{"id":3113,"date":"2025-12-07T16:45:23","date_gmt":"2025-12-07T13:45:23","guid":{"rendered":"https:\/\/www.dchost.com\/blog\/from-ftp-to-sftp-secure-file-transfer-on-shared-hosting-and-vps\/"},"modified":"2025-12-07T16:45:23","modified_gmt":"2025-12-07T13:45:23","slug":"from-ftp-to-sftp-secure-file-transfer-on-shared-hosting-and-vps","status":"publish","type":"post","link":"https:\/\/www.dchost.com\/blog\/en\/from-ftp-to-sftp-secure-file-transfer-on-shared-hosting-and-vps\/","title":{"rendered":"From FTP to SFTP: Secure File Transfer on Shared Hosting and VPS"},"content":{"rendered":"<div class=\"dchost-blog-content-wrapper\"><p>Most website owners still use plain FTP because \u201cthat\u2019s what the designer set up years ago\u201d. It works, it feels familiar, and most hosting control panels still show an FTP section. But in 2025, transferring your site files with unencrypted FTP is like logging in to online banking over HTTP: the data moves, but anyone on the path can read or even alter it. Passwords, configuration files, and customer data are all exposed in clear text. If you care about security, compliance, or simply not getting hacked, switching to SFTP or FTPS is no longer optional \u2013 it\u2019s a must.<\/p>\n<p>In this guide, we\u2019ll walk through how secure file transfer really works on both shared hosting and <a href=\"https:\/\/www.dchost.com\/vps\">VPS<\/a>: what SFTP and FTPS are, how they differ, how SSH keys fit into the picture, and what you can realistically do on a basic cPanel account versus a full VPS. 
The goal is simple: by the end, you\u2019ll know which protocol to use, how to configure your client, and which hosting setup makes sense for your projects \u2013 all with practical, real\u2011world examples from the dchost.com team.<\/p>\n<div id=\"toc_container\" class=\"toc_transparent no_bullets\"><p class=\"toc_title\">Contents<\/p><ul class=\"toc_list\"><li><a href=\"#Why_Traditional_FTP_Is_No_Longer_Acceptable\"><span class=\"toc_number toc_depth_1\">1<\/span> Why Traditional FTP Is No Longer Acceptable<\/a><\/li><li><a href=\"#SFTP_vs_FTPS_vs_SCP_Understanding_Your_Options\"><span class=\"toc_number toc_depth_1\">2<\/span> SFTP vs FTPS vs SCP: Understanding Your Options<\/a><ul><li><a href=\"#What_Is_SFTP\"><span class=\"toc_number toc_depth_2\">2.1<\/span> What Is SFTP?<\/a><\/li><li><a href=\"#What_Is_FTPS\"><span class=\"toc_number toc_depth_2\">2.2<\/span> What Is FTPS?<\/a><\/li><li><a href=\"#Where_Do_SCP_and_rsync_Fit\"><span class=\"toc_number toc_depth_2\">2.3<\/span> Where Do SCP and rsync Fit?<\/a><\/li><\/ul><\/li><li><a href=\"#Secure_File_Transfer_on_Shared_Hosting\"><span class=\"toc_number toc_depth_1\">3<\/span> Secure File Transfer on Shared Hosting<\/a><ul><li><a href=\"#What_You_Can_Usually_Do_on_Shared_Hosting\"><span class=\"toc_number toc_depth_2\">3.1<\/span> What You Can Usually Do on Shared Hosting<\/a><\/li><li><a href=\"#Switching_an_Existing_Site_from_FTP_to_SFTP_or_FTPS\"><span class=\"toc_number toc_depth_2\">3.2<\/span> Switching an Existing Site from FTP to SFTP or FTPS<\/a><\/li><li><a href=\"#Extra_Hardening_Steps_on_Shared_Hosting\"><span class=\"toc_number toc_depth_2\">3.3<\/span> Extra Hardening Steps on Shared Hosting<\/a><\/li><\/ul><\/li><li><a href=\"#Secure_File_Transfer_on_a_VPS_SSH_Keys_and_Real_Control\"><span class=\"toc_number toc_depth_1\">4<\/span> Secure File Transfer on a VPS: SSH Keys and Real Control<\/a><ul><li><a href=\"#How_SSH_Keys_Work_In_Simple_Terms\"><span class=\"toc_number 
