What you need to know…
Customers have contacted us with reports of having FTP details stolen and we’ve been able to help them identify that they have been hacked and affected by a virus as a result.
As an enhanced security measure we’re adding an FTP locking feature for all Linux shared hosting accounts only. This enables our customers to lock FTP access to their account when it’s not in use, making it more difficult for hackers to gain access.
From the end of November FTP will be locked on all accounts as standard. You can unlock your FTP for a given time or by white listing specific IP addresses, meaning that you can access your files during this time or at the specified address even when FTP is locked.
We would advise that you prepare any changes to your website and then, when you are ready to upload it, unlock FTP for one hour. If you need access for longer, please select the relevant option however, we would advise you to only unlock FTP for short periods.
Features of FTP Lock
Unlocking FTP via your Online Control Panel is simple. You’ve always been able to limit FTP access via IP address, but now you can choose from either:-
- Limiting FTP access by IP address or
- Limiting the amount of time that your FTP remains open for – regardless of the IP address
If you choose the second option, you can work as standard during the period of time when FTP is open and at the end of the time limited period, FTP access will close down again. You will be required to log back into your Online Control Panel and choose from either option one or two again.
By using the FTP lock with your Namesco hosting will greatly reduce the risk of Hackers gaining access to your website.
Please keep checking back for further information on the FTP Lock.
07/11/2011 at 11:34
I use an FTP programme to manage my website rather than the Control Panel. How does this affect my situation?
Regards,
Jim.
07/11/2011 at 17:32
Yes this does affect you. You will need to log into your Control Panel and set either the times that you want to access it via your FTP programme, or if your ISP gives you a static IP address, you can whitelist this and you will be able to access it at any time using your FTP programme. For more info on static IP addresses please contact your ISP.
07/11/2011 at 17:09
This website is organised and updated by someone who has no access to a control panel. How is he supposed to update in these circumstances? Using an IP address is fine if it is a fixed one, but as many are not (including my own) then how does one go about it? Set an FTP time of 4 years?
This has not been thought out sufficiently, or has been explained very badly.
08/11/2011 at 09:45
Hi Howard,
Thanks for your feedback. We’ve developed these additional security measures in response to a specific breed of viruses that target FTP passwords stored in a local client.
The Namesco account holder will need to login to their Online Control Panel and reset the FTP password, choosing an appropriate length of time to enable it for. There will be an ‘Always Allow’ option you can enable if you like so that you don’t need to go back in and re-enable it later, although we wouldn’t recommend this.
07/11/2011 at 22:49
First my web site is well out of date. I only use FTP95 that i am happy with. How can I protect me FTP when I understand there is no commands in the software. Plus I have access to anothere 2 host. But I only use FTP95. Again how cam I protect it please. Paul
08/11/2011 at 09:48
Hi Paul,
Thanks for your feedback. This will affect you insomuch as you will need to change your password and re-enable FTP the first time you try to connect. If you have a static IP address then you can allow that permanently so you don’t have to change the settings again.
08/11/2011 at 21:47
Excellent initiative.
I recently had a script added to a page on one of my sites (not hosted by Namesco I hasten to add). I’m very careful and my FTP password was fairly high strength too.
This tool would have prevented this, and as you say, if people don’t want to use it, they can switch it off.
09/11/2011 at 10:01
Absolutely Grant, FTP Lock is there to give extra protection but the choice is still with you,the customer, on how to use it. Thanks for your comment!
09/11/2011 at 11:36
Hi, can someone help please. I’m not technical so forgive if this sounds like a stupid question, but how would I know if my website had been hacked and hidden code inserted?? Thanks/regards Sue
09/11/2011 at 14:39
Hi Sue,
That’s a very good question. Thankfully, these days, Google and the various browser manufacturers are so good at detecting compromised websites quickly that you will usually find out either because Google create a warning about your site in their search results or because customers will try to visit your site and see a page telling them the site may be compromised.
I’d recommend signing up for a free Google Webmasters tool account at http://www.google.com/webmasters/tools/
Through there, you can run malware scans on your website, refine how people find your site in Google and also see statistics about visits and traffic to the site itself.
I hope this helps!
29/11/2011 at 10:07
What’s to stop the hackers from gaining access to the control panel?
And (for those ‘lucky’ enough to have a static IP address) the hacker could just spoof this IP address to gain ilegal access!
18/11/2012 at 09:37
Exactly!!
I don’t think this action is any helpfull at all. It actually only adds annoyance.
I disagree that a hosting company should force this kind of actions. It’s the customers responsibility to maintain their security.
Now I have to log on the control panel everytime (quite often for some sites) I want to use ftp. So if I had a virus the hacker would have full control over my websie instead of only ftp access.
19/11/2012 at 12:28
Hi Lerry,
Thanks for taking the time to pass on your feedback.
As a responsible provider we always strive to ensure that our customers are as protected as possible, which was one of the main reasons we originally introduced the FTP Lock feature. It’s very commendable for you to take responsibility for your own security like that and we are confident that the FTP Security tools we make available will allow you to do just that.
I assume from your last sentence that you’re on a dynamic IP address, so don’t have a static IP address that you can permanently allow. That being the case, you can use the ‘Other IPs’ section to open up access from other IP addresses for certain periods of time. I accept that it can be a little bit inconvenient sometimes to have to login to the Online Control Panel in order to do that but it really does go a long way towards keeping your account and websites as secure as possible, which has always been our guiding principle.
