bredde. Please understand that I have no idea who you are. I don’t know what pdonner explained to you, if anything, or how he explained it. I don’t know anything about your organization or about anyone in your organization. I’m just trying to offer explanations as best I can. It isn’t personal. I don’t expect you to accept uncritically “discussions on Internet” but I hope you will listen to the argument and accept the argument in the spirit of helpfulness in which it is intended. I’m not here to pick a fight with you. I just find this stuff interesting.

    In the interest of the security of your site and your server, let’s talk about a couple of things. First, FTP itself is considered insecure. Every time pdonner or anyone else connects to your server over FTP your credentials go out over the wire unencrypted. Anyone in a position to sniff the traffic can read them off in plain text. Traceroute from your office to your server and see how many points of failure there are. Even in the best case, where you have an on-site server, there must be at least a couple of problem spots where disgruntled employees (best case) could sniff the traffic. In the worst case, your credentials are traveling the world wide web. In either case, using WordPress’s built-in FTP is actually more secure since the credentials never leave the server. The FTP transaction is localhost to localhost. The only way to sniff the credentials would be to have high-level access to the server itself.

    Using sftp would make either of the above scenarios much more secure, but your highest security is still with a localhost to localhost exchange, rather than a network one.

    The biggest danger, I think, is not with WordPress having your FTP credentials. The biggest danger is with installing insecure plugins or themes, or custom code, and that can be done whether you decide to use the automatic update mechanisms or whether you require pdonner to manually upload over ftp or sftp. You can’t address that by restricting the ftp credentials. You’d have to have a policy of exhaustive code analysis for whatever pdonner installs, however you choose to install.

    Another security related reason I can think of to be concerned about the WordPress FTP system is the possibility that WordPress is itself malicious and is transmitting your credentials to some secret repository somewhere. I am not aware of any such mechanism within WordPress and I have been through most of its files fairly thoroughly, but don’t take my word for it. Run WordPress. Run WireShark. Log everything and see if you spot anything untoward, and let us all know if you do. Sincerely. Of course, if it is the case that WordPress is some brilliant hacker ruse, it wouldn’t be just the FTP component that is dangerous. It would be the whole thing.

    Finally, if WordPress were compromised by a hacker, the hacker would be able to get some, or all, of your credentials depending on how you set things up. I just took a look and the password is not stored in the database when you manually enter it in the update/upgrade FTP form. The password would be accessible if kept in wp-config.php assuming the hacker got access that allowed reading that file.

    Perhaps a code-snippet or something. Until then it’s a big no-no.

    WordPress is open source. Look at all the code you want. No need for snippets. It sounds like you’ve already got a copy running on your server. Most of what you are interested in would probably be in /wp-admin/includes. WordPress files are mostly named meaningfully. You should be able to spot the ones related to FTP.

    And again, please take this in the spirit of helpfulness in which it is intended.

    Thanks for your intended helpfulness … very nice of you, indeed.

    But, pdonner won’t get any happier paying me to read through almost 5 Mb in 400 files. Only to make me sure that his ftp-update is done the way a nice and helpful writer claims on a thread somewhere out there.

    I think pdonner needs to find a new webmaster, who knows what the heck he’s doing, or a hosting service provider who allows basic necessities, like FTP access to pdonner’s own hosting account.

    Thread Starter pdonner

    (@pdonner)

    Thanks Chip for your feedback. You wrote:

    I think pdonner needs to find … a hosting service provider
    who allows basic necessities, like FTP access to pdonner’s own hosting account.

    I’m intending to promote WP in my municipality by asking for WP training at the adult education center. To ensure that the students would be able to carry out simple WP administration tasks, I actually also did exactly what you proposed.

    The hosting service provider was very kind and helpful until I brought up this issue with them. Although the company representative understood that the proposed WP training scheme would bring them new customers, they went quiet as soon as I asked about supplying user and password information in the WP dialogs.

    I think we ought to address this issue. Apljdi’s remarks on sniffing credentials sound relevant to me. At one point he writes:

    The FTP transaction is localhost to localhost.

    If this is the case I guess that we could write localhost in the field for the server name. Although this doesn’t solve the dilemma of the web master, I guess this could be a way of ensuring that the traffic remains in the server. But would it work Chip?
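To answer the “localhost” question concretely, here is an added example, not code from the thread or from WordPress itself: a stand-alone PHP check an administrator can run on the server to learn whether WordPress can write its files directly (the situation in which, as the fresh install later in the thread shows, no FTP dialog appears at all), followed in comments by the wp-config.php constants for the case where it cannot. The wp-content path and all credential values are assumptions/placeholders.

```php
<?php
// Added example, not from the thread or from WordPress: does the PHP process own the
// files it would create in wp-content? WordPress's own get_filesystem_method() does the
// same probe (temp file + owner comparison); when it passes, files are written directly
// and the FTP credential dialog never appears.

// Assumption: path to the wp-content directory of the installation being checked.
$content_dir = __DIR__ . '/wp-content';

function wp_can_write_directly(string $dir): array
{
    if (!is_dir($dir) || !is_writable($dir)) {
        return ['direct' => false, 'reason' => "$dir is not writable by the PHP process"];
    }
    // Create a throwaway file; whoever owns it is the user PHP actually runs as.
    $probe = $dir . '/write-probe-' . bin2hex(random_bytes(4)) . '.tmp';
    if (@file_put_contents($probe, 'probe') === false) {
        return ['direct' => false, 'reason' => "could not create a file in $dir"];
    }
    $created_as = fileowner($probe);
    $tree_owner = fileowner($dir); // WordPress compares against getmyuid(), the owner of its own script files
    unlink($probe);

    if ($created_as === $tree_owner) {
        return ['direct' => true, 'reason' => "new files are owned by uid $tree_owner, the same as the existing tree"];
    }
    // Ownership mismatch: WordPress will not leave mixed-owner files behind and falls back
    // to FTP/SFTP so that uploads are made by the user who owns the site.
    return ['direct' => false, 'reason' => "PHP creates files as uid $created_as but the tree is owned by uid $tree_owner"];
}

$result = wp_can_write_directly($content_dir);
echo ($result['direct'] ? 'direct write possible: ' : 'FTP dialog expected: ') . $result['reason'] . PHP_EOL;

// If the check fails, the compromise proposed in the thread is to keep the credentials in
// wp-config.php instead of typing them into the dialog. These are standard WordPress constants;
// pinning the host to the loopback address keeps the FTP exchange on the server itself, and
// FTP_SSL requests an FTPS connection. Placeholder values; replace them with your own.
//
//   define('FS_METHOD', 'ftpext');
//   define('FTP_HOST',  '127.0.0.1');
//   define('FTP_USER',  'ftp-user-placeholder');
//   define('FTP_PASS',  'ftp-password-placeholder');
//   define('FTP_SSL',   false);
//
// wp-config.php then holds a live password, so keep it readable only by the web server
// user (for example mode 0640 with the PHP user's group), as the thread warns.
```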

    Already accepted Chip’s solution to the security issue.

    But, ok. Let’s give your helpful wp-friends one more chance.

    WordPress is not ‘network’ software like Google Docs or Blogger. It runs entirely on one server, your server. Giving WordPress ftp credentials is no more giving credentials to a third party than would be giving ftp credentials to, say, FileZilla. Presumably, FileZilla, or other FTP clients, are OK to use – without exhaustive code analysis – but WordPress isn’t? That is pretty puzzling. In fact, giving WordPress ftp credentials is less giving it to a third party than would be giving them to FileZilla. Doubly puzzling.

    WordPress itself can run on the server without having passed exhaustive code analysis and testing, but WordPress can’t use FTP? Again, puzzling. Why trust this piece of software to run on your server and access your database without reading through the code, but balk at one component and insist that it isn’t safe until you read all of the code? If you distrust the software, why trust 99% of it? You do realize that WordPress – PHP in general – has file upload capabilities that have nothing to do with FTP, right?

    I don’t see any option offered by Chip, unless it’s this, “find a new webmaster, who knows what the heck he’s doing”.

    Great localhost wannabes you found, pdonner!
    Hey fellows – any comments on these “undocumented” features?

    esmi, Chip, apljdi?

    What do you do when I give you my FTP credentials?
    When you provide us with your FTP credentials we log into your site using FTP and change the permissions on files and directories such that it can be written by a file running on your server.

    Is changing the permission on my site essential?
    If you are asking in regards to WPAU, absolutely. In order to complete the automatic upgrade we need write permissions to your site.

    When will I be asked for my FTP credentials and why?
    You will only be asked for your FTP credentials when we cannot write to your server.

    That’s what pdonner also tries to do: When he cannot write to my server he asks for a password. Guess if he got one? Nope!

    Chip, I have a customer for you. No need for code-snippets any more.

    :O)

    https://www.ads-software.com/extend/plugins/wordpress-automatic-upgrade/faq/

    Thread Starter pdonner

    (@pdonner)

    I made a fresh install of the newest WP on yet another site. While performing the procedure to import the archive Mr. WP never grunted his ‘FTP’ with the nasty credential request. The program was probably capable of performing the transfer… internally.

    Maybe our discussion was heard by a friendly soul?

    Thanks to everybody involved. ph

  • The topic ‘How to import post without FTP’ is closed to new replies.