toc_depth_2\">4.1<\/span> How SSH Keys Work (In Simple Terms)<\/a><\/li><li><a href=\"#Generating_SSH_Keys_on_Your_Computer\"><span class=\"toc_number toc_depth_2\">4.2<\/span> Generating SSH Keys on Your Computer<\/a><ul><li><a href=\"#On_Linux_and_macOS\"><span class=\"toc_number toc_depth_3\">4.2.1<\/span> On Linux and macOS<\/a><\/li><li><a href=\"#On_Windows_OpenSSH_or_PuTTY\"><span class=\"toc_number toc_depth_3\">4.2.2<\/span> On Windows (OpenSSH or PuTTY)<\/a><\/li><\/ul><\/li><li><a href=\"#Configuring_SFTP_SSH_Keys_on_a_VPS\"><span class=\"toc_number toc_depth_2\">4.3<\/span> Configuring SFTP + SSH Keys on a VPS<\/a><\/li><\/ul><\/li><li><a href=\"#Practical_SFTPFTPS_Client_Configurations\"><span class=\"toc_number toc_depth_1\">5<\/span> Practical SFTP\/FTPS Client Configurations<\/a><ul><li><a href=\"#Configuring_FileZilla_for_SFTP_VPS_or_Shared_Hosting_with_SSH\"><span class=\"toc_number toc_depth_2\">5.1<\/span> Configuring FileZilla for SFTP (VPS or Shared Hosting with SSH)<\/a><\/li><li><a href=\"#Configuring_FileZilla_for_FTPS_Shared_Hosting\"><span class=\"toc_number toc_depth_2\">5.2<\/span> Configuring FileZilla for FTPS (Shared Hosting)<\/a><\/li><li><a href=\"#Automating_Transfers_with_SFTP_on_a_VPS\"><span class=\"toc_number toc_depth_2\">5.3<\/span> Automating Transfers with SFTP on a VPS<\/a><\/li><\/ul><\/li><li><a href=\"#Security_Best_Practices_for_File_Transfers\"><span class=\"toc_number toc_depth_1\">6<\/span> Security Best Practices for File Transfers<\/a><ul><li><a href=\"#1_Prefer_SFTP_Over_FTPS_When_You_Can\"><span class=\"toc_number toc_depth_2\">6.1<\/span> 1. Prefer SFTP Over FTPS When You Can<\/a><\/li><li><a href=\"#2_Keep_Your_TLS_and_SSH_Stacks_Updated\"><span class=\"toc_number toc_depth_2\">6.2<\/span> 2. Keep Your TLS and SSH Stacks Updated<\/a><\/li><li><a href=\"#3_Segment_Access_Per_Person_and_Per_Project\"><span class=\"toc_number toc_depth_2\">6.3<\/span> 3. 
Segment Access Per Person and Per Project<\/a><\/li><li><a href=\"#4_Protect_the_Entry_Points_Panels_and_SSH\"><span class=\"toc_number toc_depth_2\">6.4<\/span> 4. Protect the Entry Points: Panels and SSH<\/a><\/li><li><a href=\"#5_Always_Assume_Youll_Need_to_Restore\"><span class=\"toc_number toc_depth_2\">6.5<\/span> 5. Always Assume You\u2019ll Need to Restore<\/a><\/li><\/ul><\/li><li><a href=\"#Shared_Hosting_or_VPS_Which_Makes_Sense_for_Secure_File_Transfer\"><span class=\"toc_number toc_depth_1\">7<\/span> Shared Hosting or VPS: Which Makes Sense for Secure File Transfer?<\/a><ul><li><a href=\"#When_Shared_Hosting_Is_Enough\"><span class=\"toc_number toc_depth_2\">7.1<\/span> When Shared Hosting Is Enough<\/a><\/li><li><a href=\"#When_a_VPS_Is_the_Better_Fit\"><span class=\"toc_number toc_depth_2\">7.2<\/span> When a VPS Is the Better Fit<\/a><\/li><\/ul><\/li><li><a href=\"#Bringing_It_All_Together_and_What_We_Do_at_dchostcom\"><span class=\"toc_number toc_depth_1\">8<\/span> Bringing It All Together (and What We Do at dchost.com)<\/a><\/li><\/ul><\/div>\n<h2><span id=\"Why_Traditional_FTP_Is_No_Longer_Acceptable\">Why Traditional FTP Is No Longer Acceptable<\/span><\/h2>\n<p>FTP (File Transfer Protocol) is one of the oldest protocols on the internet. It was great in an era where networks were trusted and encryption was rare. Today it has three major problems:<\/p>\n<ul>\n<li><strong>No encryption:<\/strong> Usernames, passwords, commands and file contents travel in plain text. Anyone on the same Wi\u2011Fi, in the same office network, or on a compromised router can sniff them.<\/li>\n<li><strong>Weak authentication:<\/strong> Typically just a username + password that\u2019s reused in other places. 
