Restrict FTP Access to a single WordPress Site

I have a Ubuntu 22.04 droplet with several WordPress sites. One of them requires outside technical support with FTP access.

I am able set up a user account for “techsupport” with password authentication, which can be used for FTP access to the entire droplet. But I want to restrict FTP access for this user to a single site, e.g. “/var/www/”

I have tried, unsuccessfully to adapt these instructions to my situation:

By manipulating ownerships I am able to keep the tech support user out of other sites but not the rest of the file structure:

sudo chown -R techsupport:www-data /var/www/

But so far I am unable to do what I really want to do, which is to restrict access for this user to this single site, while still permitting it to function as a WordPress site, and preventing access to the rest of the file structure.

Any ideas?

Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Site Moderator
Site Moderator badge
April 21, 2024
Accepted Answer


So first, you need to make the home directory of the User to be /var/www/

Set the directory structure and permissions: The root of the chroot directory needs to be owned by root and not writable by other users.

sudo mkdir -p /var/www/
sudo chown root:root /var/www
sudo chown root:root /var/www/
sudo chmod 755 /var/www
sudo chmod 755 /var/www/

Create a directory inside /var/www/ where techsupport can write:

sudo mkdir /var/www/
sudo chown techsupport:www-data /var/www/
sudo chmod 775 /var/www/

Adjust the home directory of techsupport: This is necessary for the chroot to work correctly.

sudo usermod -d /var/www/ techsupport
Site Moderator
Site Moderator badge
April 22, 2024

Heya, @lflier

Yes this is doable and not that hard or time consuming to set as well.

First, create a new group specifically for this WordPress site. Let’s call it “wordpress_only”.

sudo groupadd wordpress_only

Add the “techsupport” User to the New Group:**

sudo usermod -aG wordpress_only techsupport

Change the group ownership of the WordPress site directory to “wordpress_only” and restrict permissions to allow only the owner (techsupport user) and the group members (wordpress_only group) to access it.

sudo chown -R techsupport:wordpress_only /var/www/ sudo chmod -R 750 /var/www/

For WordPress to function correctly, you also need to ensure that the web server (usually www-data) has appropriate permissions to access the files within the WordPress directory.

sudo chown -R www-data:www-data /var/www/

I assume you’re using ProFTPD. You’ll need to configure it to chroot the “techsupport” user to the WordPress site directory. Locate the ProFTPD configuration file, usually located at /etc/proftpd/proftpd.conf, and add or modify the following lines:

DefaultRoot /var/www/

After making changes to the ProFTPD configuration, restart the ProFTPD service to apply the changes.

sudo systemctl restart proftpd

With that done, the “techsupport” user should only have access to the specified WordPress site directory and its subdirectories. They won’t be able to navigate outside of this directory or access other WordPress sites or system files.

Hope that this helps!

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Featured on Community

Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

Become a contributor

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

Learn more
DigitalOcean Cloud Control Panel