Things you will need

1. Your domain name
2. Your FTP username and password. These differ from your client centre username and password.
3. A general understanding of where things are located on your computer, such as where your user account folder is located

If you are working on the domain that we created automatically for you when you signed up with us, the FTP username and password can be found in the Web Hosting Welcome email sent when you first signed up with us. It can also be seen in your client centre by selecting “My Services” in the menu, then clicking the manage button beside your hosting account. You may need to hover your cursor over the password to see the full credentials.

If you added the domain to Plesk yourself, then you would have been asked to enter in the username and password for the domain – these are the FTP credentials you will need.

If you forget your FTP username and password and cannot find them, please see our KB article on how to reset your FTP login details.

Intro to FTP and SFTP

File Transfer Protocol (FTP) is what you use to upload your site content to your web server. If you made use of our application installer, then you will still need to know how to use FTP to make changes to your configuration, upload plugins or modules, and adjust other parts of your site manually. Thus it is important to understand the basics of FTP for all aspects of creating and maintaining your website.

SFTP simply adds “Secured” or “SSH” (Secure SHell) to the front of File Transfer Protocol. Using SFTP is highly recommended in all cases where you wish to transfer files due to the added security. In order to use SFTP with our servers, you must have “Shell Access” enabled on your account. We enable basic chrooted shell access on all our accounts to ensure you have secure access to your server. To verify that Shell Access is enabled for the domain you will be working on, do the following:

1. Login to the client centre, choose My Services, click manage beside the hosting account you will be working on, then choose “Login to Plesk”
2. Choose “Web Hosting Settings”
3. If you have more than one domain, select the domain you will be working on in the list. If you have just one domain, ignore this step
4. Under the “Account Preferences” section, look for “Shell access to server with FTP user’s credentials” and ensure it is set to anything that is not “Forbidden”

If you are unable to change this option, please open a support ticket referencing this guide and explaining what you are trying to do so we can correct your permissions.

Where to Find FileZilla Client

FileZilla is a great free FTP and SFTP capable application for Mac, Windows and Linux. It is available here for download. Ensure you download the Client application, not the Server. For Mac OS X there are better applications in terms of user interface design, although they are not free. More on this later.

Download and install FileZilla now to get started with it.

Configuring FileZilla to be Less Confusing

There are a few user interface elements that are bound to do nothing but confuse you. To avoid possible confusion, choose the View menu, then uncheck “Local Directory Tree” as well as “Remote Directory Tree”. Also uncheck “Message Log” (also under the View menu). You may need this for troubleshooting, so remember where it is.

Connecting with FileZilla

At the very top of the window, you will see fields for Host, Username, Password, and Port. These are useful for one-time connections, but if you want FileZilla to remember your settings, then it would be better to save them as a bookmark so you don’t have to enter the details each time you open the application. The first button on the left in the toolbar is the Site Manager – this is how you save bookmarks to FileZilla. You can also find this under the File menu (File > Site Manager).

Open the Site Manager and click the New Site button. It will immediately request a site name – you can make this whatever you wish. On the right, enter your domain name as the hostname with ftp prefixed:

ftp.yourdomain.com

Enter 22 for the Port (for SFTP) or 21 for normal FTP. SFTP is highly recommended. If using SFTP, change the Server Type to SFTP SSH File Transfer Protocol. Under Logon Type, choose Normal and enter your FTP/SFTP username and password.

If you are using regular FTP and not SFTP, make sure you visit the Transfer Settings tab and choose “Passive” for the Transfer Mode setting.

Click Connect.

Understanding the FileZilla User Interface

FileZilla is really easy once you get the hang of it. Here’s the general idea:

Left Side: Local Computer

On the left is your local computer’s directory structure. By default it’s probably showing c:\ on Windows and / (also called root) on OS X or Linux. You will want to navigate to wherever your site’s files are located on your computer. If you used our application installer and don’t yet have your site saved on your local computer, then you probably want to navigate to your Documents or Sites folder and create a new directory where you will store your website.

On Windows Vista and 7, Linux, or Mac OS X, I suggest navigating to the Users folder, then your username, then the folder called Sites (if Sites doesn’t exist yet, why not create it?). Within the Sites folder, create a new folder by the name of your website. You can use this folder to store all your website content.

Right Side: Remote Server

Now that you have connected successfully to your server, on the right side you should see a list of directories like:

anon_ftp
cgi-bin
conf
error_docs
httpdocs
httpsdocs
pd
private
statistics
subdomains
web_users

Although they each have their purpose, most of these can be ignored. The folder where all of your web content is stored is under the httpdocs folder. Don’t mistake this for the httpsdocs folder – this folder is for storing the web site content that is accessible when visiting https://yourdomain.com. In other words it’s for secure content only and only when Plesk is not set to use the same folder for secure and non-secure content.

