Secure FTP On GoDaddy Shared Hosting Accounts
For a long time GoDaddy kept frustrating many of its customers with the lack of an option to securely access files over FTP on shared hosting accounts. FTP is inherently insecure as it transmits the authentication credentials in plain text. For anyone taking security of their hosting account even half-seriously, a better option is clearly desirable.
The frustrating wait for better security on GoDaddy is now over (well, sort of). GoDaddy is now offering FTP-SSL access to their shared hosting accounts. This option is however not turned on by default and anyone interested in taking advantage of it must explicitly request it.
The move to enable FTP-SSL also enables SSH access – another nice-to-have. On the downside though the switch can cause potentially crippling downtime of 24hrs+ for anyone who is running a database-driven site such as an ecommerce site or even a WordPress blog (more on this later).
Now, a world of clarification. The world of FTP security is plagued by an alphabet soup of potentially misleading acronyms that deserves an explanation. FTP-SSL (which is what GoDaddy offers) is also known as FTP Secure or SFTP. It is an extension to the FTP protocol that provides support for TLS and SSL.
FTP-SSL should not be confused with other popular methods of securing FTP such as SSH File Transfer Protocol (aka SFTP), as well as Secure FTP. The latter is essentially a mechanism of tunneling FTP over SSH.
Confusingly, Secure FTP and FTP Secure are totally different things. GoDaddy only offers the latter.
For people like me the subtle difference between similarly-sounding acronyms is largely irrelevant. All I really care for is that there be a way to securely transfer files back and forth using a popular client like FileZilla.
Now, let me tell you why I didn’t make the switch to GoDaddy’s FTP-SSL. Reading the fine print towards the end of the how-to revealed the following:
“it may take 24-72 hours for SSH to be enabled for your account.”
After repeatedly talking to customer support it also became clear that databases (like MySQL) are problematic in the transition process. It turned out that all existing database instances need to be deleted prior to starting the internal move to the secured hosting space!
After the move is complete those databases will need to be re-created from a backup, which isn’t that hard. However the entire migration process can take up to 72 hours during which time the MySQL databases will effectively be non-existent.
In essence, the FTP-SSL transition will cause your database-driven functionality to be down anywhere between 24 and 72 hours! For me, this amount of downtime is clearly unacceptable.
So if you have a database-driven site on GoDaddy, you should probably proceed with extreme caution in your switch to enable SSH and FTP-SSL. In fact, with the excessive downtime quoted it is probably not worth it (moving to a hosting provider who offers painless SSH access may be a better move).
For those just starting out with GoDaddy, requesting the FTP-SSL/SSH switch early on would probably be a good idea. One day you will be glad that you have it turned on, because once your site starts generating reasonable traffic you will likely balk at the 24-72 hour potential downtime. I sure did!