The Espionage

 As I mentioned in my previous post (Securing Your Web Hosting Account) the File Transfer Protocol (FTP) is not secure by itself.  FTP usernames and passwords are transmitted in clear text.  That means that your FTP username and password can be monitored and stolen over the internet.  There are some exceptions.  If you are underneath a virtual private network (VPN) then your credentials are encrypted by the VPN.  Regardless, it is a good idea to use Secure FTP (SFTP) to upload and download your files when possible.  In this post I’m going to show you how to set up WinSCP securely.

It must be noted that not all web hosts offer secure ftp capabilities.  Your web hosting account must enable SSH access.  Three web hosts that provide SSH access are Midphase, Host Monster and Host Gator.

WinSCP

WinSCP is an outstanding SFTP Client (for windows) that can be downloaded for free at http://www.winscp.com/.  Download WinSCP and then launch the application.  You will see a button labeled “New” when you launch WinSCP.  Click on that button to set up a new secure ftp connection.  Here is a screenshot of the new connection screen:

A typical host name is something like ftp.yourwebsite.com. If your ip is dedicated to your domain name then you can simply enter the ip address as the host name.  The most important selections in this screenshot are the port and the protocol.   The port should be set to 22 and the protocol should be set to SFTP.  Save the connection.  Select the connection and attempt to login.  WinSCP will ask you to generate a key the first time you login.  If you are successful you will authenticate and see the files on your web server appear.  You can now drag and drop files from your computer to the web server (and vice versa) securely!

Notepad++

WinSCP will help you upload and download your files securely.  But what about editing those files?  There is a free editor for windows that can make writing your scripts much easier.  You can download it at http://notepad-plus.sourceforge.net/uk/about.php.  Notepad++ has a plethora of options that normal Notepad does not support such as syntax highlighting, auto completion, and more.

WinSCP and Notepad++ 

You can use Notepad++ in collaboration with WinSCP.  This way when you edit files in Notepad++ they will save out to your web server securely via the WinSCP application.  I will show you how to set this up.

Launch WinSCP.  On the left you will see a link to “Preferences”.  Click on it.  In the middle of the screen you will see a button labeled “Preferences”.  Click on it.  On the left you will see a link to “Editors”.  Click on it.  Find the button that says “Add”.  Click on it.  Choose the “External Editor” radio button and then browse for the Notepad++ executable file.  Save and exit.

Now whenever you launch WinSCP you can right-click on files on your web server and choose “Edit”.  The file will launch in Notepad++ automatically.  When you save your changes, WinSCP will update the file on your web server securely.  Try it!

Share It!

When we first get acquainted with web hosting we have plenty of questions.  Many years ago I remember being on the phone asking web hosting tech support how do I edit the files for my website.  I certainly didn’t have the slightest idea how to edit the files securely.  So I thought maybe I would cover this topic in more detail.  It can be confusing and some web hosts aren’t quick to shed light on the subject.

Whenever you sign up for a hosting package your web host will likely provide you with a control panel environment to modify files and settings.  I recommend looking for web hosting that supports cpanel instead of their own custom control panel.  Why?  A lot of web hosting providers support cpanel, so if you are not satisfied with your web hosting you can migrate everything over to another web host easily.

Lets explore the security of the control panel first.   Once you have a web hosting account running cpanel you can access the control panel in the web browser with something like this  “http://www.orangewidgets.com:2082/”.  That will bring up the control panel login screen.  Unfortunately this is not the secure version.  Instead lets try “https://www.orangewidgets.com:2083/”.  That is the secure version (notice the https).  Much better.  Most web hosts don’t really explain this too well.  If your not using the secure version someone else can steal your username and password and hijack your account.  Maybe they should tell you that!

Lets move on to actually editing the files on your website.  You can edit your files in the control panel environment.  It can be done securely (as long as you see the https on the edit page in your browser its secure).  Unfortunately this gets old in a hurry.  All of your code is in black and white.  Its hard to read.  Sometimes you will submit a change but the website will freeze.  Its just not an ideal solution.  There is a better way.  Its called FTP (file transfer protocol).

We aren’t out of the woods yet with just FTP.  FTP is not secure by itself!  Once again that means someone can monitor your website and hijack your username and password.  How to escape this nightmare?  We need to take it one step further.  We need Secure FTP (SFTP).  Secure FTP will encrypt your username and password and all files transmitted.  Perfect.  So how do we set this up?  Well, your going to need a web hosting account that allows secure shell access (ssh access).  It is not provided in many basic web hosting packages.  Fortunately Midphase provides ssh access in their unlimited web hosting package.  You may want to consider Host Monster or Host Gator as well.  They use cpanel and they feature ssh access at low cost (but I have not used either of these two web hosts just yet).  In our SFTP Tutorial I’ll explain how to download a free SFTP client and set it up properly with your web hosting account.  Then we will set up a free text editor that will work with the secure ftp client to make your life easy breezy.

Share It!