Use SFTP For Flip Sake
If you do only ONE thing to secure your site, then please consult with your hosting provider and see if you can access your site to upload and download files via SFTP rather than FTP.
What is SFTP
SFTP stands for secure file transfer protocol, it is a method of transferring files to and from your site in a secure manner. The link between your local machine and the remote hosting computer is encrypted so nothing can be intercepted and used to hack your site.
Think about credit card transactions in a browser, you use the secure http protocol https, you will see a small lock logo which tells you your credit card details cannot be captured, it is the same thing with SFTP at a file level.
Why Is There A Problem with FTP
Using FTP all of your login information is sent in “the clear” to your site, this means your login ID and password are sent over the internet in plain text format that can be intercepted and understood.
It is a fairly easy task for hackers to “sniff” packets of data going across the internet in the clear, if they setup a filter looking for particular strings, for example the ftp login command, they can harvest login information and gain access to your site.
How To Use SFTP
Your first port of call will be your hosting provider. Check out their documentation to see if you can switch from ftp to sftp, it is a very poor company that does not care enough about it’s customers security to provide this small security courtesy.
How you change from FTP to SFTP will depend upon the ftp client you use. I like Filezilla, and all I need to do is prefix a host name with sftp://, please check the documentation of the tool you use.
When you connect for the first time your FTP client will ask you to accept a key from the remote machine, this is used in the encryption process
You may find you file uploads and downloads ar ea little slower, this will be caused by the overhead of encrypting the traffic, but this is a small price to pay for security.
VIDEO: See how easy it is to capture a password
A while back I create a screen cast video of me capturing login details from an ftp session to show you how easy it is to capture this data.