We're not quite ready to say "R.I.P. FTP", but it's true that FTP has an inherent security flaw: your username and password are passed in clear text from your computer to the server. This means that malicious software on your computer could trivially capture your FTP credentials the next time you update your site.
We were alerted recently when a customer reported that some files in their website had been modified to include a strange looking IFRAME tag, which apparently loaded malicious code from a server in Russia every time a visitor arrived at the page. This prompted Google to temporarily list the customer's site as "Dangerous" in search results.
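The injected IFRAME described above is exactly what a file-integrity check against a known-clean backup catches early. The following is an added example, not code from the original post or from the hosting provider: it hashes a clean copy of the site, diffs it against the deployed copy, and lists the `src` of any iframe found in HTML files that changed or appeared since the backup. The two site snapshots (`CLEAN_SITE`, `DEPLOYED_SITE`) are constructed in memory so the script runs offline; in practice they would be read from the backup directory and the web root.

```python
import hashlib
import re
from typing import Dict, List

# Constructed sample data: the customer's clean backup and the copy currently
# served by the web server. index.html in the deployed copy carries an injected
# iframe, and js/extra.js is a file the clean backup never contained.
CLEAN_SITE: Dict[str, str] = {
    "index.html": "<html><body><h1>Welcome</h1></body></html>",
    "about.html": "<html><body><p>About us</p></body></html>",
    "css/site.css": "body { color: #333; }",
}

DEPLOYED_SITE: Dict[str, str] = {
    "index.html": (
        "<html><body><h1>Welcome</h1>"
        '<iframe src="http://example.invalid/x" width="1" height="1"></iframe>'
        "</body></html>"
    ),
    "about.html": "<html><body><p>About us</p></body></html>",
    "css/site.css": "body { color: #333; }",
    "js/extra.js": "// file not present in the clean backup",
}

# Matches an <iframe ...> tag and captures the value of its src attribute.
IFRAME_SRC = re.compile(
    r"<iframe\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE
)


def build_manifest(files: Dict[str, str]) -> Dict[str, str]:
    """Map each path to the SHA-256 of its content (the integrity baseline)."""
    return {
        path: hashlib.sha256(content.encode("utf-8")).hexdigest()
        for path, content in files.items()
    }


def diff_manifests(clean: Dict[str, str], deployed: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as modified, added (absent from baseline) or missing."""
    return {
        "modified": sorted(p for p in clean if p in deployed and clean[p] != deployed[p]),
        "added": sorted(p for p in deployed if p not in clean),
        "missing": sorted(p for p in clean if p not in deployed),
    }


def find_iframes(html: str) -> List[str]:
    """Return the src of every iframe tag in an HTML document."""
    return IFRAME_SRC.findall(html)


def audit(clean_site: Dict[str, str], deployed_site: Dict[str, str]) -> Dict[str, object]:
    """Compare the deployed site with the clean backup and report iframes
    found in any HTML file that changed or appeared since the backup."""
    changes = diff_manifests(build_manifest(clean_site), build_manifest(deployed_site))
    suspicious: Dict[str, List[str]] = {}
    for path in changes["modified"] + changes["added"]:
        if path.lower().endswith((".html", ".htm", ".php")):
            srcs = find_iframes(deployed_site[path])
            if srcs:
                suspicious[path] = srcs
    return {**changes, "suspicious_iframes": suspicious}


if __name__ == "__main__":
    report = audit(CLEAN_SITE, DEPLOYED_SITE)
    for key in ("modified", "added", "missing"):
        print(f"{key}: {report[key]}")
    for path, srcs in report["suspicious_iframes"].items():
        print(f"iframe(s) in {path}: {', '.join(srcs)}")
```

The hash manifest is the part worth keeping around: generate it from every clean upload and re-run the comparison on a schedule, so a change to a page you did not make is noticed before a search engine flags the site.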
A quick check of the logs indicated the customer's account had been logged into via FTP from many IP addresses around the world, some of which uploaded the various malicious changes to the site. Our customer was able to securely upload a clean backup and, of course, changed their password immediately.
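The log review described above can be automated: a single account authenticating successfully from many unrelated addresses in a short time is the signature of stolen credentials being used. This is an added example, not code from the original post; it assumes vsftpd-style login records (the `[user] OK LOGIN: Client "ip"` layout), and the sample log lines are constructed, using documentation address ranges rather than any real client IPs.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Set

# Regex for vsftpd-style login records; only the fields used below are captured.
LOGIN_LINE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$'
)

# Constructed sample log: "webadmin" logs in from five different networks within
# a day, "otheruser" only from one address (with a single failed attempt).
# The UPLOAD line is not a login and is ignored by the parser.
SAMPLE_LOG = """\
Mon Jun  7 10:15:02 2010 [pid 2031] [webadmin] OK LOGIN: Client "192.0.2.10"
Mon Jun  7 10:15:09 2010 [pid 2033] [webadmin] OK LOGIN: Client "192.0.2.10"
Mon Jun  7 10:15:30 2010 [pid 2033] [webadmin] OK UPLOAD: Client "192.0.2.10", "/public_html/index.html", 2048 bytes, 12.3Kbyte/sec
Mon Jun  7 23:41:55 2010 [pid 2110] [webadmin] OK LOGIN: Client "198.51.100.23"
Tue Jun  8 02:03:17 2010 [pid 2190] [webadmin] OK LOGIN: Client "203.0.113.77"
Tue Jun  8 02:03:40 2010 [pid 2191] [webadmin] OK LOGIN: Client "203.0.113.78"
Tue Jun  8 04:12:00 2010 [pid 2250] [webadmin] OK LOGIN: Client "198.51.100.200"
Tue Jun  8 09:00:01 2010 [pid 2300] [otheruser] OK LOGIN: Client "192.0.2.44"
Tue Jun  8 09:05:12 2010 [pid 2301] [otheruser] FAIL LOGIN: Client "192.0.2.44"
Tue Jun  8 09:05:30 2010 [pid 2302] [otheruser] OK LOGIN: Client "192.0.2.44"
"""


def parse_logins(text: str) -> List[Dict[str, str]]:
    """Turn raw log text into login events; lines that are not logins are skipped."""
    events: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOGIN_LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def distinct_ips_per_user(events: List[Dict[str, str]], successful_only: bool = True) -> Dict[str, Set[str]]:
    """Collect the set of client addresses each account authenticated from."""
    ips: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if successful_only and e["result"] != "OK":
            continue
        ips[e["user"]].add(e["ip"])
    return dict(ips)


def flag_accounts(events: List[Dict[str, str]], max_ips: int = 2) -> Dict[str, List[str]]:
    """Accounts whose successful logins came from more than max_ips addresses,
    with their addresses in numeric order for the report."""
    flagged: Dict[str, List[str]] = {}
    for user, ips in distinct_ips_per_user(events).items():
        if len(ips) > max_ips:
            flagged[user] = sorted(ips, key=ipaddress.ip_address)
    return flagged


if __name__ == "__main__":
    for user, ips in flag_accounts(parse_logins(SAMPLE_LOG)).items():
        print(f"{user}: {len(ips)} distinct source addresses: {', '.join(ips)}")
```

A threshold of two distinct addresses suits a small site updated from home and office; raise it for accounts shared by a team, and pair the check with a password reset whenever it fires, since the logins themselves look entirely legitimate to the FTP server.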
We're not sure how the bad guys got ahold of this customer's FTP credentials, but if this was a case of spyware on the customer's PC capturing his cleartext username and password during a site update, then using an alternative to FTP could have helped avoid this painful event.
Two of the simplest alternatives are SFTP and SCP. Both protocols encrypt the connection from beginning to end, so cleartext "sniffers" can't read the traffic. SFTP support is often built into FTP clients such as FileZilla, Cyberduck, and Dreamweaver's built-in client, but it may not be enabled by default. Check the help files for your favorite file upload program to learn how to enable SFTP.
WinSCP provides SCP and SFTP support, and a familiar Windows Explorer style interface, too.
There are no important differences between SFTP and SCP (both encrypt authentication and file transfers), so use whichever one your program supports. If your file upload program only supports old-fashioned FTP, it is time to upgrade.


A secure and free FTP alternative is FileShare247, which is a web based tool for sharing files with clients, staff, and vendors. Installation support is at no charge: http://FileShare247.com
Posted by: Technical Framework | June 13, 2010 at 10:09 AM
I'm using either FileZilla or WS_FTP Pro. SFTP is real handy; I definitely don't want malicious capture of my FTP username and password during my website backup.
Posted by: Steve Robbins | November 06, 2010 at 01:20 AM