FTP vs SFTP: which one to use for your Indian website

If your hosting provider asks you to connect via FTP, stop. Plain FTP transmits your username, password, and all file contents in cleartext — anyone on the same network can read them. SFTP is the secure alternative and is available on every VPS and most shared hosting accounts.

What FTP is (and why it's a problem)

FTP (File Transfer Protocol) was designed in 1971, before network security was a consideration. It works by opening two connections: one for commands (port 21) and one for data. Both send everything in plaintext.

What an attacker can see in a captured FTP session:

220 ProFTPD 1.3.6 Server
USER yourname
331 Password required
PASS yourpassword123        ← visible in plaintext
230 User logged in
STOR index.php              ← file name visible
[file contents transmitted in cleartext]

FTP also has firewall compatibility issues in "active mode" because the server initiates a connection back to the client, which most firewalls block. "Passive mode" works better but adds configuration complexity.

FTPS (FTP over SSL) is a variant that adds TLS encryption — it's better than plain FTP but less common and more complicated to configure than SFTP. Use SFTP instead.

What SFTP is

SFTP (SSH File Transfer Protocol) runs over the SSH (Secure Shell) protocol on port 22. It is not "FTP with SSL" — it's a completely different protocol that shares only the name and the concept of file transfer.

SFTP advantages:

• All traffic is encrypted (files, credentials, commands)
• Uses the same SSH port (22) — no firewall issues
• Supports key-based authentication (no passwords)
• Available on every Linux VPS by default
• Most modern shared hosting accounts support it
• Can resume interrupted transfers

How to check if your hosting supports SFTP

cPanel shared hosting: Log into cPanel → Files → FTP Accounts. Look for SFTP toggle or check your hosting plan details. Most Indian hosts that offer SSH access also enable SFTP. If you can SSH in, SFTP works on the same credentials.

VPS: SFTP is available by default on any VPS with OpenSSH installed (which is all of them). Your SSH credentials work for SFTP too.

What you need to connect:

• Hostname: your domain or VPS IP address
• Port: 22
• Username: your SSH/cPanel username
• Authentication: password or SSH key

Connecting with FileZilla (Windows/Mac/Linux)

FileZilla is the most popular free FTP/SFTP client. Download from filezilla-project.org.

Method 1: Quick connect bar

At the top of FileZilla:

Host: sftp://yourdomain.in   (or sftp://your-vps-ip)
Username: yourname
Password: yourpassword
Port: 22

Click Quickconnect. FileZilla will warn you that the host key is unknown on first connection — review the fingerprint and click OK to trust it.

Method 2: Site Manager (recommended for regular use)

Go to File → Site Manager → New Site.

Protocol: SFTP – SSH File Transfer Protocol
Host: yourdomain.in  (or your VPS IP)
Port: 22
Logon Type: Normal (or Key file if using SSH keys)
User: yourname
Password: yourpassword

Click Connect. Save this entry so you don't retype credentials each time.

Using SSH key authentication in FileZilla:

If you've set up SSH key authentication on your VPS:

1. Go to Edit → Settings → Connection → SFTP
2. Click Add key file → browse to your private key file (id_ed25519 or id_rsa)
3. FileZilla converts it to its own format if needed
4. In Site Manager, set Logon Type to Key file and browse to the key

Connecting with WinSCP (Windows)

WinSCP has a more polished Windows-native interface and integrates well with PuTTY keys.

In WinSCP's login dialog:

File protocol: SFTP
Host name: yourdomain.in
Port number: 22
User name: yourname
Password: yourpassword

Click Login. On first connection, accept the server's host key fingerprint.

WinSCP with PuTTY keys: WinSCP uses PuTTY's .ppk format for keys (not OpenSSH format). If you have an OpenSSH key (id_ed25519), convert it:

1. Open PuTTYgen
2. Load your id_ed25519 file
3. Save private key in .ppk format
4. In WinSCP, go to Advanced → SSH → Authentication → Private key file → select your .ppk

Connecting from terminal (command line)

On Mac and Linux, the sftp command is built in. On Windows, use PowerShell or Windows Subsystem for Linux.

