Port 21 — FTP
FTP (File Transfer Protocol) is one of the oldest protocols on the internet — it dates back to 1971, before TCP/IP even existed. It runs on port 21 and does one thing: transfer files between computers. For decades, it was the way to upload website files to a server. And while FTP still works and is still widely used (especially in shared web hosting), it has a fundamental security problem: everything is sent in plaintext, including your username and password.
Today, the secure alternative is SFTP (SSH File Transfer Protocol), which runs on port 22 and encrypts everything. Most modern hosting providers support both, and you should always choose SFTP when available. But FTP isn't going away anytime soon — too much infrastructure depends on it.
FTP vs. SFTP vs. FTPS
These three protocols are often confused. They all transfer files, but they're fundamentally different under the hood:
| FTP (Port 21) | FTPS (Port 990) | SFTP (Port 22) | |
|---|---|---|---|
| Encryption | None — plaintext | TLS/SSL encryption | SSH encryption |
| Password security | Sent in cleartext | Encrypted | Encrypted (or key-based) |
| Firewall friendly | Problematic (two connections) | Problematic | Single port, easy |
| Based on | FTP protocol (1971) | FTP + TLS | SSH protocol |
| Support | Universal | Common | Modern servers |
SFTP is the recommended choice whenever available. It uses a single port (22), works cleanly through firewalls, and provides strong encryption. FTPS (FTP over TLS) is a decent middle ground when a server doesn't support SFTP but you need encryption.
FTP Client Setup (FileZilla)
FileZilla is the most popular FTP client. It supports FTP, FTPS, and SFTP — all from the same interface:
# Quick connect bar (at the top of FileZilla):
Host: ftp.yourdomain.com (or your server IP)
Username: your-ftp-username
Password: your-ftp-password
Port: 21 (FTP) or 22 (SFTP)
# For SFTP, use the Site Manager instead:
File → Site Manager → New Site
Protocol: SFTP - SSH File Transfer Protocol
Host: yourdomain.com
Port: 22
Logon Type: Normal (password) or Key fileOther solid FTP clients: WinSCP (Windows, SFTP-focused), Cyberduck (Mac/Windows), Transmit (Mac, paid), and terminal tools like sftp and rsync.
FTP Server Setup
vsftpd (Linux)
# Install vsftpd (Very Secure FTP Daemon)
sudo apt install vsftpd
# Configure — edit /etc/vsftpd.conf:
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
# Restart
sudo systemctl restart vsftpd
sudo systemctl enable vsftpdCommon Hosting Providers
Most shared hosting (cPanel, Plesk) still provides FTP credentials by default. You'll find them in your hosting control panel, usually under "FTP Accounts." However, check if your host also supports SFTP — most modern hosts do, and it uses the same SSH credentials.
How FTP Actually Works (Two Connections)
One quirk of FTP that causes endless firewall and NAT problems: it uses two separate connections. Port 21 is the control connection (sends commands like "list files" or "download this"). But the actual file data travels on a second, separate connection on a different port. This is why FTP often fails behind firewalls or NAT — the firewall sees the second connection as a new, unauthorized connection and blocks it.
Active mode — The server connects back to the client on a random port. Almost never works through firewalls.
Passive mode — The client initiates both connections. Much more firewall-friendly and is the default in most FTP clients today. If FTP directory listings fail but the connection works, switch to passive mode.
SFTP avoids this entire problem by running everything over a single SSH connection on port 22.
When FTP Is Still Used
Legacy shared hosting — Many budget hosting plans still provide FTP as the primary file upload method. cPanel's File Manager is essentially an FTP client in the browser.
Automated deployments (legacy) — Some older CI/CD pipelines still deploy via FTP. Modern alternatives: rsync over SSH, Git-based deployment, or cloud platform CLIs.
Printer and scanner firmware — Some network printers and scanners use FTP for scan-to-folder functionality.
Industrial and embedded systems — Manufacturing equipment, PLCs, and other embedded systems often only support FTP for firmware updates and file transfers.
Troubleshooting
"Connection refused" on port 21: FTP server isn't running or a firewall is blocking port 21. Verify the server is running (sudo systemctl status vsftpd) and that port 21 is open in your firewall.
Connected but can't list files: Passive mode issue. In FileZilla: Edit → Settings → Connection → FTP → change to Passive mode. If that doesn't help, the server's passive port range might be blocked by a firewall.
"530 Login incorrect": Wrong credentials, or the FTP user doesn't exist on the server. On Linux, FTP users are typically system users — verify the account exists and has a password set.