
FTP is hack prone


Recently I was moving a MODx website from one hosting provider to another. I was given the “master” account that is used for accessing cPanel and (S)FTP. I went ahead and created an additional FTP account. To my surprise, it wouldn’t connect via SFTP, only FTP. I sent a ticket to the hosting provider and, to my absolute surprise, they told me that “...additional FTP accounts cannot use SFTP, just FTP... If you need to transfer files with SFTP then use the master account”.

 

FTP is insecure, and the industry has already shifted to SFTP for transferring files. If your hosting provider tells you what mine told me, that SFTP is not available for any of your accounts, then switch servers immediately!

 

In the case of this hosting provider, at least one account is allowed to use SFTP, which is something. However, if you are not too knowledgeable about servers you can easily overlook this and keep creating FTP-only accounts. I advise every webmaster to check with their hosting provider immediately and make sure that all file transfers are done via SFTP. It may sound mundane, but if you have been with the same hosting provider for a long time (i.e. since before SFTP became the norm), you may still be using FTP, which is insecure.

 

Another thing worth checking is the number of FTP accounts on your system. Even if they connect via SFTP, delete the accounts that are no longer used (for example, accounts belonging to freelancers and employees no longer working for you, test accounts, etc.). The more FTP accounts there are, the easier it is to brute-force the system and the more likely a hack is to occur. I advise you to do that right now. As Professor Sunstein noted:

 

“People tend to have a great deal on their minds, and when they do not engage in certain conduct (for example, paying bills, taking medicines, or making a doctor’s appointment), the reason might be some combination of inertia, procrastination, competing obligations, and simple forgetfulness.”

 

FTP isn’t encrypted, and is thus vulnerable to multiple attacks, from brute-force and password sniffing to man-in-the-middle attacks. SFTP, on the other hand, is encrypted and is a completely different protocol from FTP (despite the similar names, the two are unrelated).
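The two checks recommended above (find logins still arriving over plain FTP, and find accounts that are idle or never used and should be deleted) as an added Python example; this is not code from the original post, and the login-log format, the account names and the timestamps are constructed for the example rather than taken from any real server.

```python
"""Audit FTP/SFTP account activity from a (constructed) login log."""
from datetime import datetime, timedelta, timezone

# Constructed sample log, one line per successful login. The format is
# invented for this example; adapt parse_log() to your server's own log.
SAMPLE_LOG = """\
2024-03-02T09:14:00Z login user=master proto=sftp src=203.0.113.10
2024-03-03T11:20:00Z login user=freelancer1 proto=ftp src=198.51.100.7
2024-03-04T08:05:00Z login user=master proto=sftp src=203.0.113.10
2024-03-29T16:40:00Z login user=deploy proto=ftp src=203.0.113.22
2024-05-20T10:00:00Z login user=master proto=sftp src=203.0.113.10
2024-05-21T10:30:00Z login user=deploy proto=sftp src=203.0.113.22
"""

def _parse_ts(text):
    """Parse the ISO-8601 UTC timestamp used in the constructed log."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_log(text):
    """Yield (timestamp, user, proto) for every 'login' line, skipping the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "login":
            continue
        fields = dict(p.split("=", 1) for p in parts[2:])
        yield _parse_ts(parts[0]), fields["user"], fields["proto"]

def audit(text, now_iso, accounts=None, max_idle_days=60):
    """Return (plaintext_users, stale_users).

    plaintext_users: accounts that logged in over unencrypted FTP at least once.
    stale_users: accounts with no login in the last max_idle_days; if `accounts`
    (the provisioned account names) is given, accounts that never logged in at
    all are reported as stale too.
    """
    last_seen, plaintext = {}, set()
    for ts, user, proto in parse_log(text):
        last_seen[user] = max(ts, last_seen.get(user, ts))
        if proto == "ftp":
            plaintext.add(user)
    cutoff = _parse_ts(now_iso) - timedelta(days=max_idle_days)
    stale = {u for u, ts in last_seen.items() if ts < cutoff}
    if accounts:
        stale |= set(accounts) - set(last_seen)
    return sorted(plaintext), sorted(stale)

if __name__ == "__main__":
    provisioned = {"master", "freelancer1", "deploy", "olddev"}  # constructed
    plain, stale = audit(SAMPLE_LOG, "2024-06-01T00:00:00Z", provisioned)
    print("still using plain FTP:", plain)
    print("idle or never used (delete?):", stale)
```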