Unintentionally rate-limiting VaultPress

Several weeks ago, I implemented nginx’s rate-limiting mechanism for all services hosted on my VPS. As a result, any non-GET request is subject to quite low limits on how many requests can be made in a given timeframe. As I discussed further in “Rate limiting: another way I guard against brute-force logins,” I chose very strict login limits as I’m the only person regularly authenticating with anything I host.

So far, there’s been only one unintended effect from these changes: VaultPress cannot reliably back up my site. Until recently, I hadn’t enabled any server-level access for VaultPress, which forced it to perform backups via HTTP requests triggered from WP Cron events. This approach was fine when requests weren’t limited, but VaultPress now finds itself blocked on every backup attempt.
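For illustration, here is an added example of a method-based limit of this kind. It is not the configuration actually used on this server, and the zone name, rate, burst, status code, server name and root path are all assumed values.

```nginx
# Added example; the map and limit_req_zone belong in the http {} context.
# Zone name, rate, burst, status code, server_name and root are assumed values.

# Key the limit on the client address for every method except GET.
# nginx does not account requests whose key is empty, so GETs are exempt.
map $request_method $non_get_key {
    GET     "";
    default $binary_remote_addr;
}

# One shared-memory zone: each client IP may average 6 non-GET requests
# per minute across everything that references the zone.
limit_req_zone $non_get_key zone=non_get:10m rate=6r/m;

server {
    listen 80;
    server_name example.com;        # placeholder
    root /var/www/wordpress;        # placeholder path
    index index.php;

    # Allow a small burst, reject the rest immediately instead of queueing.
    limit_req zone=non_get burst=3 nodelay;
    limit_req_status 429;           # nginx's default would be 503
    limit_req_log_level warn;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

With a limit like this, a service that sends bursts of non-GET requests from the same address is rejected once the burst is used up, and each rejection is recorded in the error log as `limiting requests, excess: ... by zone "non_get"`, which is the place to look when a legitimate integration stops working.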

While I could’ve added exceptions to my nginx configuration to exempt VaultPress from rate-limiting, there’s a better way to address this: provide the service with SFTP access. VaultPress has supported this and several other methods of direct access for as long as I can recall, but I’d previously never set any of these up for one reason: WordPress is but one of many things running on this server. While I have no reason to distrust VaultPress, I’m not willing to provide anything with widespread access to my VPS (even if my employer runs the service).

It was also imperative that I provide VaultPress with read-only access once it had a direct connection. The idea of providing any third party with SFTP access was disconcerting enough on its own, so I wanted to limit the potential negative impacts. That paranoia, combined with how my WordPress network is set up, also made write access unnecessary: the restore feature wouldn’t work with my sites anyway.

To overcome the aforementioned issues, I resolved to set up read-only SFTP access for a new user. This user would only have access to a directory that mirrors the real WordPress webroot, which would both prove necessary given how I wanted to configure everything and add an extra degree of security.

I describe how I did so in great detail in “Restricted SFTP access in Debian.”