If your team still uploads website files over SFTP with a username and password, you’re leaving the door ajar. Attackers constantly probe SSH/SFTP ports and reuse leaked credentials to force their way in. Switching to SSH key authentication closes off that easy route and reduces the risk of malware landing on your WordPress site — protecting SEO, customer trust and revenue.
What’s going on?
SFTP runs inside SSH. Every connection negotiates encryption, verifies the server, then authenticates the user. Passwords are the weak link: they’re guessable, phishable and often shared. SSH keys work differently — your device signs a one-time challenge with a private key that never leaves your machine. Even if someone sees the network traffic, they can’t reuse it to log in.
Why this matters to your business
- Fewer break-ins: Public-key logins resist brute force and credential stuffing, cutting a common route for website malware.
- Faster recovery: If a key is compromised, you can revoke a single line from authorized_keys without resetting everyone’s password.
- Compliance & audit: Clear ownership of keys helps demonstrate access control for policies and audits.
- Brand & SEO protection: Preventing malicious uploads helps avoid search-engine warnings, chargebacks and lost conversions.
Warning signs you should act
- Frequent failed SSH/SFTP logins from unknown locations.
- New files appear on the server that no one recognises.
- Backdoors or web shells detected during security monitoring.
- Multiple staff sharing one SFTP password or “deploy” account.
Prevention and resolution: a practical plan
1) Move to SSH keys (and turn off passwords)
- Generate keys on each device: Prefer ed25519 keys with a passphrase (hardware-backed keys are even stronger).
- Authorise per-user access: Add only the public key to ~/.ssh/authorized_keys on the server.
- Disable password logins: Update sshd_config to allow public-key auth only.
2) Limit what each account can do
- Least privilege: Give SFTP users access only to the folders they need. Consider chrooting (restricting) users to their upload directory.
- Turn off SSH features not required: Disable port forwarding and shell access for pure SFTP users.
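The sshd_config changes from steps 1 and 2, shown as an added example that is not matm's or Sucuri's own configuration: a constructed weak config beside a hardened one, plus a small audit function you can run against your own file. The group name sftponly and the chroot path /srv/sftp are assumptions.

```shell
#!/bin/sh
# Added example: weak vs hardened sshd_config, and an audit of the text of a config.
# Group "sftponly" and chroot path "/srv/sftp" are assumed names, not from the post.

# Constructed weak config: passwords still accepted, SFTP users unrestricted.
weak_config() {
  cat <<'EOF'
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
}

# Constructed hardened config: key-only logins, SFTP users chrooted,
# forced into the SFTP subsystem, with forwarding and tunnels switched off.
hardened_config() {
  cat <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# Read a config on stdin, print one line per weak or missing setting, exit 1 if any.
# Comment lines are skipped: a commented-out "PasswordAuthentication no" leaves the
# default "yes" in force. This checks the file text only; "sshd -T" shows what
# the running daemon actually applies and is the authoritative check.
audit_config() {
  awk '
    /^[[:space:]]*#/ || NF < 2 { next }
    { seen[tolower($1)] = tolower($2) }
    END {
      bad = 0
      if (seen["passwordauthentication"] != "no")       { print "PasswordAuthentication is not no"; bad++ }
      if (seen["pubkeyauthentication"] == "no")         { print "PubkeyAuthentication is disabled"; bad++ }
      if (seen["kbdinteractiveauthentication"] != "no") { print "KbdInteractiveAuthentication is not no"; bad++ }
      if (!("chrootdirectory" in seen))                 { print "no ChrootDirectory for SFTP users"; bad++ }
      if (seen["forcecommand"] != "internal-sftp")      { print "SFTP users not forced to internal-sftp"; bad++ }
      if (seen["allowtcpforwarding"] != "no")           { print "AllowTcpForwarding is not no"; bad++ }
      exit bad > 0 ? 1 : 0
    }'
}
```

Run it as `audit_config < /etc/ssh/sshd_config` on a server; apply the hardened settings only after confirming every admin's public key is already in their authorized_keys, or you will lock yourself out.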
3) Keep keys healthy
- Review quarterly: Remove old keys when people change roles or leave.
- Rotate and label: Store fingerprints, label keys (e.g. “Marketing-Laptop”), and remove any you don’t recognise.
- Plan for server key changes: Document host-key fingerprints so staff can safely approve updates after maintenance.
4) Watch the doors and the hallway
- Logging & alerts: Forward SSH logs to your SIEM and alert on repeated failures or new key additions.
- Intrusion prevention: Use tools like Fail2ban and set sensible connection limits to slow automated attacks.
- Security monitoring: Scan new uploads for web shells and backdoors to block malware before it’s live. Pair with a web application firewall (WAF) for virtual patching and exploit defence.
- Backups: Keep immutable, off-site backups of your site and upload areas for fast recovery.
Key takeaways
- Make SSH keys the default for SFTP; disable password logins.
- Prefer ed25519 (or hardware keys) with passphrases for strong identity.
- Apply least privilege, restrict SFTP users, and disable unnecessary SSH features.
- Combine SFTP hardening with malware protection, security monitoring, a WAF and reliable backups for full-stack website security.
How matm can help
- Managed WordPress, plugin & theme updates to reduce vulnerabilities and keep your site stable.
- Security monitoring and WAF setup to block attacks and spot suspicious changes quickly.
- Regular backups & fast site recovery so incidents don’t become outages.
- Malware removal and emergency response if something slips through.
If you’d like us to review your SFTP/SSH setup or move you to key-based access as part of wider website maintenance, email [email protected] or call 01952 883 526.
Based on research by Sucuri: Enhancing File Transfer Security with SSH Key Authentication.