Once stolen, attackers can log in at will.<\/li>\n<li><strong>Messy firewall behaviour:<\/strong> FTP uses separate control and data channels, active\/passive modes and wide port ranges, which makes it harder to protect with firewalls and IDS\/IPS rules.<\/li>\n<\/ul>\n<p>On <strong>shared hosting<\/strong>, FTP is even riskier because multiple customers share the same server. A single compromised customer PC using an infected FTP client can leak all their credentials to an attacker who then scripts mass logins and malware uploads across dozens of sites on the same platform.<\/p>\n<p>On a <strong>VPS<\/strong>, plain FTP introduces an extra service to harden and maintain, and it opens ports you do not really need. Since you already have SSH, it\u2019s almost always better to rely on SFTP instead of running a separate FTP server at all.<\/p>\n<p>In short: plain FTP should be considered deprecated. If your workflow still depends on it, plan a migration now rather than after an incident.<\/p>\n<h2><span id=\"SFTP_vs_FTPS_vs_SCP_Understanding_Your_Options\">SFTP vs FTPS vs SCP: Understanding Your Options<\/span><\/h2>\n<p>When people say \u201csecure FTP\u201d, they usually mean one of two very different protocols:<\/p>\n<ul>\n<li><strong>SFTP<\/strong> \u2013 SSH File Transfer Protocol (often mistakenly called \u201cSecure FTP\u201d).<\/li>\n<li><strong>FTPS<\/strong> \u2013 FTP over SSL\/TLS, which is the original FTP protocol wrapped in encryption.<\/li>\n<\/ul>\n<p>There are also other tools like SCP and rsync that build on SSH. Let\u2019s break them down so you can choose the right one.<\/p>\n<h3><span id=\"What_Is_SFTP\">What Is SFTP?<\/span><\/h3>\n<p><strong>SFTP (SSH File Transfer Protocol)<\/strong> is a file transfer protocol that runs over SSH. 
That means:<\/p>\n<ul>\n<li><strong>Single port:<\/strong> It uses the same port as SSH, typically 22, which is easy to protect with a firewall.<\/li>\n<li><strong>Strong encryption:<\/strong> It relies on SSH\u2019s modern ciphers and key exchange algorithms.<\/li>\n<li><strong>Key\u2011based authentication:<\/strong> You can log in with SSH keys instead of passwords (we\u2019ll cover this in detail shortly).<\/li>\n<li><strong>File operations built\u2011in:<\/strong> It supports operations like chmod, chown, symlink, resume uploads, directory listings with metadata, etc.<\/li>\n<\/ul>\n<p>SFTP is not FTP with encryption; it\u2019s a different protocol entirely. You need an SSH\/SFTP server on the hosting side and an SFTP\u2011capable client (FileZilla, WinSCP, Cyberduck, etc.) on your computer.<\/p>\n<p>On a VPS, SFTP is usually available as soon as SSH is active. On shared hosting, SFTP may be offered as \u201cSSH access\u201d, \u201cSFTP access\u201d or \u201cSecure FTP\u201d; check your provider\u2019s documentation. At dchost.com, our focus is on SSH\u2011based access methods like SFTP because they align with modern security expectations.<\/p>\n<h3><span id=\"What_Is_FTPS\">What Is FTPS?<\/span><\/h3>\n<p><strong>FTPS (FTP over SSL\/TLS)<\/strong> is the traditional FTP protocol running inside an encrypted TLS tunnel, similar to HTTPS for the web. There are two variants:<\/p>\n<ul>\n<li><strong>Explicit FTPS:<\/strong> Client connects to the normal FTP port (21) and then upgrades to TLS with an AUTH TLS command. This is the most commonly supported mode on hosting platforms.<\/li>\n<li><strong>Implicit FTPS:<\/strong> Client connects to a dedicated FTPS port (often 990) and encryption is enforced from the start. Less common on modern platforms.<\/li>\n<\/ul>\n<p>FTPS gives you <strong>encryption of credentials and data<\/strong>, which is already a huge step up from plain FTP. 
However, it still inherits FTP\u2019s complexity with multiple ports and passive\/active mode, which can complicate firewalls and NAT.<\/p>\n<p>Because FTPS relies on SSL\/TLS, you also need to keep an eye on protocol and cipher deprecations, very similar to HTTPS. If you want to go deeper into this topic, you can <a href=\"https:\/\/www.dchost.com\/blog\/en\/ssl-tls-protokol-guncellemeleri-modern-https-icin-net-yol-haritasi\/\">learn how to stay on top of SSL\/TLS protocol updates on your servers<\/a>.<\/p>\n<h3><span id=\"Where_Do_SCP_and_rsync_Fit\">Where Do SCP and rsync Fit?<\/span><\/h3>\n<p><strong>SCP (Secure Copy)<\/strong> is a simple, SSH\u2011based command\u2011line tool to copy files between hosts. It\u2019s great for quick one\u2011off transfers but lacks advanced features like resume or directory synchronization.<\/p>\n<p><strong>rsync<\/strong> is another SSH\u2011friendly tool that syncs directories efficiently by sending only changed blocks. Many teams use rsync over SSH (or SFTP) for automated deployments and backups.<\/p>\n<p>For most website owners and small teams, the practical choices are:<\/p>\n<ul>\n<li><strong>SFTP<\/strong> for daily interactive work using GUI clients.<\/li>\n<li><strong>FTPS<\/strong> when SFTP is not available on shared hosting, but TLS is.<\/li>\n<li><strong>SCP\/rsync over SSH<\/strong> for VPS users and DevOps workflows.<\/li>\n<\/ul>\n<h2><span id=\"Secure_File_Transfer_on_Shared_Hosting\">Secure File Transfer on Shared Hosting<\/span><\/h2>\n<p>Shared hosting is where most people encounter FTP for the first time. You typically have a control panel like cPanel or DirectAdmin, and you\u2019re given an FTP username, password, and hostname.<\/p>\n<p>Security\u2011wise, you\u2019re constrained by what your hosting provider enables. 
