In this tutorial, we’ll set up an FTP user account in cPanel that has limited access to specific directories. We’ll also cover how to change an existing FTP account to limit its access.
Since FTP accounts can upload, download, delete and change permissions on most files in the directories they have access to, it is often necessary to limit the directories an FTP account can access.
Why Restrict Users to Specific Directories?
The most common reason to restrict FTP users is to prevent them from making changes to certain parts of a website. Restricting access can also be useful if you want to make it possible for a user to upload media, but you don’t want to give them access to other areas.
But the most critical reason to restrict FTP users is security. An FTP user with full or root access can execute destructive commands. And while you may trust your users, what happens if their account is compromised, or if they make a mistake and edit files by accident?
It’s best to limit users to the locations and permissions that are necessary for them to do what they need to do and prevent them from venturing outside of those boundaries.
Creating a New FTP User Account With Limited Access in cPanel
Log in to cPanel, and in the “FILES” section, click the “FTP Accounts” link or icon.
Enter the FTP username for the account in the “Log In” field.
Enter the FTP password in both the “Password” and “Password (again)” fields.
The system will analyze your password or passphrase and reject it with a password strength error if it is too short or not sufficiently complex.
The “Directory” field is automatically populated with public_html/domain.tld/ftpuser (ftpuser is the username that you entered in the “Log In” field and domain.tld is the cPanel account domain).
Since we are creating a user with access to only a specific directory, replace /ftpuser in the “Directory” path with the name of the directory you wish to allow the user to access.
The subdirectory does not have to exist; cPanel will create it for you when the FTP user is created.
The user will also have access to any directories under the directory you specify here. So if your website structure looks like:
public_html/domain.tld/media/uploads/audio
public_html/domain.tld/media/uploads/video
and you give a user access to /uploads, they will have access to the /audio and /video directories under /uploads.
Setting a quota for the user will prevent them from uploading files once the quota is reached. To avoid that problem, leave the “Quota” set to “Unlimited.”
Click the “Create FTP Account” button.
When the user is created, you will see an “Account Created” success notice.
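The rule from the steps above, that an FTP user can reach every directory under the one you specify, can be checked across all of your FTP accounts at once. The following is an added example, not part of the original tutorial and not cPanel's own code; the account list, the protected paths and the function names are constructed for illustration.

```python
import posixpath

def normalize(path):
    """Collapse '.', '..' and repeated or trailing slashes in a relative path."""
    return posixpath.normpath("/" + path.strip()).lstrip("/")

def can_reach(ftp_dir, target):
    """True if target is the FTP directory itself or anything beneath it."""
    root, tgt = normalize(ftp_dir), normalize(target)
    if not root:  # account rooted at the top of the home directory
        return True
    # Compare whole path components so "uploads" does not match "uploads-private".
    return tgt == root or tgt.startswith(root + "/")

def audit(accounts, protected):
    """Map each login to the protected paths its directory exposes."""
    findings = {}
    for login, ftp_dir in accounts.items():
        hits = [p for p in protected if can_reach(ftp_dir, p)]
        if hits:
            findings[login] = hits
    return findings

# Constructed sample data: logins and the "Directory" value of each account.
# The entry containing ".." is normalized before it is compared.
ACCOUNTS = {
    "media@domain.tld": "public_html/domain.tld/media/uploads",
    "video@domain.tld": "public_html/domain.tld/media/uploads/video/",
    "old@domain.tld": "public_html/domain.tld/media/uploads/../..",
    "site@domain.tld": "public_html/domain.tld",
}
# Hypothetical paths that only the site owner should be able to change.
PROTECTED = [
    "public_html/domain.tld/config",
    "public_html/domain.tld/media/uploads-private",
]

if __name__ == "__main__":
    for login, paths in audit(ACCOUNTS, PROTECTED).items():
        print(f"{login} can reach: {', '.join(paths)}")
```

Accounts that appear in the output are candidates for deletion and re-creation with a narrower directory.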
Limiting Access for an Existing FTP Account
It is not possible to change the path for an FTP account in cPanel once it is set up, so the account has to be deleted and re-created.
On the “FTP Accounts” page in cPanel, scroll down to the “FTP Accounts” section. Click the “Delete” icon or link for the FTP user you wish to recreate.
Deleting an FTP account does not remove the directory as long as you make sure that the “Delete the User’s Home Directory” option is NOT checked when the account is deleted.
Re-create the user with the steps outlined under “Creating a New FTP User Account With Limited Access in cPanel.”
Can you think of any other circumstances where restricted FTP users might be useful? Do you make use of multiple FTP users to manage your website?