Just to be clear - the plugin NEVER uploads the config file - unless you explicitly ask for the file to be uploaded. So you have to open the file and execute "Upload file" or right click on the file and click "Upload". It should be pretty obvious to most users to not do that…
If you care about security, which you should, you should be using SFTP and SSH keys. FTP sends your password in the clear. SFTP without SSH keys requires that you either type in your password for every connection attempt, or you have it stored somewhere on disk. In the next release I am planning on offering an option for storing your configuration files in a separate location, and I have the intention of exploring integration with popular password vaults.
If you notice, the plugin was originally designed to just be SFTP, hence the name SFTP. I was not planning on supporting FTP due to the security issues related to it. The market spoke and demanded FTP support, so I added it. Just to reiterate, I highly recommend anyone using the plugin use SFTP with an SSH key.
Also, the author of that blog has contemptible security practices. Supposedly he crawled and emailed developers for hundreds of sites. However, he never even attempted to contact me to raise his concern or ask for a response. His behavior does not sound like much of a security "professional" to me.
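The weak and hardened configurations the comment above contrasts, plus a check you can run over a web root before publishing, as an added example that is not the plugin author's code. The field names ("type", "host", "user", "password", "ssh_key_file", "remote_path") are assumed from the plugin's documented sftp-config.json format, and the host, user, password and key path are constructed sample values.

```shell
#!/bin/sh
# Added example (not the plugin's own code): two sftp-config.json variants
# in the shape the SFTP plugin reads (field names assumed from its documented
# format, values constructed), plus a check for configs that still carry a
# password and would therefore leak credentials if ever uploaded.

# Weak: FTP with the password stored in the file. Anyone who obtains this
# file (e.g. because it ended up in the web root) gets the credentials, and
# FTP then sends that password in the clear on every connection.
WEAK_CONFIG='{
    "type": "ftp",
    "host": "example.com",
    "user": "deploy",
    "password": "hunter2",
    "remote_path": "/var/www/html"
}'

# Hardened: SFTP authenticated with an SSH key. No secret lives in the
# config file; the private key stays in ~/.ssh, outside any web root.
HARDENED_CONFIG='{
    "type": "sftp",
    "host": "example.com",
    "user": "deploy",
    "ssh_key_file": "~/.ssh/id_ed25519",
    "remote_path": "/var/www/html"
}'

# Print every sftp-config.json under $1 that has a non-empty "password".
# Returns 0 when none are found, 1 otherwise, so it can gate a deploy.
# (A plain for-loop over find output is used so the flag survives; paths
# with whitespace would need find -exec instead.)
check_sftp_configs() {
    dir=$1
    found=0
    for f in $(find "$dir" -name 'sftp-config.json' 2>/dev/null); do
        if grep -Eq '"password"[[:space:]]*:[[:space:]]*"[^"]+"' "$f"; then
            echo "$f"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Demo: write both variants into a scratch tree and run the check.
# Only the weak config is reported.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/site-a" "$tmp/site-b"
    printf '%s\n' "$WEAK_CONFIG" > "$tmp/site-a/sftp-config.json"
    printf '%s\n' "$HARDENED_CONFIG" > "$tmp/site-b/sftp-config.json"
    check_sftp_configs "$tmp"
    status=$?
    rm -rf "$tmp"
    return $status
}

demo || echo "credentials found in a config file above; switch it to SFTP with an SSH key"
```

Run `check_sftp_configs /path/to/webroot` against a deployed document root; any path it prints is a config whose password has already left your workstation, so rotate that password and replace the entry with key-based SFTP.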