You usually cannot change the SSH configuration or system\u2011level services, but you can still make much safer choices inside those limits.<\/p>\n<h3><span id=\"What_You_Can_Usually_Do_on_Shared_Hosting\">What You Can Usually Do on Shared Hosting<\/span><\/h3>\n<p>On a modern shared hosting platform, you will typically have one or more of these options:<\/p>\n<ul>\n<li><strong>Plain FTP<\/strong> \u2013 almost always available, but should be avoided.<\/li>\n<li><strong>FTPS (explicit TLS on port 21)<\/strong> \u2013 increasingly supported and often enabled by default.<\/li>\n<li><strong>SFTP via SSH<\/strong> \u2013 available if the provider offers SSH access; sometimes limited to higher\u2011tier plans or upon request.<\/li>\n<\/ul>\n<p>Here\u2019s how to prioritize them:<\/p>\n<ol>\n<li><strong>Use SFTP whenever possible.<\/strong> It gives you strong encryption and the ability to move to SSH keys later.<\/li>\n<li><strong>If SFTP is not available, use FTPS (explicit TLS).<\/strong> Make sure your FTP client is configured to \u201crequire explicit FTP over TLS\u201d.<\/li>\n<li><strong>Disable plain FTP logins if the panel allows it.<\/strong> Some control panels let you enforce TLS for all FTP users.<\/li>\n<\/ol>\n<p>If you\u2019re running WordPress or another CMS, file transfer security is only one layer of your overall protection. For a broader view, you can <a href=\"https:\/\/www.dchost.com\/blog\/en\/paylasimli-hostingde-wordpress-guvenligi-eklentiler-waf-2fa-ve-yedekler\/\">review our WordPress security checklist for shared hosting<\/a>, which covers plugins, WAF, 2FA and backups from a hosting perspective.<\/p>\n<h3><span id=\"Switching_an_Existing_Site_from_FTP_to_SFTP_or_FTPS\">Switching an Existing Site from FTP to SFTP or FTPS<\/span><\/h3>\n<p>The biggest barrier for most people is not technology; it\u2019s habit and misconfigured clients. 
The good news: switching from FTP to SFTP\/FTPS is mostly about changing settings in your client, not your code.<\/p>\n<p>Here\u2019s a typical migration flow using FileZilla as an example (the same logic applies to WinSCP, Cyberduck and others):<\/p>\n<ol>\n<li><strong>Check what your hosting account supports.<\/strong> In your control panel or welcome email, look for notes about \u201cSFTP\u201d, \u201cSSH access\u201d or \u201cFTP over TLS\u201d. If unsure, ask support.<\/li>\n<li><strong>Create or confirm your FTP\/SFTP user.<\/strong> On shared hosting, you usually have a primary account plus optional extra FTP users for specific directories.<\/li>\n<li><strong>Update your client protocol:<\/strong>\n<ul>\n<li>If SFTP is available, set protocol to \u201cSFTP \u2013 SSH File Transfer Protocol\u201d, host to your domain or server hostname, and port to 22 (unless your provider uses a custom port).<\/li>\n<li>If only FTPS is available, set protocol to \u201cFTP \u2013 File Transfer Protocol\u201d, encryption to \u201cRequire explicit FTP over TLS\u201d, and port to 21.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Test listing and transferring a small file.<\/strong> Confirm you can upload and download without errors.<\/li>\n<li><strong>Remove or disable plain FTP entries.<\/strong> Delete saved connections that use unencrypted FTP so you don\u2019t accidentally fall back to them later.<\/li>\n<\/ol>\n<p>Once you\u2019ve confirmed SFTP or FTPS works, you can keep using your normal workflow \u2013 just with a secure tunnel underneath.<\/p>\n<h3><span id=\"Extra_Hardening_Steps_on_Shared_Hosting\">Extra Hardening Steps on Shared Hosting<\/span><\/h3>\n<p>Even though you cannot tune the server itself, you can still make good choices:<\/p>\n<ul>\n<li><strong>Create separate FTP\/SFTP users per project.<\/strong> Do not give one user access to all sites, especially if you share credentials with freelancers.<\/li>\n<li><strong>Limit each user to the minimum directory 
needed.<\/strong> Control panels usually let you restrict users to a specific folder.<\/li>\n<li><strong>Use long, unique passwords<\/strong> and a password manager. Never reuse hosting passwords elsewhere.<\/li>\n<li><strong>Use 2FA on your control panel.<\/strong> Many compromises start with stolen panel logins, not just FTP.<\/li>\n<li><strong>Keep regular backups.<\/strong> Even with secure transfer, malware can still arrive via compromised plugins or themes. A realistic backup plan saved many teams we\u2019ve worked with. You can <a href=\"https:\/\/www.dchost.com\/blog\/en\/yedekleme-stratejisi-nasil-planlanir-blog-e-ticaret-ve-saas-siteleri-icin-rpo-rto-rehberi\/\">learn how to design a backup strategy with clear RPO\/RTO targets<\/a> for your sites.<\/li>\n<\/ul>\n<h2><span id=\"Secure_File_Transfer_on_a_VPS_SSH_Keys_and_Real_Control\">Secure File Transfer on a VPS: SSH Keys and Real Control<\/span><\/h2>\n<p>On a VPS, you are no longer limited to whatever your hosting provider decides. You control the OS, services, users and firewall. That also means more responsibility \u2013 but also more power to do things properly.<\/p>\n<p>For secure file transfer on a VPS, the modern baseline is:<\/p>\n<ul>\n<li><strong>SFTP over SSH only<\/strong> (no plain FTP daemon running at all).<\/li>\n<li><strong>Key\u2011based SSH authentication<\/strong> instead of passwords.<\/li>\n<li><strong>Firewall rules<\/strong> allowing only necessary ports (22 for SSH\/SFTP, 80\/443 for web, etc.).<\/li>\n<\/ul>\n<p>If you\u2019d like a wider view of all the things you should harden on a new server, you can read our guide on <a href=\"https:\/\/www.dchost.com\/blog\/en\/vps-sunucu-guvenligi-nasil-saglanir-kapiyi-acik-birakmadan-yasamanin-sirri\/\">how to secure a VPS server without leaving any doors open<\/a>. 
