FTP question

I just got a shared hosting space with GoDaddy, and they sent an e-mail with all of this information including FTP Account Information below…

Each hosting account comes with a File Transfer Protocol (FTP) account and personal FTP site for your use. Your FTP site is basically a directory (folder) on our Web Server where your Web pages reside. When people visit your site, they are viewing the Web pages stored in your FTP directory. To transfer files to your FTP directory, you will need the following account information.

Hosting/FTP User Name: <my account #>
Web Site URL: http://MyDomainName.com
FTP Site URL: ftp://MyDomainName.com

Isn’t it awfully insecure to be able to upload/access my website’s files by just going to ftp://MyDomainName.com?!

It seems like things should be more obscure than that…

Debbie

To upload files to your FTP account you will also need a userID and password to log in. They should have sent you your FTP userID/password as well at some stage.

When you log in the first time, change your password.

But I guess my question was, “Isn’t knowing that how you access my website’s files is by going to ftp://MyDomain.com dangerous??”

Or is that how all websites work?

Debbie

I don’t know if they all work that way, but mine does as well.

The host name for my website’s ftp account is my domain name.

When I point my ftp client to that host name, I then have to also enter my account’s username/password.

For what it’s worth, I use ws_ftp as my FTP client.

I would think that is a BAD design for a “production” site.

For now, I guess my shared hosting account is okay, but if my site was live I would NOT think you would want to set things up on your own server that way…

Debbie

I’m not a systems admin guy so I don’t know what the security implications are with that type of set up.

But since I still have to enter a userid and password to log in to my ftp account, I sleep easy at night.

I’m happy with my web hosting provider and I routinely keep my own local backups of my website and the websites of my clients just in case something goes awry as a result of hacking or whatever.

I would think that is a BAD design for a “production” site

But how else would you do it? Another domain name isn’t feasible in hosted environments. Many servers operate on the URL provided by the browser to determine where files/requests go on the server disk. Your server can easily be scanned to see if FTP is active on the server.

So as mentioned you have to primarily rely on your login credentials. FTPS/SFTP and other secure FTP are better than just plain-jane FTP.

More importantly, keep your Windows workstation secure and clean. A large number of FTP hacks are from trojans on a user workstation harvesting FTP credentials stored in your FTP client program. This is a much greater risk IMHO.

I have a User Control Panel that I log in to to access my hosting space.

I would think that is the only way you should be able to upload files.

By having an FTP URL it seems like a wicked back-door to your whole root directory.

Yeah you still need a Username and Password, but it just seems to me like that “public access point” should be locked down or erased.

So as mentioned you have to primarily rely on your login credentials. FTPS/SFTP and other secure FTP are better than just plain-jane FTP.

More importantly, keep your Windows workstation secure and clean. A large number of FTP hacks are from trojans on a user workstation harvesting FTP credentials stored in your FTP client program. This is a much greater risk IMHO.

I’m just worried that this is an obvious place people can go to - ftp://MyDomain.com - to try and hack into my web root.

Debbie

Both the user control panel and FTP are equally accessible - all someone needs to access your site either way is the username and password.

Anyway using (S)FTP is way more efficient for uploading the files than the control panel option.

If you are really worried about it then have a main domain you use just for FTP and set up your site as an add-on domain. That way the FTP account is not on the same domain as the site.

For big shared hosts, it’s a compromise between security and manageability. If you were running something that needed more security, you’d probably want to be on a beefier platform than GoDaddy shared hosting. Most folks can barely handle the concept of FTPing up files to a website, never mind jumping domains and folders.

We generally don’t allow FTP except for a few designated scenarios, such as with a second authentication factor like a VPN.

It has less to do with the address (ftp.domain.etc) than it has to do with the port being used.
A webserver expects to be open on port 80, otherwise you wouldn’t be served pages. It’s similar with FTP: you connect on a standard port 21, or SFTP on 22, or POP3 on 110.

The address is not a secret, it’s the port that matters. For security purposes you can change the port assignments, but unless you are running a dedicated machine you can change, or port forward these to something more secure.

Make sure your username/password combinations are secure and limit your connections via IP resolve.
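
An added example, not written by any poster in this thread, for the advice above to prefer FTPS over plain FTP on port 21: it logs in only when the server advertises explicit TLS (AUTH TLS, RFC 4217), so the password is never sent in clear text. The FEAT replies are constructed samples, and `offers_explicit_tls` and `connect_ftps_only` are hypothetical helper names.

```python
import ftplib
import re
import ssl

# Constructed FEAT replies in the RFC 2389 layout (feature lines are indented).
FEAT_WITH_TLS = "211-Features:\n AUTH TLS\n PBSZ\n PROT\n SIZE\n211 End"
FEAT_TLS_LIST = "211-Extensions supported:\n AUTH SSL;TLS;TLS-C\n MDTM\n211 End"
FEAT_PLAIN_ONLY = "211-Features:\n SIZE\n MDTM\n211 End"


def offers_explicit_tls(feat_reply: str) -> bool:
    """Return True if a FEAT reply lists AUTH with a TLS mechanism."""
    for line in feat_reply.splitlines():
        if not line.startswith(" "):        # skip the 211 status lines
            continue
        tokens = [t for t in re.split(r"[\s;]+", line.upper()) if t]
        if tokens[:1] == ["AUTH"] and "TLS" in tokens[1:]:
            return True
    return False


def connect_ftps_only(host: str, user: str, password: str, timeout: int = 15):
    """Log in over explicit FTPS, or fail before any credential is sent."""
    # Default context verifies the certificate chain and the host name.
    ftp = ftplib.FTP_TLS(context=ssl.create_default_context(), timeout=timeout)
    ftp.connect(host, 21)
    try:
        if not offers_explicit_tls(ftp.sendcmd("FEAT")):
            raise ConnectionError(
                f"{host} does not advertise AUTH TLS; refusing clear-text login")
        ftp.auth()                  # upgrade the control channel to TLS
        ftp.login(user, password)   # credentials now travel encrypted
        ftp.prot_p()                # encrypt the data channel as well
    except Exception:
        ftp.close()
        raise
    return ftp


if __name__ == "__main__":
    for name, reply in [("with TLS", FEAT_WITH_TLS),
                        ("TLS in list", FEAT_TLS_LIST),
                        ("plain only", FEAT_PLAIN_ONLY)]:
        print(name, "->", offers_explicit_tls(reply))
```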