FTP vs SFTP – the real truth about website security

FTP vs SFTP – the real truth about website security

I get real tired of people reading something online and then thinking it’s the real truth. Of course, this blog post falls into that category too, but I will explain.

Over this past weekend I read an article about best practices for making your website more secure. It was a great article about some general tasks to perform to keep your website secure. However, the comment that followed the article suggested the use of SFTP instead of FTP.

I was in a rage.

If you don’t already know, FTP is a protocol. It’s File Transfer Protocol. It’s how you would upload files to your hosting account or download files from your hosting account. It’s used for many other things, but that is probably how you would use it. FileZilla is a popular “FTP” program to put it in perspective.

The problem with FTP, as many people see it, is that it transmits your username, password and all data in plain text. If you’re using a public wifi connection at a coffee shop or Internet cafe somewhere then it’s possible that your transmission could be “sniffed” and your information copied. Of course logging into your WordPress site could also be “sniffed” and I’m certain many of you do that.

SFTP is Secured File Transfer Protocol. It encrypts the username, password and all data so it cannot be “sniffed”. Sounds like a good thing right?

First, let me explain that if you’re using your computer from home or the office then hackers would have to install a sniffer either at your home or office or somewhere between where you’re connecting from and where you’re connecting to. This is a highly unlikely set of circumstances.

We’ve seen too many websites infected even when the hosting provider only provides SFTP not FTP.


Most of the infected websites we’ve seen where files were transferred to the hosting account is through a password stealing trojan on the local computer of someone using SFTP. The login credentials aren’t sniffed, they’re stolen!

In addition, we’ve helped the customer scan their local computer for malware and it’s been found and removed. This not only saved their website from being re-infected but also helped alert them to changing all their login credentials.

If SFTP was the more secure method, why don’t WordPress, Joomla, Magento and other common platforms require it for logging in? You’re more likely to login to your WordPress site from an unsecured internet connection than you are FTP.

The real problem I have with SFTP is that most hosting providers only allow one SFTP user – the main account. There, if you have an SEO company helping you and web development company, then everyone gets full access to your hosting account. If you site is infected through stolen SFTP login credentials, with only one user available and everyone sharing that one account, you have no idea who has the infected local computer because all the log entries will show that one account.

However, with FTP, you can create multiple accounts, one for each company. Then if your hosting account is infected and it’s determined to be through FTP, a simple look in the logs will show which account was used by the hackers. You can delete that account or change the password and not interrupt the work of anyone else.

This is not possible if you have a hosting provider that only allows one SFTP account.