Here we\u2019ll focus on the SSH and file\u2011transfer side.<\/p>\n<h3><span id=\"How_SSH_Keys_Work_In_Simple_Terms\">How SSH Keys Work (In Simple Terms)<\/span><\/h3>\n<p>SSH keys replace your password with a <strong>cryptographic key pair<\/strong>:<\/p>\n<ul>\n<li>You generate a <strong>private key<\/strong> and a matching <strong>public key<\/strong> on your own computer.<\/li>\n<li>You keep the private key secret on your machine (optionally protected with a passphrase).<\/li>\n<li>You upload the public key to the server, into <code>~\/.ssh\/authorized_keys<\/code> for a specific user.<\/li>\n<\/ul>\n<p>When you connect via SFTP\/SSH:<\/p>\n<ul>\n<li>The server checks if it has your public key.<\/li>\n<li>It sends a challenge that can only be answered correctly by someone who holds the matching private key.<\/li>\n<li>If the answer is valid, you\u2019re logged in \u2013 without ever sending your password across the network.<\/li>\n<\/ul>\n<p>This has two major advantages:<\/p>\n<ul>\n<li><strong>No password to steal over the network.<\/strong> Even if someone sniffs the traffic, there is no reusable secret.<\/li>\n<li><strong>Protection against brute\u2011force attacks.<\/strong> SSH keys are practically impossible to guess with today\u2019s computing power, if you use decent key lengths.<\/li>\n<\/ul>\n<p>For an even deeper dive into SSH hardening (FIDO2 keys, SSH CA, key rotation), we\u2019ve written a separate playbook: <a href=\"https:\/\/www.dchost.com\/blog\/en\/vpste-ssh-guvenligi-nasil-saglamlasir-fido2-anahtarlari-ssh-ca-ve-rotasyonun-sicacik-yolculugu\/\">VPS SSH hardening without the drama<\/a>.<\/p>\n<h3><span id=\"Generating_SSH_Keys_on_Your_Computer\">Generating SSH Keys on Your Computer<\/span><\/h3>\n<p>Here\u2019s the high\u2011level process on common platforms. 
You do not need to memorize every flag; the important part is understanding the flow.<\/p>\n<h4><span id=\"On_Linux_and_macOS\">On Linux and macOS<\/span><\/h4>\n<ol>\n<li>Open a terminal.<\/li>\n<li>Run something like:<br \/><code>ssh-keygen -t ed25519 -C \"your-email@example.com\"<\/code><\/li>\n<li>Accept the default file location (usually <code>~\/.ssh\/id_ed25519<\/code>) and set a strong passphrase.<\/li>\n<li>This creates two files:\n<ul>\n<li><code>id_ed25519<\/code> (private key \u2013 keep it secret)<\/li>\n<li><code>id_ed25519.pub<\/code> (public key \u2013 safe to upload to servers)<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<h4><span id=\"On_Windows_OpenSSH_or_PuTTY\">On Windows (OpenSSH or PuTTY)<\/span><\/h4>\n<ul>\n<li><strong>Windows 10\/11 with OpenSSH:<\/strong> You can use the same <code>ssh-keygen<\/code> command in PowerShell as on Linux\/macOS.<\/li>\n<li><strong>Using PuTTY:<\/strong> Use PuTTYgen to generate a new key pair, save the private key (.ppk) and copy the public key text from the PuTTYgen window.<\/li>\n<\/ul>\n<p>Once you have your keys, you\u2019re ready to install the public key on your VPS.<\/p>\n<h3><span id=\"Configuring_SFTP_SSH_Keys_on_a_VPS\">Configuring SFTP + SSH Keys on a VPS<\/span><\/h3>\n<p>The exact commands differ between distributions (Ubuntu, Debian, AlmaLinux, Rocky Linux, etc.), but the structure is similar:<\/p>\n<ol>\n<li><strong>Create a user for SFTP\/SSH access.<\/strong><br \/>On Linux, something like:<br \/><code>sudo adduser deploy<\/code><\/li>\n<li><strong>Create the <code>.ssh<\/code> directory and set permissions.<\/strong><br \/><code>sudo mkdir \/home\/deploy\/.ssh<br \/>sudo chmod 700 \/home\/deploy\/.ssh<br \/>sudo chown deploy:deploy \/home\/deploy\/.ssh<\/code><\/li>\n<li><strong>Install the user\u2019s public key.<\/strong><br \/>Copy the content of your <code>id_ed25519.pub<\/code> (or equivalent) and paste it into:<br \/><code>\/home\/deploy\/.ssh\/authorized_keys<\/code><br \/>Then:<br \/><code>sudo 