I hope this addresses your conerns but please do let us know if you have any more queries regarding this.
20/11/2012 at 12:45
The inconvenience of this is out of all proportion to the risks.
I have a dynamic IP address, set at BT’s whim, and an active web site with frequent changes. Logging on the Control Panel every time I need to update a page sounds like a nightmare!
There are so many holes in this plan from spoofing to hacking Control Panel access to maximising user inconvenience I cannot see its advantages. If my website gets hacked utterly, or wiped out, I simply re-upload everything from scratch – it’s not my only copy!
23/11/2012 at 10:32
Hi John,
Thank you for passing on your concerns, we apologise for the inconvenience this may be causing you but we hope you can understand our viewpoint as your provider.
We have taken this security measure as a serious step towards improving online safety for all our customers. Unfortunately, many would not be in the position to recreate their websites from scratch in the event of a security breach and many customers retain sensitive customer information that they need to protect. Changing settings or passwords can be inconvenient but it is the simplest way to maximise your own security and as a provider we feel it is our duty to take any measures we feel necessary to keep our customers safe.
With a dynamic IP address like yours, you can use the ‘Other IPs’ option to open up access for up to 30 days which means you do not need to specify a particular IP address every time. The length of time is capped at 30 days to decrease your online risk and to make sure you, as the account holder, have complete control over FTP and you are able to ensure it is never left open indefinitely. By logging onto your Online Control Panel once a month to do this, you will be keeping your account and websites safe and as secure as possible. We do recommend you lock FTP when it’s not in use and having the option to disable it will allow you to do this.
I hope this helps with some of your concerns. We are here to help so please let us know if you are struggling to meet the deadline you can raise a support ticket and we will help you make alternative arrangements. For a faster response, please set Department to “Customer Support” and type “Email Password Reset” in the Brief Description field.
Many thanks again John for getting in touch,
Jayne
22/11/2012 at 17:41
Have to agree with the other complaints on here. Very few people have static IPs and I’m no different. I work remotely for my client who has 10+ websites on Namesco and this is just going to be a pain logging into the control panel to allow FTP access each time.
Security shouldn’t always mean inconvenience. There must be a better solution to this.
23/11/2012 at 10:59
Hi Dan,
Many thanks for taking the time to give us your feedback. I can imagine how difficult it would be to continually have to change your IP address but with the ‘Other IPs’ option in your Online Control Panel, that will not be necessary. If you don’t have a static IP address, you can select the ‘Other IPs’ option and open access for up to 30 days meaning you will not need to specify a particular IP address each time. You can then enable ‘Other IPs’ once a month and it will ensure your account and websites are as secure as possible.The length of time is capped at 30 days to give you control over FTP access and ensure it is never left open indefinitely. With the FTP Lock facility, you will also be able to lock FTP when it’s not in use.
I hope this helps with your situation, if you need any assistance, please raise a support ticket in your Online Control Panel. For a faster response, please set Department to “Customer Support” and type “Email Password Reset” in the Brief Description field.
Thanks again for your feedback Dan,
Jayne
28/11/2012 at 22:55
If you’re going to open FTP access for 30 days at a time, there’s very little security to be gained, I’d have thought.
Couldn’t you lock FTP transmissions to MAC addresses instead? (And yes I know you can spoof these, but ditto IP addresses, surely).
Failing that, couldn’t someone at Namesco write a script that we could incorporate into our FTP scripts that would do all the Control Panel work of IP address-locking, and enable the resetting ‘on the fly’? Like a ‘one-time pad’ encryption for the particular IP address we’re on at the time?
20/12/2012 at 18:07
Hi John, so sorry for the late reply:
Restricting it to MAC addresses is not possible, as MAC addresses never leave your own network.
With suggestion of making this scriptable… it’s possible to do, but it’s unlikely to improve security because we couldn’t verify the CP logins anymore than the FTP ones, so we’d need the same restrictions there too.
30 days seemed a fair limit compared to our previous open-ended limits. This limit is something we keep under review and we may change it in future based on how effective it proves to be.
Wishing you a Merry Christmas and Happy New Year 🙂
06/01/2013 at 17:48
I have just found this blog after posting a furious comment on the MD Feedback as a result of wasting most of my afternoon. My website has nothing worth hacking and I can sync and reload it with less effort than it takes to find my way around the control panel. I agree with the poster who points out that the control panel is much less secure anyway. I have no problem in updating the ftp password within reasonable intervals.
22/01/2013 at 18:45
Complete pointless and aggravating. Just offering SFTP or FTP over SSL would have been a far better solution.
Anyone who needs to use FTP regularly, with a dynamic IP is going to have to leave FTP open all the time, thus providing no “benefit” from this irritating so-called feature.
16/04/2013 at 09:59
I agree with previous posters – this just gets in the way of doing one’s job.
I can see that some people might like it. Fine – just add an opt-out option for those of us for whom it’s a hindrance.
I use FTP to let some colleagues exchange CAD drawings with external parties as an alternative to emailing 20Mb attachments to each other. Now I have to set myself a reminder to refresh the timer every 30 days. Result: more hassle for me yet the site remains permanently open just like it was before.
Madness.