I am aware of the feature request to store configuration in a different location than the local root of your project. It is on the list for the next feature release. I have also been working on the integration of various operating system password vaults to use for storing passwords in.
As I explained above - with the default configuration, there is no security hole. The sftp-config.json is ignored unless the user explicitly opens the file, or right-clicks on it and uploads it.
It certainly is possible that if you use the FTP protocol and use another FTP program and upload your credentials file to the server, it will be visible. I would recommend against doing so. If you use the SFTP package and don't blow away the default ignore settings, this won't be a problem. If instead you insist on using another FTP program and uploading a whole folder at a time, you have a few choices:
- Use the SFTP protocol and an SSH key so that your password is not stored in sftp-config.json. The FTP protocol is a bad idea anyway since it sends your credentials in the clear.
- Set your other FTP program to ignore sftp-config.json.
- Use a separate checkout of your code with other editors/FTP programs.
- Don't set the root of your project as your document root. Many projects contain other passwords in them - having your project root be one folder above your document root is a good idea.
- Stop using the SFTP package until the next version comes out.
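One way to check a working copy against the advice in the reply above, as an added example that is not the SFTP package's own code: it walks a project tree, parses every sftp-config.json and reports the conditions the reply warns about (FTP instead of SFTP, a password kept in the file instead of an SSH key, and an ignore list that no longer excludes the config file). The key names `type`, `password`, `ssh_key_file` and `ignore_regexes` are assumed to be the ones the package uses, and the two sample configs are constructed.

```python
import json
import re
from pathlib import Path

CONFIG_NAME = "sftp-config.json"

def _strip_comments(text: str) -> str:
    # The generated config contains // comment lines, which plain JSON rejects.
    return re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)

def audit_config(text: str) -> list[str]:
    """Return findings for one sftp-config.json body (empty list = nothing to report)."""
    cfg = json.loads(_strip_comments(text))
    findings = []
    if cfg.get("type") == "ftp":
        findings.append("type is ftp: credentials travel in the clear, use sftp")
    if cfg.get("password"):
        findings.append("password is stored in the file, prefer ssh_key_file")
    patterns = cfg.get("ignore_regexes")  # assumed key name
    if patterns is None:
        findings.append("ignore_regexes missing: confirm the package default still applies")
    elif not any(re.search(p, CONFIG_NAME) for p in patterns):
        findings.append("ignore_regexes no longer excludes " + CONFIG_NAME)
    return findings

def audit_tree(root: Path) -> dict[str, list[str]]:
    """Audit every sftp-config.json below root, keyed by path relative to root."""
    return {str(p.relative_to(root)): audit_config(p.read_text())
            for p in root.rglob(CONFIG_NAME)}

# Constructed sample configs; the host, user and password are placeholders.
WEAK = """{
    "type": "ftp",
    "host": "ftp.example.com",
    "user": "deploy",
    "password": "hunter2",
    "ignore_regexes": ["\\\\.git/"]
}"""
OK = """{
    // comment line, as the generated file contains
    "type": "sftp",
    "host": "sftp.example.com",
    "user": "deploy",
    "ssh_key_file": "~/.ssh/id_ed25519",
    "ignore_regexes": ["\\\\.sublime-(project|workspace)", "sftp-config(-alt\\\\d?)?\\\\.json"]
}"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("ok", OK)):
        print(name, audit_config(text) or ["no findings"])
```

Run `audit_tree(Path("."))` from a project root to check every config in a checkout before it is uploaded with another FTP program.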