Over-Reliance On FTP

FTP is a fascinating technology, if only because its history is so rife with ambiguity. The modern FTP protocol (RFC 959) was actually invented way back in 1985, a full ten years before its more-famous cousin HTTP (1.0) was launched in 1996. Over the past few decades, however, HTTP began evolving much faster than FTP and eventually “took over” many functions that the early inventors of FTP imagined their protocol would be used for. In other words, HTTP is significantly more useful.

It may sound funny, then, to claim that FTP is being “over-relied upon” – after all, unless you are a web designer accustomed to uploading or downloading large directories full of PHP, JS, or other types of web files from hosting servers, you probably don’t even know what FTP technology is. Still, the truth is that FTP is regularly used inappropriately in the world of web development (despite its flaws), usually for no other reason than “its an easy way” to quickly view a large list of files.

(Take for example a January 2015 report released by North Plains Asset Management that found over 70% of businesses still use email as a primary “asset sharing” tool, with 56% of businesses using FTP to share their digital assets.)

It is no secret amongst computer engineers that HTTP is better than FTP for a wide variety of reasons; HTTP is not only faster and more stable, but it can transfer multiple files from the same server more efficiently because of something called pipelining. Moreover, HTTP also attaches headers to each transfer meaning that applications are more aware of the type of file being migrated. (There are several other advantages to HTTP including gzip compression, better firewall compatibility, etc.)

“What then, are we supposed to be using, if not FTP?” you may be thinking. And therein lies the problem; FTP is so commonly used by designers, teams, and companies in recent years (for a wide range of reasons) that the term “FTP” has taken on the meaning of a “tool” or service… rather than its true nature of being a (mediocre) communications protocol.

“People often ask themselves the right questions. Where they fail is in answering the questions they ask themselves, and even there they do not fail by much. A single avenue of reasoning followed to its logical conclusion would bring them straight home to the truth. But they stop just short of it, over and over again. When they have only to reach out and grasp the idea that would explain everything, they decide that the search is hopeless. The search is never hopeless. There is no haystack so large that the needle in it cannot be found. But it takes time, it takes humility and a serious reason for searching.”
– William Maxwell, Time Will Darken It

It’s not that you “shouldn’t” ever be using FTP; rather, its that the FTP protocol is slowly dying and becoming less and less relevant. Therefore, its important to see FTP not as “the program you open up to store things on” or “the place where I edit my WordPress files” but rather as the protocol that it is (and isn’t). With the widespread adaption of HTML5 around 2010-2014, the “trio” of HTML, CSS, and Javascript ushered in a radically new era of internet functionality. Take for example Google Drive, which allows users to literally drag and drop massive folders right into their browser window to be uploaded onto Google’s remote servers for storage and sharing (via HTTP, of course). In fact, WordPress itself has had a similar feature since 2011.

In any regard, HTTP might not ever fully replace the existence of FTP; even still, that does not excuse the fact that FTP is being quite often abused and mis-used. Below are some solid alternatives to the web’s over-reliance on FTP:

1. Storage. You should never use your web server as a storage service or “office collaboration” tool. Not only are your files insecure (and not redundant) on your web server, but it creates other security and performance problems for your website itself. Instead, get with the times and consider a service such as Google Drive (my favorite) or Dropbox.

2. Backups. Regularly backing up your website is always a great idea. However, storing large backup “zip” files or otherwise on your server once again creates security and performance risks for your website (i.e. those backups can be easily stolen by clever users or robots). Therefore logging into FTP to check/download your backups is also poor form. Instead, consider a remote backup service such as CodeGuard (which is offered on all LittleBizzy hosting plans).

3. Configuration. Using an FTP application to install WordPress, update ownership/permissions, or perform other “server configuration” oriented tasks is neither efficient nor reliable. Instead, to avoid any errors because of FTP’s “ASCII vs. binary” transfer modes or wrong user/group/file permissions (etc), all such tasks should be completed using SSH instead. (Obviously, most WordPress users aren’t aware of SSH which is precisely why managed WordPress hosting is a good idea!)

4. Migration. There’s only one truly reliable way to migrate a massive amount of server files and that is with TAR-balls. As FTP can’t understand TAR compression, once again this task should be accomplished via SSH. Not only is server-to-server migration much faster than manually uploading via FTP, but TAR-balls also preserve file permissions and otherwise, meaning its an exact copy of your old server onto your new server (likewise, mysqldump should be used for SQL databases).

5. Editing. Probably the most common reason that users wish to have (S)FTP access is to be able to edit their WordPress (template) files such as PHP, CSS, and JS files (or to manually upload photos/videos to their website). Admittedly, this was a weak spot of my own for many years, but that doesn’t change the fact that its usually not a good idea. Hacking WordPress templates/plugins is firstly a bad idea for security and compatibility reasons i.e. when you update your software you will lose all those changes anyway. The only code within a WordPress theme or plugin that should require significant editing are CSS files, which is easily accomplished via the WordPress control panel via Appearance >> Editor. And it should go without saying that manually uploading media files to your WordPress backend is never a good idea because then your WordPress database is not properly updated with the critical meta data surrounding those uploads (size, date, etc) resulting in poorer security/efficiency. Always use the Media Library functions to upload photos, videos, audio files, or other documents.

From a web host’s perspective, such as LittleBizzy, its always a bit nerve racking to have so many customers logging into FTP because it comes with an inherently higher chance of problems, errors, risks, and so forth. Do yourself (and web hosts everywhere) a favor by brushing up on some of the knowledge above. It is the future! And, if you must use FTP, make sure you always connect via encrypted SFTP in order to safeguard all passwords and data.

Tags: Backups, Collaboration, FTP, HTTP, Migration, security, server configuration, SFTP, Sharing, SSH