Insecure FileZilla FTP Program

I manage several web sites, some of them WordPress-based, and other sites I manage or own are PHP-based. So I often need to transfer files from my laptop to the hosting site. To do that, I use an FTP client program called FileZilla.

At least, I used to.

And the reason for ‘used to’ could be helpful to you.

One of the sites I manage has an intermittent problem with some injected malware. Usually, it is a small bit of code that uses an ‘iframe’ (an HTML element that embeds another page inside a web page) to hide content that does search click-jacking. That’s when the code loads a search results page, then ‘clicks’ links on the page to earn search-click revenue. The actual search page is never displayed, but the ‘clicking’ happens.

So that injected code gets displayed on every WordPress page on the site. Which means that somehow the WordPress code on the site host is being modified by malware.

It’s not clear how the code gets modified, but one way is by a compromised FTP account. The hacker somehow gets the FTP login and password for a site, then looks at that site for PHP files that can be modified with an insertion of the malware code.

And the only way to figure out that the site has been compromised is to take a look at the page code, which can be quite complex. Or you can look at file dates on the host, but that can take quite a while.
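A way to take the drudgery out of both checks described above, looking at page code for hidden iframes and comparing file dates against a known-good point in time, is a small scanner run over the site tree. This is an added example, not code from the original post: the indicator patterns, the file extensions and the two sample files it builds in a temporary directory are all constructed for illustration, and a real injection may use other tricks, so treat a clean result as a starting point rather than proof.

```python
"""Scan a WordPress/PHP tree for injected hidden-iframe code and for files
changed after a known-good baseline date.  Added example, not from the
original post; the indicator patterns and sample files are constructed."""
import os
import re
import shutil
import tempfile
import time
from pathlib import Path

# An iframe that is hidden or shrunk to nothing: the visitor never sees the
# loaded page, but the browser still fetches it and runs its content.
HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*(display\s*:\s*none|visibility\s*:\s*hidden|"
    r"width\s*=\s*[\"']?0|height\s*=\s*[\"']?0)[^>]*>",
    re.IGNORECASE,
)
# Injected PHP is often wrapped in an obfuscation layer such as
# eval(base64_decode(...)) so the iframe string is not visible in the file.
OBFUSCATION = re.compile(
    r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE
)


def scan_file(path):
    """Return the list of indicator names found in one file."""
    text = Path(path).read_text(errors="replace")
    hits = []
    if HIDDEN_IFRAME.search(text):
        hits.append("hidden-iframe")
    if OBFUSCATION.search(text):
        hits.append("obfuscated-eval")
    return hits


def scan_tree(root, baseline_mtime, exts=(".php", ".html", ".js")):
    """Walk a site tree and return {relative path: finding} for every file
    that has an indicator or was modified after the baseline timestamp."""
    root = Path(root)
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            full = Path(dirpath) / name
            hits = scan_file(full)
            newer = full.stat().st_mtime > baseline_mtime
            if hits or newer:
                findings[full.relative_to(root).as_posix()] = {
                    "indicators": hits,
                    "modified_after_baseline": newer,
                }
    return findings


def demo():
    """Build a constructed two-file site (one clean, one injected) and scan it
    with a baseline of one week ago."""
    root = Path(tempfile.mkdtemp())
    try:
        (root / "wp-content").mkdir()
        clean = root / "index.php"
        clean.write_text("<?php echo 'hello'; ?>\n")
        # Back-date the clean file so it predates the baseline.
        old = time.time() - 86400 * 30
        os.utime(clean, (old, old))
        (root / "wp-content" / "footer.php").write_text(
            "<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>\n"
            '<iframe src="http://example.invalid/search" '
            'style="display:none"></iframe>\n'
        )
        baseline = time.time() - 86400 * 7
        return scan_tree(root, baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, info in demo().items():
        print(path, info)
```

Against a real host, point `scan_tree` at the site root and pass the modification time of a backup you trust as the baseline; files that show up only because they are newer still deserve a look, since an injection does not have to match either pattern.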

Now, I keep my computer systems current with patches. I do Windows patches as soon as they are released. I have Secunia’s PSI program which automatically patches my non-MS programs. I’ve got a good anti-virus program. And I use strong passwords everywhere.

But even these good security practices can be bypassed with a ‘zero-day’ attack. And that’s what I think happened. Some malware got into my system somehow. And this particular bit of malware tries to compromise my FTP program.

And it turns out that FileZilla, the FTP client on my computer, stores FTP user names and passwords in a clear-text file in an easily accessed location.

What. The. ???!!!

Why would they do that?

Yes, the program is open-source, so someone can easily figure out where the FTP user/passwords are stored. But there is no reason not to encrypt the file that contains the passwords.

No reason at all.

It is a major vulnerability. One that the FileZilla developers continue to ignore.

And FileZilla is very popular. Millions of downloads.

Each and every one is vulnerable to malware attack that will get your FTP user credentials.

What. The. ???!!!!

And that’s why FileZilla has been removed from my computer. And banned from any computer I own or manage.

But I still need an FTP client. Yeah, I could do it all manually, but an FTP GUI is just convenient. So I need an alternative.

And that alternative is WinSCP (available here).

It’s pretty easy to use. Has a nice GUI. Allows for multiple FTP site settings. Will save the FTP user credentials. Is open-source, and free (donations accepted).

And has an option to have a ‘master password’, that, if enabled, will encrypt the file that stores your FTP user credentials.

So far, it is working fine, and appears to be a good and secure FTP client.

Which is why WinSCP is on my computer.

And FileZilla isn’t.

I recommend the same conclusion for your computers.


(Added 25 May 2012) Note that if you do uninstall FileZilla, the password file is not removed (even after a restart). You will need to remove it manually.
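For anyone who wants to check their own machine for the clear-text credential file described above, and to clean it up after an uninstall as this note advises, here is an added audit script. It is not the post’s code and not FileZilla’s; it assumes the saved-site and recent-connection files are named sitemanager.xml and recentservers.xml in a FileZilla folder under the user’s application-data directory (%APPDATA% on Windows, ~/.config on Linux), and that each saved server is a <Server> element with <Host>, <User> and <Pass> children, where newer releases mark the password with encoding="base64" (reversible encoding, not encryption). Those layout details are my assumption here, so verify them against your own files. The script reports how each password is stored without ever printing the password, and the demo runs against a constructed sample file.

```python
"""Audit, and optionally remove, the FileZilla configuration files that hold
saved FTP credentials.  Added example, not the post's or FileZilla's code.
Assumed (verify on your machine): the files are sitemanager.xml and
recentservers.xml under the per-user FileZilla settings directory, and each
<Server> carries <Host>, <User> and <Pass> elements, with <Pass
encoding="base64"> in newer releases."""
import os
import sys
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

CREDENTIAL_FILES = ("sitemanager.xml", "recentservers.xml")


def filezilla_config_dir():
    """Best-effort per-user settings directory (assumed locations)."""
    if sys.platform.startswith("win"):
        return Path(os.environ.get("APPDATA", "")) / "FileZilla"
    return Path.home() / ".config" / "filezilla"


def audit_file(path):
    """Return one record per saved server: host, user and how the password
    is stored.  The password value itself is never returned or printed."""
    records = []
    tree = ET.parse(path)
    for server in tree.iter("Server"):
        pass_el = server.find("Pass")
        if pass_el is None or not (pass_el.text or "").strip():
            storage = "none"
        elif pass_el.get("encoding") == "base64":
            storage = "base64"  # anyone can decode this; it is not encryption
        else:
            storage = "plaintext"
        records.append({
            "file": Path(path).name,
            "host": (server.findtext("Host") or "").strip(),
            "user": (server.findtext("User") or "").strip(),
            "password_storage": storage,
        })
    return records


def audit_dir(config_dir, remove=False):
    """Audit every credential file present in config_dir.  With remove=True
    the files are deleted afterwards, which the uninstaller does not do."""
    findings = []
    for name in CREDENTIAL_FILES:
        path = Path(config_dir) / name
        if not path.is_file():
            continue
        findings.extend(audit_file(path))
        if remove:
            path.unlink()
    return findings


def demo():
    """Run the audit with removal against a constructed sitemanager.xml."""
    d = Path(tempfile.mkdtemp())
    (d / "sitemanager.xml").write_text(
        "<FileZilla3><Servers>"
        "<Server><Host>ftp.example.invalid</Host><User>alice</User>"
        "<Pass>hunter2</Pass></Server>"
        "<Server><Host>ftp2.example.invalid</Host><User>bob</User>"
        '<Pass encoding="base64">aHVudGVyMg==</Pass></Server>'
        "</Servers></FileZilla3>"
    )
    found = audit_dir(d, remove=True)
    return found, (d / "sitemanager.xml").exists()


if __name__ == "__main__":
    # Report only; pass remove=True once you have moved to another client.
    for rec in audit_dir(filezilla_config_dir()):
        print(rec)
```

Run it without arguments to list every saved login and how its password is stored; any "plaintext" or "base64" result means the credentials are readable by whatever can read your profile directory, which is the malware scenario the post describes.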