For modern hosting workflows, SFTP should be the default. Legacy FTP is often disabled or blocked because it transmits credentials insecurely unless wrapped with additional controls.
Create a Dedicated File-Access User
Give each developer or deployment process its own account. Shared credentials make auditing impossible and slow down incident response.
- One account per person or automation tool.
- Strong password or SSH-key authentication.
- Immediate revocation when access is no longer needed.
Restrict Directory Scope
Use home-directory restrictions so users only see required project paths. This follows least-privilege principles and reduces accidental edits.
Harden Transfer Workflow
Disable plaintext protocols where possible. Enforce SFTP, verify host fingerprints in client tools, and keep transfer logs enabled.
- Prefer port 22 SFTP with key-based auth.
- Avoid root-level file operations for routine uploads.
- Use versioned deployment paths to simplify rollback.
Operational Checklist
After account creation, run a controlled upload test and confirm file ownership, permissions, and web server readability.
Secure file access is a process decision: separate identities, restricted scope, encrypted transport, and predictable rollback.
Access Governance
SFTP account creation should be tied to the onboarding and offboarding process. A secure setup includes explicit ownership, an expiration policy for temporary access, and periodic account review.
- Use short-lived credentials for contractors and campaign-specific tasks.
- Review inactive accounts monthly and remove unused access.
- Keep deployment automation credentials separate from human logins.
Post-Deployment Integrity Checks
After file transfer, verify checksums for critical files when possible and confirm application behavior in staging or low-traffic windows. This reduces hidden corruption risk and accidental overwrite incidents.
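One way to run the checksum and permission checks described above, as an added example that is not part of the original article. It assumes `sha256sum` and a POSIX `find` on both the build host and the server; the function names and the manifest file are hypothetical.

```sh
#!/bin/sh
# Added example. Assumes sha256sum and POSIX find on both hosts, and file
# names without newlines. Function and manifest names are hypothetical.

# make_manifest DIR: run on the build host before upload; prints
# "<sha256>  ./relative/path" for every file, sorted by path.
make_manifest() {
    (cd "$1" && find . -type f -exec sha256sum {} + | sort -k2)
}

# verify_release DIR MANIFEST: run against the uploaded tree.
# Prints one line per problem and returns 1 if any was found.
verify_release() {
    dir=$1 manifest=$2
    report=$(
        # Every manifest entry must exist and match its recorded hash.
        while read -r sum path; do
            if [ ! -f "$dir/$path" ]; then
                echo "MISSING $path"
                continue
            fi
            actual=$(sha256sum "$dir/$path" | cut -d' ' -f1)
            [ "$actual" = "$sum" ] || echo "CHANGED $path"
        done < "$manifest"
        # Files on the server that the build never shipped.
        (cd "$dir" && find . -type f) | sort | while IFS= read -r path; do
            cut -c67- "$manifest" | grep -qxF -- "$path" || echo "EXTRA $path"
        done
        # World-writable files let any local account alter the site.
        (cd "$dir" && find . -type f -perm -0002) | sort | sed 's/^/WRITABLE /'
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Keep the manifest outside the uploaded directory; a copy inside it would be reported as EXTRA.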
2026 update: create a separate SFTP account for each developer or integration, lock each account to a single target directory, and disable inactive accounts routinely. Segmentation improves traceability and reduces attack surface.