Secure File Transfer Protocol (SFTP) and Secure Shell (SSH) are essential tools for managing your WordPress site remotely. They allow you to perform administrative tasks, transfer files, and update your site from any location without needing to be at the physical server that hosts your site.

However, with this convenience comes the downside of potential cyber threats. For example, using weak passwords or not regulating access to these tools can leave your site vulnerable to hackers and other malicious actors.

To combat these threats, implementing advanced SFTP and SSH security features is crucial. That’s why Kinsta has released additional security-related features to help enhance your WordPress security. These features include:

  1. Different database and SFTP/SSH access for your environments.
  2. IP address login restrictions.
  3. Enhanced SFTP/SSH password controls.
  4. SFTP connection shortcuts.
  5. Ability to disable SFTP/SSH.
  6. SSH key-only access.

Let’s explore each of these features, providing practical examples of how they can help you better manage and protect your site.

1. Different database and SFTP/SSH access for your environments

We are always looking for ways to help you avoid potential security breaches. One best practice is to avoid using identical login credentials across multiple services and website environments.

Now, each website environment hosted at Kinsta has a unique database and SFTP/SSH access credentials. This means every staging environment and the live environment will have separate access details.

Also, changing the password for one environment won’t affect another. This isolation ensures that any changes in access control are contained within the specific environment, enhancing overall security.

This feature helps you limit who can access your site’s files and databases. For example, if you have developers working on your site, you might want them to have access only to your staging environment, where you can preview their work. Then, when the work is approved, you push it to the live environment, where they have no access to the site’s files and database.

2. IP address login restrictions

Another powerful security feature we recently introduced is the ability to restrict login access by IP address. This feature allows you to create an allowlist of IP addresses that are permitted to access your website via SFTP/SSH and phpMyAdmin database dashboards.

Imagine you run a WordPress site with a team of developers who need to access the site’s SFTP for updates and maintenance. For this extra level of site security, you set up an allowlist to ensure that only the developers or people with approved IP addresses can connect via SFTP.

If a developer changes their location or you need to grant temporary access to a new IP address, you can update the allowlist accordingly. This ensures that access remains restricted to trusted sources, protecting your site from unauthorized access attempts.

IP allowlists are managed on the Site Information page in MyKinsta, found under WordPress Sites > sitename > Info.

You’ll find an edit icon on the SFTP/SSH and Database access panel to the right of the IP allowlist label. Click that icon to begin adding or deleting IP addresses that are permitted to access your phpMyAdmin database or connect for shell or SFTP access:

Clicking the edit icon to manage an SFTP/SSH and database IP allowlist

Clicking the allowlist edit icon on either panel will launch an Update IP allowlist dialog like the one below:

Adding an IP address to an allowlist in MyKinsta

You can create an allowlist by entering valid addresses (Example: 45.229.77.9/32) in the Add IP addresses field and clicking the Add button. You can also add multiple IP addresses at once by separating them with commas.

When an allowlist is active for SFTP/SSH or database, the number of IPs allowed will be shown:

This IP allowlist field indicates the number of allowed IPs

You can always remove addresses from the IP allowlist by clicking the trashcan icon beside individual entries or by using the checkboxes to select entries in the list and then clicking the red Remove IP address(es) button.

The advantage of this feature is that hackers and malicious actors who are not on the allowlist will be unable to even attempt to log in.
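The comma-separated CIDR entries described above can be checked before they are pasted into the Add IP addresses field. This is an added example, not Kinsta's code or MyKinsta's own validation; the function names, the size threshold and every sample entry except 45.229.77.9/32 are assumptions made for illustration.

```python
import ipaddress

# Assumption: local review threshold for range size, not a MyKinsta limit.
MAX_ADDRESSES = 256

def check_allowlist(text):
    """Split comma-separated entries into (accepted networks, problems)."""
    accepted, problems = [], []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=True rejects host bits set under the mask (x.x.x.5/24).
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            problems.append((entry, f"invalid: {exc}"))
            continue
        if net.num_addresses > MAX_ADDRESSES:
            problems.append((entry, f"too broad: {net.num_addresses} addresses"))
        elif net.is_private or net.is_loopback:
            # A LAN or loopback address is never the source the server sees.
            problems.append((entry, "not a public address"))
        else:
            accepted.append(net)
    return accepted, problems

def is_admitted(client_ip, networks):
    """True if client_ip falls inside any accepted network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)

def to_field(networks):
    """Render accepted entries in CIDR form, comma-separated."""
    return ", ".join(str(net) for net in networks)

# Constructed sample input; only 45.229.77.9/32 appears in the article.
SAMPLE = "45.229.77.9/32, 45.229.77.64/26, 192.168.1.10, 45.229.77.5/24, 0.0.0.0/0"

if __name__ == "__main__":
    nets, issues = check_allowlist(SAMPLE)
    print("paste:", to_field(nets))
    for entry, reason in issues:
        print("review:", entry, "->", reason)
```

Running `is_admitted` against a developer's current public address before saving the list catches the common lockout where a private LAN address was entered instead.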

3. Enhanced SFTP/SSH password controls

Being able to differentiate access for all environments and restrict logins by IP address are useful security enhancements, but you might need even more. For instance, there are scenarios where you need to provide temporary access to a developer or third-party service. You may not remember to remove the person from the approved IP list once their task is completed. This is where enhanced SFTP password controls come into play.

By default, passwords created in MyKinsta for SFTP/SSH access do not expire automatically. With our recent security enhancements, you can now click the edit (pencil) icon beside the Password expiration label to choose an automatic expiry option:

Choosing an expiration period for SFTP/SSH passwords

When you enable automatic expiry, Kinsta’s system will generate a new password at the end of your chosen period. You can access the new password by revealing it or copying it on the SFTP/SSH panel.

In addition, the default or generated passwords are now more complex, making them harder to guess or crack. Complex passwords typically include uppercase and lowercase letters, numbers, and special characters, making them significantly stronger against brute-force attacks.

4. SFTP connection shortcuts

Imagine you are managing multiple WordPress environments within Kinsta, such as staging and production. Each environment requires unique SFTP settings for access. Without connection shortcuts, you must manually enter and verify these settings in your SFTP client every time you connect.

With the new SFTP connection shortcuts, you can simply download the config files for each environment and import them into your SFTP client. This ensures that all settings are correct and significantly reduces the time and effort needed to establish secure connections.

On the Site Information page in MyKinsta, found under WordPress Sites > sitename > Info, click the download icon beside the FTP client config files label to download these documents as a ZIP archive. Inside the archive, you’ll find files like these:

Contents of a client configuration ZIP file

The file formats above can be used for different client software; the name already suggests the perfect client. For example:

5. Ability to disable SFTP/SSH

So, you’ve just completed a major update to your WordPress site. As usual, you might use SFTP and SSH to make these changes. Once the update is finished, you can disable SFTP and SSH access until the next time you need them. This way, even if someone attempts to connect using stolen credentials, they would be unable to gain access because the services are not running.

Many of our users have requested this feature in the past, and we are happy to have implemented it, minimizing the attack surface on websites.

On the Site Information page in MyKinsta, if SFTP/SSH is currently enabled, you’ll see a Disable button in the panel’s upper-right corner. Click the button, and you will be prompted to confirm the action:

A user is asked to confirm disabling SFTP/SSH access to a WordPress environment

When SFTP/SSH is disabled for a website environment, configuration details are not relevant, so the entire SFTP/SSH panel is grayed out, and an Enable button replaces the Disable button:

With SFTP/SSH disabled, the Enable button allows you to reverse that status

This is particularly useful if you only occasionally use these protocols for maintenance or updates.

6. Ability to only use SFTP/SSH with an SSH key

By default, passwords and SSH key pairs can authenticate SFTP/SSH access to WordPress environments at Kinsta. However, many of our clients have expressed concerns about the security of password-based access and prefer the robustness of SSH key authentication.

With our recent security enhancements, you can now disable password authentication and rely solely on SSH keys.

Why use SSH keys? SSH keys are pairs of cryptographic keys used to authenticate a user. SSH keys are virtually impossible to break, unlike passwords, which can be guessed or cracked. This makes them a much more secure method of authentication.

You can also add a layer of security by setting a passphrase for your SSH key. This means that even if someone gains access to your private key, they will still need the passphrase to use it, providing extra protection.
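Whether a private key actually has a passphrase can be read from the header of an OpenSSH-format key file without knowing the passphrase. The check below is an added example, not Kinsta's code; it handles only the `openssh-key-v1` file format, and the function names and the header-only sample it builds are assumptions made for illustration.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"

def read_string(buf, offset):
    """Read one SSH string: uint32 big-endian length, then that many bytes."""
    if offset + 4 > len(buf):
        raise ValueError("truncated key file")
    (length,) = struct.unpack_from(">I", buf, offset)
    start = offset + 4
    if start + length > len(buf):
        raise ValueError("truncated key file")
    return buf[start:start + length], start + length

def key_protection(pem_text):
    """Return (cipher, kdf) named in an OpenSSH-format private key file."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an OpenSSH-format private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("missing openssh-key-v1 magic")
    cipher, pos = read_string(blob, len(MAGIC))
    kdf, _ = read_string(blob, pos)
    return cipher.decode("ascii"), kdf.decode("ascii")

def has_passphrase(pem_text):
    """A key stored without a passphrase names the cipher 'none'."""
    return key_protection(pem_text)[0] != "none"

def constructed_key_file(cipher, kdf):
    """Build a header-only stand-in for a key file (constructed, holds no key)."""
    def ssh_string(data):
        return struct.pack(">I", len(data)) + data
    blob = MAGIC + ssh_string(cipher) + ssh_string(kdf) + ssh_string(b"")
    return f"{BEGIN}\n{base64.b64encode(blob).decode()}\n{END}\n"

if __name__ == "__main__":
    for cipher, kdf in ((b"none", b"none"), (b"aes256-ctr", b"bcrypt")):
        sample = constructed_key_file(cipher, kdf)
        print(key_protection(sample), "passphrase set:", has_passphrase(sample))
```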

Click the edit (pencil) icon beside the Authentication methods label to disable or re-enable password authentication. You will see this prompt:

Choosing whether to allow SFTP/SSH authentication using a password

Key-based authentication is always available as long as SFTP/SSH is enabled. You can select or deselect the Password option and then click the Save changes button.

What is the end goal of these security enhancements?

We’re serious about security at Kinsta. The end goal of these security enhancements is to provide a comprehensive and robust security framework for your WordPress site.

By implementing these advanced SSH and SFTP features, we aim to achieve several key objectives:

  1. Reducing vulnerabilities: Each of these enhancements addresses specific vulnerabilities associated with remote access, password management, and unauthorized login attempts. By strengthening these areas, we significantly reduce the potential attack vectors that malicious actors could exploit.
  2. Enhancing protection: These features work together to create multiple layers of security. From the use of complex and auto-expiring passwords to the implementation of IP address login restrictions and key-based SSH authentication, each layer adds a barrier against unauthorized access.
  3. Improving management: Security should not come at the expense of usability. Features like SFTP connection shortcuts and the ability to manage authentication methods through MyKinsta make it easier for site administrators to implement and maintain robust security practices without sacrificing convenience.
  4. Ensuring flexibility: By providing options such as disabling SFTP/SSH access and configuring separate credentials for staging and live environments, we offer flexibility that meets various operational needs while maintaining high-security standards.
  5. Building confidence: Knowing that your WordPress site is protected by these advanced security measures allows you to focus on building and maintaining your site without constant concern over potential security threats.

Summary

These advanced security features provide robust protection for your WordPress site, ensuring peace of mind and allowing you to focus on what truly matters: building and maintaining your site.

In addition to these new enhancements, we leverage tools like Google Cloud and Cloudflare for firewalling, DDoS protection, and free wildcard SSL.

Independent auditors have also confirmed compliance with System and Organization Controls (SOC) security standards. You can request access to Kinsta’s SOC 2 Type II report from our Trust report page.

Get started with our secure environment by finding the best web hosting plan.

Joel Olawanle Kinsta

Joel is a Frontend developer working at Kinsta as a Technical Editor. He is a passionate teacher with a love for open source and has written over 300 technical articles, mostly about JavaScript and its frameworks.