There are several ways of making a Wordpress installation more secure. One of them is to ditch FTP for updates and use secure authentication such as SSH.
Wordpress 4.1 has built-in support for SSH authentication, which becomes active as long as the ssh2 PHP extension is loaded.
On Debian Wheezy it can be installed with the libssh2-php package:
apt-get install libssh2-php
After the installation, restarting Apache activates the extension (which is defined in /etc/php5/conf.d/ssh2.ini):
service apache2 restart
However, no matter what I did, I couldn't get it to work in Wordpress.
I adjusted file permissions, created a key pair with and without a password, verified manual SSH login with the key file, ... whatever I did, I always got this error:
Public and Private keys incorrect for wpuser
Here wpuser is the user I defined, which owns the Wordpress folder.
There are several good howtos available that mention this error and give potential resolutions, but unfortunately none of them resolved the problem.
On the SSH layer I saw that a connection came in, but the key authentication never happened. The connection was always terminated from the PECL side before the authentication could take place (in the preauth phase):
sshd: Connection from 188.8.131.52 port 36144
sshd: Found matching RSA key: aa:bb:cc:dd:ee:ff:gg:hh:ii:jj:kk:ll:mm:nn:oo:pp
sshd: Postponed publickey for wpuser from 184.108.40.206 port 36144 ssh2 [preauth]
sshd: Received disconnect from 220.127.116.11: 11: PECL/ssh2 (http://pecl.php.net/packages/ssh2) [preauth]
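To isolate whether the failure sits in libssh2-php or in Wordpress, the following stand-alone CLI script (added here as an example, not code from Wordpress or the plugin) exercises the same PECL calls the ssh2 filesystem method uses: ssh2_connect, ssh2_auth_pubkey_file and ssh2_sftp. The hostname, key paths, Wordpress directory and host key fingerprint are placeholders you must replace; the fingerprint pin is an added check, since the ssh2 functions do no known_hosts verification themselves.

```php
<?php
// Stand-alone check of the libssh2-php (PECL ssh2) authentication path that
// Wordpress' ssh2 filesystem method relies on. Added diagnostic, not Wordpress
// or plugin code. Host, key paths, directory and fingerprint are assumptions.
$host       = 'wp.example.org';             // assumed hostname
$port       = 22;
$user       = 'wpuser';                     // owner of the Wordpress folder
$pubkey     = '/home/wpuser/.ssh/id_rsa.pub';
$privkey    = '/home/wpuser/.ssh/id_rsa';
$passphrase = '';                           // set if the private key is encrypted
$wpRoot     = '/var/www/wordpress';         // assumed Wordpress directory
// Expected server host key fingerprint (MD5, as sshd prints it); placeholder.
$expectedFp = 'aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99';

if (!extension_loaded('ssh2')) {
    fwrite(STDERR, "ssh2 extension not loaded (check /etc/php5/conf.d/ssh2.ini)\n");
    exit(1);
}
$session = @ssh2_connect($host, $port);
if ($session === false) {
    fwrite(STDERR, "SSH handshake to $host:$port failed\n");
    exit(1);
}
// Pin the host key before any credentials are sent.
$fp = strtolower(ssh2_fingerprint($session, SSH2_FINGERPRINT_MD5 | SSH2_FINGERPRINT_HEX));
if ($fp !== str_replace(':', '', strtolower($expectedFp))) {
    fwrite(STDERR, "Host key mismatch: got $fp\n");
    exit(1);
}
// This is the call behind "Public and Private keys incorrect for <user>":
// if it fails here, the problem is in the extension or the keys, not Wordpress.
if (!@ssh2_auth_pubkey_file($session, $user, $pubkey, $privkey, $passphrase)) {
    fwrite(STDERR, "Public key authentication failed for $user; compare with the sshd log\n");
    exit(1);
}
// Confirm the sftp subsystem works, since updates are transferred over it.
$sftp = ssh2_sftp($session);
$stat = @ssh2_sftp_stat($sftp, $wpRoot);
if ($stat === false) {
    fwrite(STDERR, "Authenticated, but sftp stat of $wpRoot failed\n");
    exit(1);
}
echo "OK: key auth and sftp work for $user; $wpRoot is owned by uid {$stat['uid']}\n";
```

Run it as the web server user so that file permissions on the key files match what Wordpress will see, and watch the sshd log alongside to tell a preauth disconnect from a rejected key.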
Could it be a bug in the Wordpress core? Or is the libssh2-php version maybe too old or buggy? After frustrating and unsuccessful research into possible bugs, I tried an alternative, a plugin called "SSH SFTP Updater Support". And finally I got lucky!
Once I had manually installed (unzipped and activated) the plugin, I was able to use the private/public key pair as the authentication method. Both setups worked, with or without a password-protected private key.
In the SSH log, the successful authentication (and the sftp download of a theme) is logged like this:
sshd: Accepted publickey for wpuser from 18.104.22.168 port 43559 ssh2
sshd: pam_unix(sshd:session): session opened for user wpuser by (uid=0)
sshd: subsystem request for sftp by user wpuser
sshd: Received disconnect from 22.214.171.124: 11:
sshd: pam_unix(sshd:session): session closed for user wpuser
Great WP plugin, well done and working well! Thanks to the author TerraFrost!