He may not be able to use scp, depending on whether he controls the host he is uploading to, but of course the point is generally valid. Where possible, scp is certainly a much safer plan.
Assuming you have to use FTP, at least consider using cURL, since this will hide the password from a ps command run by another user on the same system. IIRC wput will not do this, so a well-timed 'ps aux' by someone else on the same system will allow them to snoop the password.
Read this for more information on cURL hiding passwords from other users on a system
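As an added example (not part of the post above), this sketch goes one step further than relying on cURL to hide its arguments: it keeps the FTP password out of the argument list altogether by having curl read it from a private netrc file. The host, user and password in the comments are constructed, and `make_netrc` and `upload` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: FTP upload with curl where the password never appears in argv,
# so a 'ps aux' run by another local user has nothing to show.

# Read one line "host user password" from stdin and write it as a netrc entry
# to a new temp file. mktemp creates the file with mode 0600, so other users
# cannot read it. Prints the file's path.
make_netrc() {
    netrc=$(mktemp) || return 1
    IFS=' ' read -r host user pass || return 1
    printf 'machine %s login %s password %s\n' "$host" "$user" "$pass" > "$netrc"
    printf '%s\n' "$netrc"
}

# CURL can be overridden (for example with 'echo') to inspect the exact
# argument list without contacting a server.
CURL=${CURL:-curl}

# upload NETRC_FILE LOCAL_FILE HOST
# Only the netrc path, the local file name and a credential-free URL are
# passed as arguments; curl looks up the login for HOST in the netrc file.
upload() {
    "$CURL" --silent --show-error --netrc-file "$1" --upload-file "$2" "ftp://$3/"
}

# Typical use (constructed values), with the secret supplied on stdin rather
# than as an argument to any external command:
#   netrc=$(printf '%s\n' 'ftp.example.test alice constructed-password' | make_netrc)
#   upload "$netrc" ./backup.tar.gz ftp.example.test
#   rm -f "$netrc"
```

Delete the netrc file once the transfer finishes, since it holds the password in clear text for as long as it exists.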