Secure FTP On GoDaddy Shared Hosting Accounts

For a long time GoDaddy kept frustrating many of its customers with the lack of an option to securely  access files over FTP on shared hosting accounts. FTP is inherently insecure as it transmits the authentication credentials in plain text.  For anyone taking security of their hosting account even half-seriously, a better option is clearly desirable.

The frustrating wait for better security on GoDaddy is now over (well, sort of). GoDaddy is now offering FTP-SSL access to their shared hosting accounts. This option is however not turned on by default and anyone interested in taking advantage of it must explicitly request it.

The move to enable  FTP-SSL also enables SSH access – another nice-to-have. On the downside though the switch can cause potentially crippling downtime of 24hrs+ for anyone who is running a database-driven site such as an ecommerce site or even a WordPress blog (more on this later).

Now, a world of clarification. The world of FTP security is plagued by an alphabet soup of potentially misleading acronyms that deserves an explanation.  FTP-SSL (which is what GoDaddy offers) is also known as FTP Secure or SFTP. It is an extension to the FTP protocol that provides support for TLS and SSL.

FTP-SSL should not be confused with other popular methods of securing FTP such as SSH File Transfer Protocol  (aka SFTP), as well as Secure FTP. The latter is essentially a mechanism of tunneling FTP over SSH.

Confusingly, Secure FTP and FTP Secure are totally different things. GoDaddy only offers the latter.

For people like me the subtle difference between similarly-sounding acronyms is largely irrelevant.  All I really care for is that there be a way to securely transfer files back and forth using a popular client like FileZilla.

Now, let me tell you why I didn’t make the switch to GoDaddy’s FTP-SSL. Reading the fine print towards the end of the how-to revealed the following:

“it may take 24-72 hours for SSH to be enabled for your account.”

After repeatedly talking to customer support it also became clear that databases (like MySQL) are problematic in the transition process. It turned out that all existing database instances need to be deleted prior to starting the internal move to the secured hosting space!

After the move is complete those databases will need to be re-created from a backup, which isn’t that hard. However the entire migration process can take up to 72 hours during which time the MySQL databases will effectively be non-existent.

In essence, the FTP-SSL transition will cause your database-driven functionality to be down anywhere between 24 and 72 hours! For me, this amount of downtime is clearly unacceptable.

So if you have a database-driven site on GoDaddy, you should probably proceed with extreme caution in your switch to enable SSH and FTP-SSL. In fact, with the excessive downtime quoted it is probably not worth it (moving to a hosting provider who offers painless SSH access may be a better move).

For those just starting out with GoDaddy, requesting the FTP-SSL/SSH switch early on would  probably be a good idea. One day you will be glad that you have it turned on, because once your site starts generating reasonable traffic you will likely balk at the 24-72 hour potential downtime. I sure did!

About these ads

8 comments so far

  1. [...] the original post: Secure FTP On GoDaddy Shared Hosting Accounts « 7thursdays Top 5 Green Web Hosting Companies, Click [...]

  2. francis on

    I just found out that ftp is insecure and realized i have to use a more secure way instead. Then I read about the potential 72 hour downtime which is just nuts. So now I’m stuck with the insecure ftp :(

  3. Michael on

    While ftp’ing a number of files to an account, I googled and found this post.

    Thanks for the information, but like Francis, I am not about to break my site in order to get something they should have offered all along.

  4. Larry Dearing on

    if you’re site is important, you can do this without downtime. DONT BE CHEAP. get a small hosting account, create a mirrored site first, THEN change your DNS. your site will be up on new temp site with no downtime

    Then notify support to start your migration process to ftp secure environment. Once that is complete, you can move your site back to new secure environment and cancel your temporary account.

    Here’s some more info

    http://bit.ly/7vEOdZ

  5. Fronk on

    GoDaddy is by far the worst web host I’ve ever seen. I’m so angry at them – they take my money and then refuse to give it back within the first month when my website was giving timeout errors and causing file download popups for PHP files (security hazard).

    They’re money-stealing bastards is what they are.

  6. Richard on

    I’ve been using GoDaddy for years for domain name and site hosting services and haven’t had any problems with them,
    but I do agree that they should make secure FTP available by default.

    I just did the SSH activation and here’s how it really works:
    TUE 4AM: I started the activation process from the GoDaddy hosting control panel for my site. They use an automated callback to issue a verification PIN number; this call came in about 5 seconds, so I entered the PIN they gave me and was done. My site is still fully functional (mySQL databases and everything)! FTP (unsecure) still works too. However I am locked out of the GoDaddy hosting control panel; instead of the control panel, a message appears saying that that an “account change is pending.” GoDaddy says this can go on for 1 to 72 hours.
    FRI 4AM: Submitted a customer service ticket because nothing happened and their 72 hours ran out.
    FRI 2PM: GoDaddy email: “Due to its complex nature, your issue has been relayed to our Advanced Technical Support Team. Our most skilled technicians will be working to resolve your issue quickly and completely. You will be notified promptly upon resolution.”
    SAT 1PM: Called GoDaddy support, was told to keep waiting for a couple of days and that their “super-nerds” (exact quote, no kidding) would look into it soon.
    SUN 3AM: GoDaddy email: “This is to inform you that in order to prepare your account for an upgrade, the database host name used to connect to database has been changed and that I must update my code within 24 hours to avoid loss of database connectivity”. Ok, right now the old database host names still work; so I cautiously changed the MySQL database host names to the new ones and viola; they work too! Further investigation showed that both the old and new database host names point to the same database data, so no data has been lost (nice!). However, there’s still no secure FTP and I’m still locked out of the GoDaddy hosting control panel for the site.
    MON 3AM: GoDaddy email: “HOSTING ACCOUNT UPDATE…” (basically telling me my site has been moved to a new IP address). Now the GoDaddy hosting control panel is available and my site is still working, PLUS I now am able to do file transfers using SFTP/SSH mode. The last thing to do is change all my site/database passwords because I’d previously been uploading using unsecure FTP.

    The net result: ZERO DOWNTIME, NO DATA LOST.

    I don’t know how they magically updated the DNS servers so fast. It’s possible that more remote DNS servers haven’t updated; I can’t tell from here (I’m based in Arizona and so is GoDaddy). But even if so, they will be updated within 48 hours maximum so my site will be accessible from anywhere.

    I suspect that the process is smoother if you do it earlier in the life of the web site. My site was a fully functional estore with ~10MB of content and 2 MySQL databases, and it was a couple of years old.

  7. Mark in Tallinn on

    the alphabet soup is really confusing. i can confirm – ftps explicit, port 21 – works on godaddy… had to google and try different modes and ports first, as gdaddy did not explain which ftps they had.

  8. 1111 deg on

    Latest Update – You can easily use secure FTP with TLS Encryption on Godaddy Hosting accounts. No settings changes are needed. No downtimes either. Already setup by default. Use a FTP Client and try any of these secure schemes while connecting (FTPES, AUTH TLS, Explicit FTPS). Full article is here – http help godaddy com / article / 4982 ? locale=en


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.