WEB HOSTING SUPPORT NETWORK
     
 

Using .ftpaccess files

What is an .ftpaccess file?

.ftpaccess files allow you to alter the default FTP server configuration settings. The name of the file begins with a dot (.) symbol. You can create .ftpaccess files via the File Manager section of the hosting Control Panel.

If you wish to edit an .ftpaccess file with a text editor of your choice, you can download the file via an FTP client. You can find step-by-step instructions on how to set up the most popular FTP clients in the Uploading files category from our online documentation. Some FTP clients do not show configuration/hidden files (starting with a dot (.) symbol) by default, so please refer to the official documentation of your FTP client of choice for instructions on how to show/display hidden files.

The .ftpaccess Limit directive

You can use the Limit directive in .ftpaccess files to limit access to a specific FTP command or to a group of FTP commands in a particular directory. If you wish to limit access to specific FTP commands in multiple directories/subdirectories, you need to add an .ftpaccess file to each directory/subdirectory, as .ftpaccess files do not work recursively.

A list of the command groups and the most widely used FTP commands with a brief overview is available below:

  • ALL includes the READ, WRITE, and DIRS command groups (all FTP commands). This command group has the lowest precedence, so if there is a Limit directive configured for a specific command or command group, the ALL command group limit will not have any effect on that command or command group.
  • READ includes the following FTP commands related to file reading (directory reading FTP commands are not included in this command group):
    • RETR (RETRieve) allows the FTP client to download files from the server.
    • SITE CHMOD (CHange MODe) allows the FTP client to change file/directory permissions.
    • SIZE allows the FTP client to view file size information.
    • STAT (STATus) allows the FTP client to view the FTP server/connection status.
  • WRITE includes the following FTP commands used for writing, creating, and deleting files/directories:
    • APPE (APPEnd) allows the FTP client to append the content of one file to another.
    • DELE (DELEte) allows the FTP client to delete a file/directory.
    • MKD/XMKD (MaKe Directory) allows the FTP client to create a new directory.
    • RMD/XRMD (ReMove Directory) allows the FTP client to remove a directory.
    • RNTO (ReName TO) allows the FTP client to rename a file/directory. This FTP command is used in combination with the RNFR FTP command.
    • STOR (STORe) allows the FTP client to upload files to the server.
  • DIRS includes the following FTP commands associated with directory listing:
    • CDUP/XCUP (Change Directory UP) allows the FTP client to navigate up one directory level.
    • CWD/XCWD (Change Working Directory) allows the FTP client to change the current working directory.
    • LIST/NLST (LIST/Name LiST) allows the FTP client to list the files in a directory.
    • MDTM (MoDification TiMe) allows the FTP client to view the date when a file was last modified.
    • PWD/XPWD (Print Working Directory) allows the FTP client to display the current working directory.
    • RNFR (ReName FRom) allows the FTP client to rename a file/directory. This FTP command is used in combination with the RNTO FTP command.

More details about the Limit directive are available in the official ProFTPD documentation.

Protecting .ftpaccess files

By default, configuration files (starting with a dot (.) symbol) are visible to all FTP users. This includes .ftpaccess files. We recommend that you add the following code block at the beginning of your .ftpaccess files to allow only specific FTP users to view and manage your configuration files:

HideFiles (\.ftpaccess|\.htaccess|\.htpasswd)$ user !alloweduser
<Limit ALL>
IgnoreHidden on
</Limit>

Note: Since .ftpaccess files do not work recursively, you will need to add a separate .ftpaccess file to each directory where you wish the custom FTP configuration to take effect.

For increased security, and to prevent public access (over HTTP) to your .ftpaccess files, we would recommend that you change their permissions to 0600 via the File Manager in your hosting Control Panel.
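The checks described in this section can be automated. The script below is an added example, not part of the original article or of ProFTPD. It assumes you can run Python against the site's directory tree (a local copy or a host with shell access), and the function name audit_ftpaccess and the report keys are hypothetical. It reports subdirectories that sit below an .ftpaccess file but have none of their own, .ftpaccess files whose permissions are not 0600, and .ftpaccess files without a HideFiles directive.

```python
import os
import stat
import sys

def audit_ftpaccess(root):
    """Check a tree for the .ftpaccess pitfalls described above.

    uncovered:    directories below a directory with an .ftpaccess that have none of
                  their own (the parent's rules are not inherited)
    loose_mode:   (path, mode) for .ftpaccess files whose permissions are not 0600
    no_hidefiles: .ftpaccess files that contain no HideFiles directive
    """
    report = {"uncovered": [], "loose_mode": [], "no_hidefiles": []}
    protected = set()  # directories that have, or sit below one that has, an .ftpaccess
    for dirpath, dirnames, filenames in os.walk(os.path.abspath(root)):
        dirnames.sort()  # deterministic report order
        has_file = ".ftpaccess" in filenames
        below = os.path.dirname(dirpath) in protected
        if has_file or below:
            protected.add(dirpath)
        if not has_file:
            if below:
                report["uncovered"].append(dirpath)
            continue
        path = os.path.join(dirpath, ".ftpaccess")
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        if mode != 0o600:
            report["loose_mode"].append((path, format(mode, "04o")))
        with open(path, encoding="utf-8", errors="replace") as fh:
            if not any(line.strip().lower().startswith("hidefiles") for line in fh):
                report["no_hidefiles"].append(path)
    return report

if __name__ == "__main__":
    # Usage: python3 audit_ftpaccess.py /path/to/site/root  (the path is a placeholder)
    for kind, items in audit_ftpaccess(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for item in items:
            print(kind, item)
```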

Examples

You can find examples for the most common uses of .ftpaccess files listed below:

  1. Blocking FTP access
    • from specific IP addresses/networks
    • from everywhere
    • from everywhere except for specific IP addresses/networks
  2. Restricting file and directory deletion
  3. Restricting file uploads and directory creation
    • for everyone except for specific FTP users
    • mixed setup
  4. Allowing only file uploads
  5. Restricting access to specific FTP users
  6. Allowing access only to specific FTP users
  7. Allowing file deletion only from specific IP addresses/networks
  8. Restricting file/directory permission changes to specific FTP users

1. Blocking FTP access

  • from specific IP addresses/networks

    To block FTP access to a directory from specific IP addresses (e.g. 1.2.3.4) and networks (e.g. all IP addresses starting with 5.6.7), add the following code block to an .ftpaccess file in that directory:

    <Limit ALL>
    Order allow,deny
    Deny from 1.2.3.4
    Deny from 5.6.7.
    </Limit>

    Note: Since .ftpaccess files do not work recursively, you will need to add a separate .ftpaccess file to all directories where you wish the custom FTP configuration to take effect.

  • from everywhere

    You can completely block FTP access to a directory by adding the following code block to an .ftpaccess file in that directory:

    <Limit ALL>
    Order allow,deny
    Deny from all
    </Limit>

    Note: Since .ftpaccess files do not work recursively, you will need to add a separate .ftpaccess file to all directories where you wish the custom FTP configuration to take effect.

  • from everywhere except for specific IP addresses/networks

    If you wish to block FTP access to a directory for everyone except for specific IP addresses (e.g. 1.2.3.4) and networks (e.g. all IP addresses starting with 5.6.7), add the following code block to an .ftpaccess file in that directory:

    <Limit ALL>
    Order allow,deny
    Allow from 1.2.3.4
    Allow from 5.6.7.
    Deny from all
    </Limit>

    Note: Since .ftpaccess files do not work recursively, you will need to add a separate .ftpaccess file to all directories where you wish the custom FTP configuration to take effect.

2. Restricting file and directory deletion

You can prevent the deletion of files and directories in a directory for all FTP users except for one (e.g. allowed_user) by adding the following code block to an .ftpaccess file in that directory:

<Limit DELE RMD XRMD>
AllowUser allowed_user
DenyAll
</Limit>

Note: Since .ftpaccess files do not work recursively, you will need to add a separate .ftpaccess file to all directories where you wish the custom FTP configuration to take effect.

3. Restricting file uploads and directory creation

  • for everyone except for specific FTP users

    If you wish to allow all FTP users to view the contents of the current directory, but prevent file uploads and directory creation for all except two FTP users (e.g. allowed_user_1 and allowed_user_2), you should add the following code block to an .ftpaccess file in that directory:

    <Limit WRITE>
    AllowUser allowed_user_1,allowed_user_2
    DenyAll
    </Limit>

    Note: Since .ftpaccess files do not work recursively, you will need to add a separate .ftpaccess file to all directories where you wish the custom FTP configuration to take effect.

  • mixed setup

    You can grant different FTP users access to different FTP commands, which allows you to build custom setups like the following:
    - one user (e.g. allowed_user_1) with access to file reading and directory listing without writing access
    - another user (e.g. allowed_user_2) without access to file reading but with directory listing and file/directory uploading access
    - a third user (e.g. allowed_user_3) with full access

    Add the following code block to an .ftpaccess file in the directory where you wish to achieve the setup listed above:

    <Limit READ>
    AllowUser allowed_user_1,allowed_user_3
    DenyAll
    </Limit>

    <Limit WRITE>
    AllowUser allowed_user_2,allowed_user_3
    DenyAll
    </Limit>

    Note: Since .ftpaccess files do not work recursively, you will need to add a separate .ftpaccess file to all directories where you wish the custom FTP configuration to take effect.

4. Allowing only file uploads

To prevent file reading and directory listing access and allow file uploads to a directory for all FTP users (overwriting of existing files will be possible), add the following code block to an .ftpaccess file in that directory:

<Limit ALL>
DenyAll
</Limit>

<Limit CDUP CWD XCWD XCUP PWD>
AllowAll
</Limit>

<Limit STOR STOU>
AllowAll
</Limit>

Important: The directory containing the .ftpaccess file will not be visible, so to access it you will need to connect to it directly in one of the following ways:

  • Entering the path to the directory containing the .ftpaccess file manually in your FTP client.
  • Configuring the directory containing the .ftpaccess file as the default remote directory in your FTP client.
  • Setting the directory containing the .ftpaccess file as the (root) Directory for the FTP users via the FTP Manager section of the hosting Control Panel. You can find more details about this section in our FTP Manager article.

Note: Since .ftpaccess files do not work recursively, you will need to add a separate .ftpaccess file to all directories where you wish the custom FTP configuration to take effect.
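The upload-only setup above and the mixed setup in example 3 both depend on which Limit section wins for a given command. The following simplified model is an added example, not ProFTPD code and not part of the original article. It assumes user-based rules only (Allow from/Deny from lines are ignored), the default Order allow,deny, and a subset of the command groups listed earlier; the function names and the user names any_user and other_user are hypothetical.

```python
import re

# Simplified model (an assumption, not ProFTPD source code): user-based rules only,
# default "Order allow,deny", and a subset of the command groups listed on this page.
GROUPS = {
    "READ": {"RETR", "SIZE"},
    "WRITE": {"APPE", "DELE", "MKD", "XMKD", "RMD", "XRMD", "RNTO", "STOR", "STOU"},
    "DIRS": {"CDUP", "XCUP", "CWD", "XCWD", "LIST", "NLST", "MDTM", "PWD", "XPWD", "RNFR"},
}
# Constructed inputs: example 4 (upload only) and the mixed setup from example 3.
UPLOAD_ONLY = ("<Limit ALL>\nDenyAll\n</Limit>\n<Limit CDUP CWD XCWD XCUP PWD>\nAllowAll\n"
               "</Limit>\n<Limit STOR STOU>\nAllowAll\n</Limit>\n")
MIXED = ("<Limit READ>\nAllowUser allowed_user_1,allowed_user_3\nDenyAll\n</Limit>\n"
         "<Limit WRITE>\nAllowUser allowed_user_2,allowed_user_3\nDenyAll\n</Limit>\n")

def parse_limits(text):
    """Return [(targets, rules)] for each <Limit ...> ... </Limit> section."""
    found = re.findall(r"<Limit\s+([^>]+)>(.*?)</Limit>", text, re.S | re.I)
    return [(targets.upper().split(),
             [line.split(None, 1) for line in body.splitlines() if line.strip()])
            for targets, body in found]

def section_allows(rules, user):
    """Order allow,deny: a matching Allow wins, then a matching Deny, otherwise allow."""
    def hit(kind):
        for rule in rules:
            name = rule[0].lower()
            names = rule[1].replace(",", " ").split() if len(rule) > 1 else []
            if name == kind + "all" or (name == kind + "user" and user in names):
                return True
        return False
    return hit("allow") or not hit("deny")

def is_allowed(text, user, command):
    """The most specific section decides: the command itself, then its group, then ALL."""
    sections = parse_limits(text)
    group = next((g for g, cmds in GROUPS.items() if command in cmds), None)
    for key in (command, group, "ALL"):
        for targets, rules in sections:
            if key in targets:
                return section_allows(rules, user)
    return True  # no section matches: this file adds no restriction for the command

if __name__ == "__main__":
    for cmd in ("STOR", "CWD", "LIST", "RETR", "DELE"):
        print("upload-only", cmd, is_allowed(UPLOAD_ONLY, "any_user", cmd))
    for user in ("allowed_user_1", "allowed_user_2", "allowed_user_3", "other_user"):
        print("mixed", user, {c: is_allowed(MIXED, user, c) for c in ("RETR", "STOR", "LIST")})
```

In the upload-only case LIST and RETR fall through to the ALL section and are denied, which is why the directory is not visible in a listing even though STOR succeeds.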

5. Restricting access to specific FTP users

You can prevent access to a directory for specific FTP users (e.g. restricted_user_1 and restricted_user_2) by adding the following code block to an .ftpaccess file in that directory:

<Limit ALL>
DenyUser restricted_user_1,restricted_user_2
</Limit>

Note: Since .ftpaccess files do not work recursively, you will need to add a separate .ftpaccess file to all directories where you wish the custom FTP configuration to take effect.

6. Allowing access only to specific FTP users

To grant access to a directory only for specific FTP users (e.g. allowed_user_1 and allowed_user_2), you should add the following code block to an .ftpaccess file in that directory:

<Limit ALL>
AllowUser allowed_user_1,allowed_user_2
DenyAll
</Limit>

Note: Since .ftpaccess files do not work recursively, you will need to add a separate .ftpaccess file to all directories where you wish the custom FTP configuration to take effect.

7. Allowing file deletion only from specific IP addresses/networks

Should you wish to allow the deletion of files in a directory only from specific IP addresses (e.g. 1.2.3.4) and networks (e.g. all IP addresses starting with 5.6.7), add the following code block to an .ftpaccess file in that directory:

<Limit DELE>
Allow from 1.2.3.4
Allow from 5.6.7.
DenyAll
</Limit>

Note: Since .ftpaccess files do not work recursively, you will need to add a separate .ftpaccess file to all directories where you wish the custom FTP configuration to take effect.

8. Restricting file/directory permission changes to specific FTP users

You can allow only specific FTP users (e.g. allowed_user_1 and allowed_user_2) to change file and directory permissions in a specific folder by adding the following code block to an .ftpaccess file in that directory:

<Limit SITE_CHMOD>
AllowUser allowed_user_1,allowed_user_2
DenyAll
</Limit>

The FTP users (allowed_user_1 and allowed_user_2) will be able to change the permissions of files and folders that they own, while all other FTP users will be unable to change the permissions of any files and folders (even if they own them).

Note: Since .ftpaccess files do not work recursively, you will need to add a separate .ftpaccess file to all directories where you wish the custom FTP configuration to take effect.