chmod 600 \/home\/deploy\/.ssh\/authorized_keys<br \/>sudo chown deploy:deploy \/home\/deploy\/.ssh\/authorized_keys<\/code><\/li>\n<li><strong>Test SSH\/SFTP login with the key.<\/strong><br \/>From your computer:<br \/><code>ssh deploy@your-vps-ip<\/code> or configure SFTP in your client using the key file.<\/li>\n<li><strong>Optionally restrict the user to SFTP only.<\/strong><br \/>If this user should not have a full shell, you can configure <code>sshd_config<\/code> with a <code>Match User<\/code> block and <code>ForceCommand internal-sftp<\/code>, plus a <code>ChrootDirectory<\/code>. This keeps the user confined to a specific directory tree.<\/li>\n<li><strong>Once keys work reliably, disable password logins.<\/strong><br \/>In <code>\/etc\/ssh\/sshd_config<\/code>, set:<br \/><code>PasswordAuthentication no<\/code><br \/>Then reload SSH. This step dramatically reduces the risk of brute\u2011force password attacks.<\/li>\n<\/ol>\n<p>Because these changes affect critical access, always make them via a second terminal session and test before closing your original shell.<\/p>\n<h2><span id=\"Practical_SFTPFTPS_Client_Configurations\">Practical SFTP\/FTPS Client Configurations<\/span><\/h2>\n<p>Let\u2019s map this to a few concrete tools.<\/p>\n<h3><span id=\"Configuring_FileZilla_for_SFTP_VPS_or_Shared_Hosting_with_SSH\">Configuring FileZilla for SFTP (VPS or Shared Hosting with SSH)<\/span><\/h3>\n<ol>\n<li>Open FileZilla\u2019s <strong>Site Manager<\/strong>.<\/li>\n<li>Click <strong>New Site<\/strong> and give it a name (e.g. 
\u201cMySite SFTP\u201d).<\/li>\n<li>Set <strong>Protocol<\/strong> to \u201cSFTP \u2013 SSH File Transfer Protocol\u201d.<\/li>\n<li>Set <strong>Host<\/strong> to your domain or server IP, <strong>Port<\/strong> to 22.<\/li>\n<li>Set <strong>Logon Type<\/strong> to:\n<ul>\n<li>\u201cNormal\u201d if you still use a password (not ideal for VPS but sometimes necessary on shared hosting).<\/li>\n<li>\u201cKey file\u201d if you use SSH keys; then browse to your private key file.<\/li>\n<\/ul>\n<\/li>\n<li>Enter your SSH\/SFTP username.<\/li>\n<li>Click <strong>Connect<\/strong> and accept the server\u2019s host key if prompted (verify it if your provider gives you the fingerprint).<\/li>\n<\/ol>\n<h3><span id=\"Configuring_FileZilla_for_FTPS_Shared_Hosting\">Configuring FileZilla for FTPS (Shared Hosting)<\/span><\/h3>\n<ol>\n<li>In <strong>Site Manager<\/strong>, click <strong>New Site<\/strong>.<\/li>\n<li>Set <strong>Protocol<\/strong> to \u201cFTP \u2013 File Transfer Protocol\u201d.<\/li>\n<li>Set <strong>Encryption<\/strong> to \u201cRequire explicit FTP over TLS\u201d.<\/li>\n<li>Set <strong>Host<\/strong> to your domain or server IP, <strong>Port<\/strong> to 21.<\/li>\n<li>Enter your FTP username and password.<\/li>\n<li>On first connection, check the certificate details and accept if they match your server.<\/li>\n<\/ol>\n<p>Most modern FTP\/SFTP clients support both SFTP and FTPS in similar ways. The key is to make sure the protocol\/encryption settings match what your hosting account offers.<\/p>\n<h3><span id=\"Automating_Transfers_with_SFTP_on_a_VPS\">Automating Transfers with SFTP on a VPS<\/span><\/h3>\n<p>Once you have SSH keys in place, automation becomes much easier. 
