Is it safe to give wordpress SSH access for updates?

Question

In ubuntu I have the /var/www/wordpress folder owned by a user. In order to update/upgrade wordpress some folders need to be owned by www-data.

I am kind of confused but from what I've read that may pose a security risk. So I keep all the files owned by the user and when I need to update, I log to ssh (using pubkey), do a chown -R www-data /var/www/wordpress and after update I chown -R user:user /var/www/wordpress. The trouble is that I cannot auto-update wordpress and have to do all this manually.

I found about Enabling SSH Upgrade Access and can't figure out if this is safe security wise. Giving wordpress access to public and privatekey would compromise it?

define( 'FTP_PUBKEY', '/home/username/.ssh/id_rsa.pub' );
define( 'FTP_PRIKEY', '/home/username/.ssh/id_rsa' );

Answer 1

It is not safe to give the WordPress an SSH access for updates. and also if the website get hacked the hacker could get access to modify your php files and add new ones. Whatever you do if the website get hacked you gonna face files permission problems but you can protect from thus hacks by telling apache to not execute any php file that go under wp-content/uploads

What you can try to do is the following sudo chown -R user:www-data /var/www/wordpress and add this line define(‘FSMETHOD’, 'direct); in your wp-config.php that would allow WordPress to autoupdate the plugins/themes/core without using the SSH access.

You can check more about my answer here