Transferring Content

To upload your site content, simply drag and drop the items you wish to upload from the left pane to the right. The opposite is true to download – drag the items you wish to download from the right to the left. While the files are downloading or uploading, they will appear in the transfers pane at the bottom of the window. You will also be notified of any failures here.

Troubleshooting

If you cannot connect or cannot upload or download files, the reason why will be displayed in the message log. If you followed the direction to hide this above, then you will need to show it again to view the log. Go to the View menu and choose “Message Log” if it us unchecked. This puts the message log just below the quick connection details at the top of the window. You can see any error messages here – normally at the bottom of the pane.

If you cannot resolve the problem described by the error, please copy and paste the error you see in the message log into a support ticket so we can look into it. Please also include your connection details, including the hostname, username and password so we can reproduce the problem.

Alternative Applications

Although different applications have different user interfaces, all the core functionality described here remains the same. For Mac OS X there are three great alternative applications, one free and two paid. The alternate free application is called Cyberduck and is available here. Cyberduck is also available for Windows now.

Yet another alternative, Flow – $25 USD, makes your FTP/SFTP connections look like Finder windows for simpler drag and drop uploads and downloads.

The third alternative, and my SFTP and FTP application of choice is called Transmit – $34 USD and is made by the folks over at Panic software. Transmit has been around for many many years for the Mac and its latest incarnation, Transmit 4, is a fantastic application. If you intend to be working with file transfers regularly and you’re using a Mac, I highly suggest purchasing this software. The user interface is second to none and the featureset is extremely powerful. For example, Transmit has the ability to easily and simply mount one of your SFTP connections directly in to Finder so that uploads and downloads really are as simple as drag and drop in an already familiar manner. This is all managed through a cute menubar icon in the image of Transmit’s truck icon.

Transmit also has the ability to synchronize folders, making mirroring changes uploaded by others to the server and changes you made locally a breeze.

If you have a suggestions for a great FTP / SFTP application, please let us know! Use the comments below to leave your message.

Related posts:

1. Choosing a Domain Name: Branding, EMD, TLD Debate There is rarely a day that passes that we don’t...
2. How to get a beautiful and powerful WordPress powered website in less than an hour This guide will show you how to get your WordPress...

In a recent Knowledgebase Article (Securing your WordPress Login), I mentioned a few simple steps that can greatly improve the security of your WordPress based website or blog. You can take similar steps to ensure that your webmail access remains secured so prying eyes cannot see your username, password or any of the email you are accessing.

How to fix webmail for secure access

Connecting to webmail securely is really a simple process. Just make sure you’re using the httpS prefix before logging in. For example, with Web Savers, we use https://webmail.websavers.ca rather than http://www.websavers.ca to access our email. Make sure you update your bookmarks!

The warning

You will likely see a security warning, since the certificate we’re using to encrypt the data matches our server name and not your website name. This is OK and nothing to be concerned about – the connection is still secure. Your browser is simply telling you that there’s a mismatch – you can add an exception or choose to accept it anyway and all will be well.

Congratulations, you’ve just secured your webmail connection!

Limitations

Although you’ve just greatly improved the security of your webmail connection, there are a few limitations to this. The first is based on the security warning mentioned above. That warning appears because we’re using a certificate for our entire server when the browser is looking for one that matches your hostname exactly. As an example, with webmail.websavers.ca, the browser wants a certificate that says it’s specifically made for ‘webmail.websavers.ca’, which we are not using.

I am now accustomed to accepting a mismatched certificate because that’s what I’ve been told to do. Let’s now say I go downtown to a local coffee shop and connect to someone’s open network nearby. Let’s pretend this owner of this wireless hotspot is trying to get my username and password. The owner discovers I use https://webmail.websavers.ca regularly by monitoring the traffic, and sets up his own internal redirect (perhaps via DNS) that takes all of my requests for webmail.websavers.ca and forwards them to his own internal dummy webpage that looks exactly like the one at the real webmail.websavers.ca. He does not have a matching SSL certificate, but since I’m used to not having a match anyway, I am likely to accept it! Now that I’m actually communicating with his ‘dummy’ server, he is able to see all my entered passwords and usernames and thus has effectively stolen my info.

How do I fix this?

Even better webmail security

By having your own virtual private server, we can apply an SSL certificate to your entire webmail application that matches your domain name. If I get a dedicated virtual server for just running websavers.ca, then I can install a certificate generated specifically for webmail.websavers.ca. This way whenever I visit the webmail site, I always get a matching certificate. If I’m ever connected to a suspicious wireless hotspot, and I suddenly see a mismatch in certificates, then I know someone is trying to trick me. Problem solved!

Cheaper alternative? Yep!