A few real\u2011world patterns we see often:<\/p>\n<ul>\n<li><strong>CI\/CD deployments:<\/strong> Your GitLab\/GitHub pipelines use <code>scp<\/code>, <code>sftp<\/code> or <code>rsync -e ssh<\/code> to push new builds to the VPS without storing passwords in CI secrets.<\/li>\n<li><strong>Scheduled backups:<\/strong> A cron job on your VPS or backup server pulls\/syncs data over SSH to offsite storage. If you\u2019re designing a larger backup system, our article on <a href=\"https:\/\/www.dchost.com\/blog\/en\/3-2-1-yedekleme-stratejisi-neden-ise-yariyor-cpanel-plesk-ve-vpste-otomatik-yedekleri-nasil-kurarsin\/\">the 3\u20112\u20111 backup strategy with automated jobs on cPanel, Plesk and VPS<\/a> can give you a complete picture.<\/li>\n<li><strong>Multi\u2011server sync:<\/strong> SFTP\/rsync over SSH keeps web, worker and staging servers in sync in a controlled way.<\/li>\n<\/ul>\n<p>Because everything rides on SSH, you only need to secure and monitor one entry point instead of juggling FTP and SSH separately.<\/p>\n<h2><span id=\"Security_Best_Practices_for_File_Transfers\">Security Best Practices for File Transfers<\/span><\/h2>\n<p>Whether you\u2019re on shared hosting or a VPS, these principles will keep your file transfer layer in good shape.<\/p>\n<h3><span id=\"1_Prefer_SFTP_Over_FTPS_When_You_Can\">1. Prefer SFTP Over FTPS When You Can<\/span><\/h3>\n<p>Both SFTP and FTPS encrypt credentials and data, which is the big win over plain FTP. But SFTP has a few advantages:<\/p>\n<ul>\n<li>Single port (22) \u2013 easier firewall and intrusion detection.<\/li>\n<li>Same stack as SSH \u2013 one set of keys, one set of logs.<\/li>\n<li>Cleaner protocol \u2013 no passive port ranges and oddities.<\/li>\n<\/ul>\n<p>That said, if your shared hosting only offers FTPS, use it \u2013 it\u2019s still a huge improvement over unencrypted FTP.<\/p>\n<h3><span id=\"2_Keep_Your_TLS_and_SSH_Stacks_Updated\">2. 
Keep Your TLS and SSH Stacks Updated<\/span><\/h3>\n<p>On VPS and <a href=\"https:\/\/www.dchost.com\/dedicated-server\">dedicated server<\/a>s, you are responsible for keeping OpenSSH and OpenSSL\/LibreSSL up to date, and for deprecating weak ciphers and protocols. Deprecated TLS versions (like TLS 1.0\/1.1) and weak key exchanges should be disabled.<\/p>\n<p>We\u2019ve covered these changes and timelines in more depth in our article on <a href=\"https:\/\/www.dchost.com\/blog\/en\/ssl-tls-guvenlik-guncellemeleri-ne-zaman-nasil-ve-neyi-degistirmelisiniz\/\">SSL\/TLS security updates and what you must keep up to date on your servers<\/a>. The same principles apply to FTPS as they do to HTTPS.<\/p>\n<h3><span id=\"3_Segment_Access_Per_Person_and_Per_Project\">3. Segment Access Per Person and Per Project<\/span><\/h3>\n<p>Never give one all\u2011powerful account to everyone. Instead:<\/p>\n<ul>\n<li>For <strong>shared hosting<\/strong>, create separate FTP\/SFTP users for each site or client, limited to the required directory.<\/li>\n<li>For <strong>VPS<\/strong>, create dedicated Unix users or deploy accounts, each with their own SSH keys and limited permissions.<\/li>\n<\/ul>\n<p>This way, if one freelancer\u2019s laptop is stolen or one machine gets malware, the blast radius is smaller.<\/p>\n<h3><span id=\"4_Protect_the_Entry_Points_Panels_and_SSH\">4. Protect the Entry Points: Panels and SSH<\/span><\/h3>\n<p>Many compromises start with stolen control panel or SSH passwords rather than protocol flaws. Reduce that risk by:<\/p>\n<ul>\n<li><strong>Enabling 2FA<\/strong> on your hosting panel, domain registrar and any admin dashboards.<\/li>\n<li><strong>Using SSH keys<\/strong> and disabling password authentication on VPS once keys work reliably.<\/li>\n<li><strong>Rate\u2011limiting and firewalling SSH<\/strong> (e.g. 
