Using FTP on Your Joomla Website Can Result in Getting It Hacked

If you’re using FTP to upload files to your Joomla websites, then, you probably know that you’re not alone. The vast majority of Joomla websites allow for FTP access. What you probably do not know, is that you’re compromising the security of your Joomla website when you’re using FTP.

Why is that?

Well, because FTP sends the username and password for authentication (as well as every other request) in clear text, which means that anyone (or anything) eavesdropping on your connection would be able to steal those credentials and then probably use FTP to hack your website.

Now, the million dollar question is, can anyone eavesdrop on your connection?

The answer is no. Not anyone would be able to eavesdrop on your connection and read the FTP credentials when you send them to the server; it is only those people who are on the same network that have the ability to eavesdrop on your connection. But, and there’s always a but, if you have a machine infected with a trojan virus, then that virus can spy on your connection, and then send its findings home, e.g. to the person who infected the machine with the virus in the first place. That person would then, of course, use those credentials to hack your website.

So, what is a better alternative?

Well, SFTP, of course! SFTP stands for Secure File Transfer Protocol, which is the same concept as FTP, but instead of sending the commands to the server as raw text, it sends them as encrypted, making it extremely hard for anyone (or, again, anything) eavesdropping on the connection to tell what the login credentials are.

Is SFTP 100% secure?

Unfortunately, it is not, because if the machine establishing the SFTP connection has a virus that monitors keystrokes, then it wouldn’t be that hard for that virus to guess what kind of information is being transmitted to the server, and then sends that information “home” (e.g. to the hacker). However, SFTP remains far superior to FTP when it comes to security, since FTP is not secure at all.

Do all servers support SFTP by default?

Unfortunately, not. Try using the FTP username and password for your SFTP connection to check if you’re able to use SFTP. If you can’t, then you should tell your hosting company to ensure that the sshd process is running (in other words, you’re able to connect through ssh), and that your FTP username and password can also connect through SSH.

Is SFTP slower than FTP?

Definitely. This is because the SFTP protocol has to encrypt the data prior to sending it to the server. There’s also an additional network overhead since the transfers are done through SSH. SFTP is about 60% slower than FTP. However, speed shouldn’t be an issue unless you’re transferring large files.

Should the FTP service be stopped once you’re using SFTP?

Not necessarily, but it’s better to shut it down so that no one on your team uses it and compromises the security of your website.

If you’re having problems enabling SFTP on your Joomla website, then please contact us. We’ll be extremely happy to help. Note that our very affordable fees apply!

No comments yet.

Leave a comment