Never, Ever Use FTP For Anything Ever Again
Do you use FTP to upload files to your website? If so, Topher, our WordPress teacher, has some advice for you.
In this video, he’s going to explain why you should never, ever, ever use FTP for anything ever again.
Take Topher’s advice. Keep your site safe.
This video is part of our complete WordPress Security training class.
Author
Steve is the founder of OSTraining. Originally from the UK, he now lives in Sarasota in the USA. Steve's work straddles the line between teaching and web development.
Good Point Steve and Topher
I thought I was set up with SFTP but apparently not. Having trouble pasting the Private Key file on my computer into a keyfile (using NotePad). FileZilla on my Windows machine complains the file is in the wrong format and is protected for some reason. Guess I will need to “chat” with my host provider.
Question: When uploading and downloading files from File Manager inside the cPanel, is this using FTP or SFTP? Should the File Manager in the cPanel NOT be used even on smaller files?
@CharlieSasser, per cPanel:
“We strongly recommend that you log in over an encrypted SSL connection. An encrypted SSL connection will not transmit your username and password in plain text over the Internet.”
You should always log in to cPanel on port 2083, which will add HTTPS in front of your server’s domain (Example: https://server.domain.tld:2083). Of course, this requires you to install an SSL certificate on your server for authentication, but you need that anyway (mail over SSL or TLS, SFTP, etc.). You should also be using the cPanel session token (Example: https://server.domain.tld:2083/cpsess1234567890/). If you’ve done this, cPanel’s File Manager is just as secure as any of the other methods Topher describes.
More info: https://documentation.cpanel.net/pages/viewpage.action?pageId=1769500
So SiteGround is my current host and it is an SSL connection to cPanel via port 2083 by default, i.e. https://xxxxxxx.sgcpanel.com:2083. I know enough to be dangerous, but I have always heard that it is less “reliable” to use cPanel File Manager to do uploads and downloads. I still use it for smaller files, but for backup files or transferring a site in a zip file I have always thought it was more “reliable” to transfer these large files via FTP or SFTP. Any comments?
By nature SFTP/FTP are better than HTTPS/HTTP for large file transfers because that is what they were designed for (File Transfer Protocol vs. HyperText Transfer Protocol). It sounds like you are already using best practices.
@YaegerDesign Sometimes I get lucky. Looks like you live close to where I grew up (Chattanooga). Actually my wife and kids say I still haven’t grown up. 🙂 Thanks for reply.
FileZilla has the sftp option, but is asking for private key files or numbers, and something about Putty. What is that all about, and how or where do I get private keys? And if the only place that I ever use ftp is at home on my secure network, do I need to worry about this?
I’m certainly no expert but here is how I did it for FileZilla. I’m sure it will be different on every host. This is not all the detail but may be helpful.
First I searched on my host (Siteground.com) for instructions. The instructions were detailed but didn’t tell everything I needed. Basically you have to create a pair of private keys so that your computer and the host can talk via a secure SSH connection with encryption.
To set up the key you will need to know your computer’s IP on the internet (not your IP on your home network). You can go to http://www.whatismyip.com/ and easily find this. You will also need to know the name of the actual web host your website is on (with 1000s of others if you are on a shared host). You will need your host account name (probably a domain name), username, and password for the account.
What is a little confusing is that you are not connecting a regular FTP client to, say, ftp.yourdomainname.com, but directly to your web host. In my case it was something like http://xyz.siteground.biz (note this is not the nameserver but the actual web host where your site is running).
At Siteground I went to cPanel and there was an “Advanced” grouping of icons for “SSH/Shell Access”. Once you set up the key for your IP there is a Private Key configuration file that is generated with about 20 lines or so of code. Take the contents, copy and paste this into a text file on your local machine, and save it with an extension of .ppk.
When you go to FileZilla to set up the connection it will ask for the location of the private key file on your local computer. When you click OK to add it, it will say it is not the right format (I think FileZilla is expecting the file in PuTTY format on a PC, but if you ignore this and proceed it will ask you to supply the password for the file, which is the password you use to log in to your host account). It will then generate the appropriate PuTTY file it needs and let you save it. My understanding is that PuTTY is a Windows SSH client. My guess is that FileZilla has a part of this client embedded in its application so you do not need to install PuTTY to create the private key file on your machine.
Sorry for the long reply. Who is your host? I actually wonder if a short video on this would help. Maybe there are some on YouTube for your host.
PS: I would use SFTP even from home. You can also add other IPs to the Private Key File by going back to cPanel. If you don’t have a fixed IP at home via your ISP (ATT, Comcast, Cable, etc.) you will need to see if it has changed if it stops working.
The danger of FTP presented in the video is really about the danger of public, unencrypted wifi networks. If you are logging into your account on any site (like the Joomla admin) where your credentials will be passed in the clear, using a public, unencrypted network connection is a bad idea.
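The point made throughout this thread is that plain FTP puts the username and password on the wire as readable text, while SFTP wraps everything in one encrypted SSH stream. The following added example (written for this page, not part of the video or OSTraining's material) shows what that means from a network-monitoring point of view: a small scanner that walks a constructed packet log and reports cleartext FTP logins, recording the username but never the password. The packet records, addresses and credentials are all made up for illustration.

```python
"""Flag cleartext FTP logins in a constructed packet log (defender's view)."""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    """One client-to-server packet from a (constructed) capture."""
    src: str
    dst: str
    dport: int
    payload: bytes


FTP_USER = re.compile(rb"^USER (\S+)", re.I)
FTP_PASS = re.compile(rb"^PASS ", re.I)


def find_cleartext_ftp_logins(packets):
    """Return (client, server, username) for each plain-FTP login observed.

    FTP (port 21) sends USER and PASS as readable text, so anyone on the same
    unencrypted Wi-Fi can read them. An SFTP session (port 22) is a single
    encrypted SSH stream, so the same scan finds nothing there. The password
    is deliberately not stored: a monitoring tool should not log secrets.
    """
    pending = {}  # (src, dst) -> username from a USER line awaiting its PASS
    hits = []
    for p in packets:
        if p.dport != 21:
            continue
        for line in p.payload.split(b"\r\n"):
            m = FTP_USER.match(line)
            if m:
                pending[(p.src, p.dst)] = m.group(1).decode(errors="replace")
            elif FTP_PASS.match(line) and (p.src, p.dst) in pending:
                hits.append((p.src, p.dst, pending.pop((p.src, p.dst))))
    return hits


# Constructed sample traffic; not a real capture.
SAMPLE = [
    Packet("10.0.0.5", "203.0.113.10", 21, b"USER charlie\r\n"),
    Packet("10.0.0.5", "203.0.113.10", 21, b"PASS hunter2\r\n"),
    Packet("10.0.0.5", "203.0.113.10", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Packet("10.0.0.5", "203.0.113.10", 22, bytes(range(0x80, 0xA0))),  # encrypted
    Packet("10.0.0.7", "203.0.113.10", 21, b"USER anonymous\r\n"),  # no PASS yet
]

if __name__ == "__main__":
    for src, dst, user in find_cleartext_ftp_logins(SAMPLE):
        print(f"cleartext FTP login from {src} to {dst} as {user!r}")
```

On real traffic the same logic applies to anything decoded from port 21; the SFTP packets on port 22 carry no parsable USER/PASS lines at all, which is exactly why the video says to stop using FTP.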