This issue is actually very, very serious.
When you create an STx project and you want FTP capabilities, you must create a sftp-config.json in a local folder that is the equivalent of the document root on the server. Each, any and every time you make a change to this sftp-config.json, it gets UPLOADED TO THE SERVER.
There is no way around this security hole given the current structure of the SFTP Plug-in.
The solution needs to be that the sftp-config.json gets stored above the document root.
Ideally, we would be able to store this file in the same place that the server credential’s copy of the sftp-config.json gets stored so we do not need to have 2 copies of it on our local machine.
Currently, on a Win7 machine, the sftp server file also exists at C:\Users\{username}\AppData\Roaming\Sublime Text 3\Packages\User\sftp_servers.
The server configuration file needs to exist once and in a local folder that is not a compromise to site security.
There is no reason the sftp-config.json file needs to reside on the server. I saw thread posts above on preventing browser access via .htaccess file and Apache directives. Essentially, they miss the point that having this open text file floating around on the server with FTP credentials is serious business. The root problem needs to be addressed – not server-side patchwork to make up for the plug-in’s shortcoming.
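
Added example, not part of the original post and not the plug-in's own code: a server-side audit that walks a document root, finds any sftp-config.json that has been uploaded, and reports which host and user it names and whether a password is stored in it, without printing the secret. The key names (`host`, `user`, `password`, `ssh_key_file`, `remote_path`) and the use of `//` comments and trailing commas in the file are assumptions about the plug-in's config format; the sample content is constructed.

```python
import json
import os
import re
import tempfile

_STRING = r'"(?:\\.|[^"\\])*"'

def _drop(pattern, text):
    """Delete matches of `pattern` that lie outside JSON string literals."""
    rx = re.compile(_STRING + "|" + pattern, re.S)
    return rx.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)

def parse_sftp_config(text):
    """Parse JSON that may carry // or /* */ comments and trailing commas."""
    text = _drop(r"//[^\n]*|/\*.*?\*/", text)
    text = _drop(r",(?=\s*[}\]])", text)
    cfg = json.loads(text)
    return cfg if isinstance(cfg, dict) else {}

def audit_docroot(docroot):
    """Return one finding per sftp-config.json under docroot (no secret values)."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        if "sftp-config.json" not in files:
            continue
        path = os.path.join(dirpath, "sftp-config.json")
        with open(path, encoding="utf-8", errors="replace") as fh:
            raw = fh.read()
        try:
            cfg = parse_sftp_config(raw)
        except ValueError:
            cfg = {}  # unreadable, but its presence is still reported
        findings.append({"path": os.path.relpath(path, docroot),
                         "host": cfg.get("host"), "user": cfg.get("user"),
                         "has_password": bool(cfg.get("password"))})
    return findings

# Constructed sample, not a real server or credential (key names assumed).
SAMPLE = """{
    // comment lines like this are why json.loads alone fails
    "type": "sftp", "host": "example.com", "user": "deploy",
    "password": "not-a-real-password",
    //"ssh_key_file": "~/.ssh/id_rsa",
    "remote_path": "/var/www/html/",
}"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "sftp-config.json"), "w") as fh:
            fh.write(SAMPLE)
        print(audit_docroot(root))
```

Any finding means the credentials in that file should be treated as exposed and rotated, not just the file deleted.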