Basic SFTP session:

sftp yourname@yourdomain.in

On connection, you get an sftp> prompt. Basic commands:

sftp> ls              # List files on remote server
sftp> lcd /local/path # Change local directory
sftp> cd /remote/path # Change remote directory
sftp> get filename    # Download a file
sftp> put filename    # Upload a file
sftp> mput *.php      # Upload multiple files
sftp> mget *.log      # Download multiple files
sftp> rm filename     # Delete a file
sftp> exit            # Disconnect

Upload a directory:

# Upload entire directory and contents
sftp> put -r localdir/

One-liner uploads (without interactive session):

# Upload a single file
sftp yourname@yourdomain.in:/path/to/destination <<< "put /local/file.php"

# Or use scp for simple file copies (same SSH credentials):
scp localfile.php yourname@yourdomain.in:/var/www/html/
scp -r localdir/ yourname@yourdomain.in:/var/www/html/

SFTP on VPS: permissions and paths

Common paths:

• cPanel shared hosting: /home/username/public_html/ (your website root)
• VPS with NGINX: /var/www/yourdomain.in/ or /home/yourapp/public/
• VPS with Apache: /var/www/html/

File permission issues on VPS: If you upload a file via SFTP but your web server can't read it, the file owner or permissions may be wrong.

# After uploading, fix ownership (replace www-data with your web server user)
sudo chown www-data:www-data /var/www/html/newfile.php

# Fix permissions for web files
sudo chmod 644 /var/www/html/newfile.php

# Directories need execute permission
sudo chmod 755 /var/www/html/newdir/

Automating SFTP transfers

rsync over SSH (most common for deployment):

# Sync local directory to server (only uploads changed files)
rsync -avz --delete ./public/ yourname@yourdomain.in:/var/www/html/

# Exclude node_modules, .git
rsync -avz --delete --exclude=node_modules --exclude=.git ./app/ yourname@yourdomain.in:/var/www/app/

rsync is far more efficient than SFTP for deployment because it only transfers files that have changed rather than the entire directory.

SSH key-based automation (for scripts and CI/CD): Generate a dedicated key pair for automation:

ssh-keygen -t ed25519 -C "deploy-key" -f ~/.ssh/deploy_ed25519 -N ""

Add the public key to the server's ~/.ssh/authorized_keys. Use the private key in your CI/CD pipeline (GitHub Actions, GitLab CI) as a secret. Never put private keys in your repository.

Common connection errors

"Connection refused": Port 22 is blocked by your server's firewall. Check sudo ufw status on VPS. For shared hosting, contact your host — SFTP may not be enabled.

"Host key verification failed": The server's fingerprint has changed since you last connected. This can mean the server was rebuilt (normal) or a man-in-the-middle attack (uncommon). Verify with your host before accepting the new key. Remove the old entry: ssh-keygen -R yourdomain.in.

"Permission denied (publickey)": Your SSH key isn't set up correctly. Fall back to password authentication to verify connectivity, then troubleshoot the key setup.

"No such file or directory": You're in the wrong directory on the server. Use ls and pwd in the sftp prompt to orient yourself.

"Broken pipe" or disconnection during large uploads: Network instability. Use rsync instead of sftp for large transfers — rsync resumes where it left off.

Replacing FTP entirely

If you're still using a plain FTP client out of habit, here's the migration:

1. Install FileZilla or WinSCP
2. Change connection type to SFTP (port 22 instead of 21)
3. Use the same credentials — they work over SFTP
4. Your paths and workflow are identical

There is no reason to use plain FTP in 2025. SFTP provides the same file browsing and transfer experience with full encryption and no additional setup for most shared hosting and all VPS accounts.