Whenever you connect, check out the name on the certificate. If it says it’s owned by Web Savers or ServInt (our datacentre providers) then you can be sure you’re connecting to the correct website.

Questions about webmail security? Head on over to our contact page or submit a comment below.

No related posts.

When you upload content via FTP you use your personally selected username and password combination. The username you selected also becomes the owner of the files you upload. Similarly, when you attempt to delete files uploaded through an application like WordPress, since they are not owned by your account, you are unable to delete them. The apache user has control over the files.

Although you could get the root user to change the ownership or permissions of the files to allow your account access, this requires creating a support ticket every time you run into the problem. Rather than fixing the problem reactively, we suggest fixing it proactively; ensure that files uploaded through WordPress are already owned by your personal user account rather than apache.

How do you do this? FastCGI!

Within Plesk under Web Hosting Settings, there is an option to run PHP through FastCGI. By changing this setting from Apache Module to FastCGI, you are changing the user that PHP files are accessed with.

Since all of your PHP files will be executed by your own personal username, all files uploaded through your PHP application will also be owned by your user account. No more apache account in the mix and no more non-deletable files!

One additional benefit is that your files are not owned by the apache user any longer. You might remember that it was beneficial, for security reasons, to have your files not writable by users other than apache, but that only applies when you are forced to upload them under that user account. Since the apache user would be the same for all files uploaded across all websites hosted on the same server, if that account were hacked, then the hacker would have access to all files created by it (if they knew where to look). Now that your files are being uploaded under your personal user account, no other website can affect the security of your own files (assuming permissions are also set appropriately – ie: no ’777′).

If you have any questions about this process or believe some of information provided here could be clearer, please contact us with your suggestions – we would love to hear from you!

Related posts:

1. Setting Up Your Mail Account in Mozilla Thunderbird This guide shows how to configure your mail account in...

How and why do websites get defaced, hacked, or corrupted?

Most sites are compromised by known vulnerabilities in outdated web-based scripts and applications. Simply put, this means if you run outdated versions of popular software such as message boards, blogging software, or content management systems, your website could be at risk. Other ways a website is commonly compromised is due to insecure or stolen passwords and incorrect file permissions.

Why would anyone want to hack my website? I don’t store any personal or financial information on my site so I shouldn’t worry about this right? Many people feel that because they think no one wants to compromise their website they don’t need to worry about its security. Stop it.

Although they may not want any of the information on your site, most of the time your site will be used to spread viruses, spyware, or deceive your visitors into going to sites with them. Most compromised sites we see have malicious code injected into the files in order to do just this.

Here are a few things you can do today to make sure your website is better protected.

Start locally

Make sure your personal computer is secure. If you use an FTP program to upload content to your website, chances are that you have the username and password saved within it. Depending on how that program stores this data it is possible to have that info stolen if your computer has spyware or a virus.

We recommend installing a virus scanner and regularly scanning for spyware along with being more cautious of where you are surfing online.

Update and patch your third-party applications

Most website security issues can be avoided by being proactive with updates and security fixes issued by the authors of your applications.

Many popular applications now have a one-click update that takes less than 30 seconds to perform. It is recommend that you backup your data before upgrading which can usually be done through your Control Panel.

If you stop using an application make sure you remove it. If you’ve switched from WordPress to Joomla for your content management, make sure you remove the WordPress installation as it can be forgotten about and left outdated. Even though you may not be using it, it can still be accessed.

Remember that updates, patches, and new releases are released for a reason. Staying on top of these updates may seem like an inconvenience at the time, but it will save you from a lot of headaches and issues in the long run.

Checking file permissions

Allowing everyone to read, write, and execute files on your website is a huge security issue. In a web-based environment you typically will want a “755″ permission setting, or full access to the file owner, and only read/execute access for everyone else.

Some applications will ask you to set a permission to “777″ or full access to everyone. Make sure you are running the most up-to-date version of this application before installing. Also, you may want to try it with a 755 as some hosting environments will for this.

Secure your login areas

It is best to access the administration area of any application over SSL (https://). This can be done by making sure it is placed in a ssl-based directory.

In addition to this, it is possible to limit the admin directory to only specific IP addresses. This can be done by placing the following information into a .htaccess file:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName AdminAreaAuth
AuthType Basic
order deny,allow
deny from all
# allow home IP address
allow from 99.x.x.x
# allow work IP address
allow from 142.x.x.x
# allow vacation home IP address
allow from 24.x.x.x

For example, if you wanted to secure the admin area of your WordPress installation, you would place this .htaccess file in your /wp-admin/ directory. It will deny all connections that are not made from one of those predefined IP addresses.

—
Hope this helps. Interested in hearing more on a specific topic? Let us know!

No related posts.