My concern is not with Oxwall's intent, i fell fine with that.   My concern is regarding that this a unnecessary security risk that can be prevented.

dave,

Each time Oxwall connects to your site via ftp protocol with FTP credentials you inserted on update page and tries to create an empty folder in site root directory. If it fails, the script will return the error. So, make sure that FTP user you use is able to create folder/files in directory where Oxwall is installed. If this is and you are still unable to update, send PM to Alia with all login details. She will investigate it deeper.

kevinL.

Yes, exactly. Oxwall never stores FTP details in DB. It uses it only once each time a new plugin update/installation is performed. 

Just to follow up on this i did contact cPanel and this is what they said

You can create a virtual FTP account in cPanel via:

"cPanel >> Home >> Files >> FTP Accounts"

This is documented at:

http://docs.cpanel.net/twiki/bin/view/AllDocumentation/CpanelDocs/FTPAccounts

Remember to login using the full FTP username (e.g. username@domain.com). Ensure you are attempting to access a directory that you have access to. For instance, you can not edit a file in the public_html directory if you only granted access to public_html/123.

Thank you.

Ok folks i got it, Den here is how its done. :)   Maybe one day this could be incuded in the standard Oxwall docs.

The question is:  How to upgrade your plugins without having to give out your main cPanel Username and Password?

The answer is:  (and this has been just tested by me and was successful)

1. Go into your Cpanel and create a new ftp account.

2. If this is for a main domian (top domain) then its easy and follow 2a below. 

If this is for a sub domain or add on domain then to go 3 below.

  2a.  (main/top domains only)

     You can pretty much take the defaults when setting up the ftp, you just have to remember to make sure the directory option in the ftp form shows public_html  (the default will show public_html/name  remove the name so that it is just public_html) (do not remove any slashes that may exist meaning if there is a trailing slash leave it)  

     Also when you are presented with the update form in oxwall you need to change local host to ftp.yoursite.com  and then enter the username as name@yoursite.com and then enter the  pw for that ftp account.

Example:   if an ftp account is named oxftp@yoursite.com   Then for the host change local host to ftp.yoursite.com and the the username will be oxftp@yoursite.cm and then the password for that ftp account, keep the port 21

Done..

3. (sub/addon domains only)   Add on domains are alittle trickier but not too bad.  The reason addon and subs are alitte trickier is that the ftp always has to go thru the main/top domain to get to your sub/addon.

In other words  if i have a main site called   main.com  and i have a add on domain called addon.com   then to build an ftp that will look at addon.com you need to log into main.com with the ftp and then tell it to look at addon.com.   Sounds complicated but not really.

  3a.  Go into your cPanel and set up an ftp account.   The name will default to be your main domain so you can name it something like  oxsub@your_main_domain.com   (you might be thinking wait i dont want itto be my main domain, i want it to show my sub/addon domain name), its ok just let it be and then set your password.  You will see how it works here in a few min.. :) 

IMPORTANT!  make sure in the directory option that you DO NOT take the default value which in this case would be ?????/public_html/oxsub.  Change that to be   ????/public_html/your_sub or addon dir name     

Do not remove or change any slashes at all, just change the location from the default to your sub or add on domain.  (if there is a trailing slash in the default then leave it)

3b. And then save the ftp.

3c.  This time when you are presented with the plugin update form from oxwall you will:

    1.  Change the host to ftp.your main/top domain.com

    2.  username will be  name@your main/top domain.com 

    3.  password will be the password for the ftp account

    4.  port is 21

Since this ftp account is set to look at your sub/addon domain via the directory option you chose, it will only allow access to that area.

Done! 

Final comments:

1. This allows you to update your oxwall plugins without having to give out your main Cpanel Username and Pass.

2.  This also limits access to that update to only one area and not all areas of your hosting.

3.  This helps you to run an effective ftp management and hosting access plan for your site.

Hope this helps.  :)

PS.  want to test this yourself to make sure.  Just set up your ftp in filezilla and make sure when you connect that you are in the right place.. :)

wow Aliia nice professional job on the doc.   Thank so much im sure that will help alot of people.   You got it right i did not see anything you missed.

1 typo though

1st paragraph - you server 

should be:  your server

Other than that, perfectly done... Great job yourself :)

I cannot believe that in 2014, a modern web application puts such a burden on its users.

My environment will absolutely not allow FTP to be enabled, as we have regulatory obligations that forbid applications that use insecure/plain-text authentication.

Is there any way of reliably updating plugins without enabling FTP?

Please don't respond by saying "Just enable FTP". It's never, ever going to happen.

I suppose you could just install the new version directly every time via cPanel.

1. Download the latest plugin's version from Oxwall Store;
2. Unpack plugin's archive;
3. Upload unpacked plugin's folder into ow_plugins/ directory (overwrite existing old plugin);
4. Login to Admin Panel and click “Update PLugin DB” button

IMPORTANT NOTE: DON'T UPDATE YOUR PLUGINS TO 1.6 UNTIL YOU  UPDATE YOUR CORE TO 1.6