allow from your office IPs, use Fail2ban or similar tools).<\/li>\n<\/ul>\n<p>If you\u2019d like a more complete, calm checklist for panel\u2011side protections, our guide on <a href=\"https:\/\/www.dchost.com\/blog\/en\/cpanel-guvenlik-sertlestirme-kontrol-listesi\/\">hardening cPanel against brute force and malware<\/a> is a good complement to secure file transfer.<\/p>\n<h3><span id=\"5_Always_Assume_Youll_Need_to_Restore\">5. Always Assume You\u2019ll Need to Restore<\/span><\/h3>\n<p>Even with perfect SFTP\/FTPS setups, risks remain: compromised plugins, supply\u2011chain malware, human error. Treat backups as part of your file\u2011transfer story, not an afterthought:<\/p>\n<ul>\n<li>Keep <strong>multiple generations<\/strong> of backups (daily, weekly, monthly).<\/li>\n<li>Store at least one copy <strong>off\u2011server<\/strong>.<\/li>\n<li>Test restores on a staging environment so you know your process works before an emergency.<\/li>\n<\/ul>\n<p>We\u2019ve seen teams lose days not because they lacked backups, but because they had never practised restoring them. A simple documented runbook beats a \u201cwe\u2019ll figure it out\u201d approach every time.<\/p>\n<h2><span id=\"Shared_Hosting_or_VPS_Which_Makes_Sense_for_Secure_File_Transfer\">Shared Hosting or VPS: Which Makes Sense for Secure File Transfer?<\/span><\/h2>\n<p>From a pure file\u2011transfer perspective, both shared hosting and VPS can be made reasonably secure if you use SFTP or FTPS correctly. 
The difference is <strong>how much control you need<\/strong> and what else you plan to run.<\/p>\n<h3><span id=\"When_Shared_Hosting_Is_Enough\">When Shared Hosting Is Enough<\/span><\/h3>\n<p>Shared hosting is usually the right fit when:<\/p>\n<ul>\n<li>You run a small business site, blog or brochureware site.<\/li>\n<li>You\u2019re okay with the provider managing SSH\/FTP\/FTPS configuration.<\/li>\n<li>You mainly need one or two users (you and maybe a developer) to upload files.<\/li>\n<li>You prefer to manage everything via a control panel and use SFTP\/FTPS occasionally.<\/li>\n<\/ul>\n<p>As long as your provider offers SFTP or FTPS, lets you enforce TLS and gives you basic per\u2011user directory isolation, you can reach a decent security level with good habits.<\/p>\n<h3><span id=\"When_a_VPS_Is_the_Better_Fit\">When a VPS Is the Better Fit<\/span><\/h3>\n<p>A VPS becomes the better option when:<\/p>\n<ul>\n<li>You manage multiple projects or clients and need fine\u2011grained access control.<\/li>\n<li>You want to enforce SSH keys, disable password logins, and tune SSH\/FTPS policies yourself.<\/li>\n<li>You use CI\/CD, staging and automated deployments that benefit from SSH\u2011based workflows.<\/li>\n<li>You run custom software stacks beyond what shared hosting allows.<\/li>\n<\/ul>\n<p>On a VPS from a provider like dchost.com, you can choose your Linux distribution, tune OpenSSH, configure SFTP\u2011only users, and integrate with your wider monitoring and backup stack. 
If you\u2019re deciding between shared hosting, managed WordPress or VPS for a broader set of needs, our comparison of <a href=\"https:\/\/www.dchost.com\/blog\/en\/web-hosting-turleri-karsilastirmasi-hangi-yol-ne-zaman-dogru-hikayeyle-anlatiyorum\/\">web hosting types with real\u2011world examples<\/a> can help you pick the right starting point.<\/p>\n<h2><span id=\"Bringing_It_All_Together_and_What_We_Do_at_dchostcom\">Bringing It All Together (and What We Do at dchost.com)<\/span><\/h2>\n<p>Moving from plain FTP to SFTP or FTPS is one of those upgrades that quietly pays off for years. You don\u2019t get more visitors overnight, and your design does not change, but you eliminate an entire class of password\u2011stealing and data\u2011sniffing attacks. On shared hosting, the switch is usually as simple as updating your client settings and, for FTPS, enforcing TLS. On a VPS, you can go further with SSH keys, SFTP\u2011only users, and strict firewall rules that match your security policies.<\/p>\n<p>At dchost.com, we design our shared hosting, VPS, dedicated and colocation services with this layered view in mind: encrypted protocols by default, clear separation between users and projects, and practical guidance so you are not left piecing together security from random forum posts. Whether you\u2019re hosting a single WordPress site or a portfolio of client projects, you can lean on SFTP\/FTPS and SSH keys as the backbone of safe file transfers.<\/p>\n<p>If you\u2019re currently on plain FTP, pick one site this week and move it to SFTP or FTPS; once you see how little breaks, you can roll out the change everywhere. 
And if you\u2019re ready to graduate to a VPS where you control every aspect of SSH, SFTP and automation, our team at dchost.com is here to help you choose the right plan and configure it with a calm, security\u2011first approach.<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Most website owners still use plain FTP because \u201cthat\u2019s what the designer set up years ago\u201d. It works, it feels familiar, and most hosting control panels still show an FTP section. But in 2025, transferring your site files with unencrypted FTP is like logging in to online banking over HTTP: the data moves, but anyone [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":3114,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-3113","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-teknoloji"],"_links":{"self":[{"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/posts\/3113","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/comments?post=3113"}],"version-history":[{"count":0,"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/posts\/3113\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/media\/3114"}],"wp:attachment":[{"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/media?parent=3113"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/categories?post=3113"},{"taxonomy":"post_tag","embeddable":true,"href":"http
s:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/tags?post=3113"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}