When you first start working with FTP, you’ll quickly hear about two key port numbers: 21 and 20. It's not just one port, but a pair, and understanding why is the first step to mastering file transfers. This design is fundamental to how FTP works.

Think of it like calling a business. You first dial the main reception number (Port 21) to state your purpose and get authenticated. Once you've requested a specific document, they transfer you to a different extension (Port 20) to actually receive it. This separation keeps the main line clear for new requests.

This dual-port system splits the commands from the data. For anyone in Australia managing a website, like a WordPress site, getting this right is crucial for setting up firewalls and making sure your file transfers don't get blocked.

Port 21: The Control Channel

Every FTP session begins on Port 21. When your FTP client (like FileZilla or Cyberduck) connects to a server, it's knocking on the door of Port 21. This is the control channel, and it's where all the management happens.

  • Authentication: You send your username and password through this port to log in.
  • Giving Orders: Once connected, you issue commands like LIST to see your files, RETR to download something, or STOR to upload a file.
  • Managing the Session: All the background chatter that keeps your connection alive and organised happens here.

Essentially, Port 21 is the mission control for your file transfer. It coordinates the entire operation but doesn't handle the actual file data itself.

Port 20: The Data Channel

After you've given a command on Port 21 (say, to download a big image file), a separate connection is opened to carry the data. In the classic setup, the server makes this connection from its Port 20. This is the data channel, and its sole purpose is to move your files back and forth.

This separation was a clever design choice for efficiency. By keeping commands and data on different channels, a large file transfer couldn't bog down the system and stop you from issuing new commands.

However, this classic two-port setup is often the culprit behind common connection issues. Modern firewalls are strict about connections they did not see you start, so a server trying to open a new, secondary connection from Port 20 often looks suspicious and gets blocked.

If this is all new to you, it might be helpful to take a step back. You can get a solid primer by reading our guide on what FTP is and how to use it.

Active vs. Passive FTP: A Practical Guide

Have you ever tried to connect to an FTP server, only for it to hang and eventually time out? It’s a classic problem, and the cause is often a misunderstanding of how FTP actually moves data. The culprit is usually the tug-of-war between two different methods: Active Mode and Passive Mode.

Figuring out which one to use is the key to solving most connection headaches. Let’s break it down with a simple analogy. Imagine you're arranging for a package to be delivered.

How Active FTP Mode Works

In Active Mode, your computer (the client) kicks things off by connecting to the server's command port, Port 21. It sends a message saying, "Hi, I'm ready for a file. Please send it back to me on my Port X." The server then opens a separate, new connection from its data port (Port 20) back to that specific port on your computer to send the file.

Think of it like calling a courier and giving them your home address. You're telling them exactly where you are and expecting them to show up at your front door. It sounds simple enough, but this is where modern security gets in the way.

The big problem with Active Mode is your firewall. Most firewalls on your computer or home router are set up to reject any connection they didn't see you start. When the FTP server tries to connect back to your machine, your firewall sees an unsolicited incoming request and slams the door shut. The result? The connection fails, and the file transfer never starts.

The diagram below shows this classic FTP port setup, with one channel for commands and another for data.

[Diagram: FTP port process flow showing the client, the control connection (port 21), and the data connection (port 20).]

This separation of control (Port 21) and data (Port 20) is precisely what causes the firewall conflict in Active Mode.

The Modern Fix: Passive FTP Mode

This is where Passive Mode saves the day. It cleverly flips the script, making the whole process much friendlier to firewalls.

Let’s go back to our courier analogy. With Passive Mode, you call the service and ask them to leave your package in a secure locker at their depot. Instead of them coming to you, you go to a designated spot to pick it up.

Here’s how Passive Mode works in practice:

  1. Your computer connects to the server’s command port, Port 21, just like before.
  2. When it's time to transfer a file, your client asks the server to enter "passive" mode.
  3. The server replies, "Sure thing. I've opened up Port 55535 for you. Connect there to get your file."
  4. Your computer then starts a second connection to that high-numbered port to download the data.

Because your computer initiates both connections (the command and the data), your firewall sees them as legitimate outgoing traffic and lets them pass without issue. This simple change is why Passive Mode is now the standard. It sidesteps the firewall problem entirely, which is why popular FTP clients like FileZilla default to it.
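The two negotiations described above can be read straight off the control channel. As an added example (not part of the original article), this Python code parses the client's PORT command and the server's 227 reply, whose last two numbers encode the data port as p1 × 256 + p2. The IP addresses and the 50000-60000 passive range are assumed sample values.

```python
import re

# Both PORT and the 227 reply carry six comma-separated numbers:
# h1,h2,h3,h4 are the IPv4 octets; p1,p2 are the high and low bytes of the port.
_HOSTPORT = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")


def parse_hostport(text):
    """Return (ip, port) from a PORT command or a 227 passive-mode reply."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 field in {text!r}")
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"field out of range in {text!r}")
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]


def data_connection(control_line, passive_range=(50000, 60000)):
    """Describe the data connection that one control-channel line sets up.

    passive_range is an assumed value: substitute the range your own
    FTP server and firewall are configured with.
    """
    ip, port = parse_hostport(control_line)
    if control_line.upper().startswith("PORT"):
        # Active mode: the client told the server where to connect back to.
        return {"mode": "active", "initiator": "server", "listener": (ip, port),
                "firewall_must_allow":
                    f"inbound to client {ip}:{port} from server port 20"}
    if control_line.startswith("227"):
        # Passive mode: the server told the client where to connect.
        lo, hi = passive_range
        return {"mode": "passive", "initiator": "client", "listener": (ip, port),
                "firewall_must_allow": f"inbound to server {ip}:{port}",
                "in_passive_range": lo <= port <= hi}
    raise ValueError("not a PORT command or a 227 reply")


if __name__ == "__main__":
    # Constructed control-channel lines using documentation IP addresses.
    for line in ("PORT 192,0,2,10,195,80",
                 "227 Entering Passive Mode (203,0,113,5,216,239)"):
        print(line, "->", data_connection(line))
```

A passive reply whose port falls outside the range your server firewall opens is the usual reason a login succeeds but the directory listing then hangs.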

The Hidden Security Risks of Standard FTP

Relying on the standard FTP protocol is a bit like shouting your website's login details across a crowded room. While it might seem straightforward, it transmits everything—usernames, passwords, and your valuable site files—as plain, unencrypted text. This isn't just a small oversight; it's a massive security vulnerability that leaves your entire digital presence exposed.

Think about it. You're at a café, using the public Wi-Fi to make a quick update to your WordPress site. Unbeknownst to you, someone else on that same network could be "listening in" on your connection. Using simple, freely available software, they can intercept your FTP traffic and read your login credentials as clearly as if you'd written them on a napkin for them.

This isn't just a hypothetical scenario. It's a very real threat that leads to defaced websites, stolen customer data, and a badly damaged reputation. Once a malicious actor gets hold of your FTP details, they essentially have the keys to your online kingdom.

Why Plain Text Transmission Is Unacceptable

The core failing of the standard FTP protocol is its complete absence of encryption. When your data is sent as plain text, it means it has absolutely no defence against prying eyes.

Here’s exactly what’s laid bare during a standard FTP session:

  • Your username and password: Handing an attacker full administrative control.
  • Your files: Allowing them to download, alter, or even delete your website's content.
  • Server information: Revealing technical details about your hosting setup that could be exploited in more advanced attacks.

This inherent weakness is precisely why modern security standards have moved on from FTP. Its flaws aren't something you can just patch or configure away—they are baked into the protocol's DNA from a time long before today's cyber threats existed.

The heart of the problem is that standard FTP was born in an era before widespread cybercrime was a reality. It was designed for simple file sharing on trusted, private networks, not for the hostile environment of the modern internet. For any contemporary business, especially an e-commerce store handling customer data, using FTP is a risk that's simply not worth taking.
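To see what that exposure looks like in practice, the following added example (not from the original article) audits captured control-channel text and reports whether a username, a password or a file command crossed the wire before any TLS upgrade. Both sessions are constructed samples, and the password value itself is never returned.

```python
# Constructed sample captures (not real traffic).
PLAIN_SESSION = [
    "220 FTP server ready",
    "USER siteadmin",
    "331 Password required",
    "PASS correct-horse-battery",
    "230 Login successful",
    "RETR wp-config.php",
]
EXPLICIT_FTPS_SESSION = [
    "220 FTP server ready",
    "AUTH TLS",
    "234 Proceeding with negotiation",
    # From here on a capture holds only TLS records; USER and PASS are inside them.
]


def audit_control_channel(lines):
    """Report what a passive observer can read from one FTP control session.

    `lines` is the control-channel text in capture order, both directions.
    Only the fact that a password was exposed is recorded, never its value.
    """
    report = {"tls_upgraded": False, "exposed_user": None,
              "password_exposed": False, "commands_exposed": []}
    auth_requested = False
    for raw in lines:
        if report["tls_upgraded"]:
            break  # everything after the upgrade is ciphertext on the wire
        line = raw.strip()
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
            auth_requested = True          # client asks for explicit FTPS
        elif verb == "234" and auth_requested:
            report["tls_upgraded"] = True  # server accepted; handshake follows
        elif verb == "USER":
            report["exposed_user"] = arg
        elif verb == "PASS":
            report["password_exposed"] = True
        elif verb in ("LIST", "RETR", "STOR"):
            report["commands_exposed"].append(line)
    return report


if __name__ == "__main__":
    for name, session in (("plain FTP", PLAIN_SESSION),
                          ("explicit FTPS", EXPLICIT_FTPS_SESSION)):
        print(name, "->", audit_control_channel(session))
```

Run over your own network captures, a report with `password_exposed` set identifies clients that still need to be moved off plain FTP.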

The Documented Dangers of Exposed Ports

The risks of using unencrypted protocols are not just theoretical; they're thoroughly documented. Extensive security research looking at global internet exposure has repeatedly shown the dangers of leaving administrative services open. One such report found millions of systems exposing critical file-sharing ports, highlighting just how widespread this vulnerability is.

For Australian e-commerce businesses and WordPress site owners managed by providers like Webby, these findings reinforce why proactive security is essential. Fortunately, the industry is making a much-needed shift. Secure protocols like SSH now outnumber their older, insecure counterparts in over 50% of regions globally, showing a clear and growing awareness of the risks. You can review the full findings about internet exposure patterns to understand just how critical this transition is.

Choosing Your Secure Alternative: SFTP vs. FTPS

With the glaring security problems of standard FTP, it’s simply no longer a safe option for transferring files. Thankfully, two secure, modern protocols have stepped in to replace it: FTPS (FTP over SSL/TLS) and SFTP (SSH File Transfer Protocol).

Although their names sound almost identical, they are completely different technologies under the hood. Getting your head around the difference is vital for choosing the right setup for your website's security.

Think of it like securing an old warehouse. FTPS is like adding a brand-new, high-tech alarm system and reinforced locks to that existing warehouse. It’s still the same old building (the FTP protocol), but you've bolted a strong layer of security—SSL/TLS encryption—on top.

SFTP, on the other hand, is like deciding to build a brand-new, high-security fortress from the ground up to store your goods. It’s a completely different protocol built on the ultra-secure SSH (Secure Shell) framework, the same rock-solid technology used for secure server administration.

FTPS: The Secured Upgrade

FTPS takes the classic FTP framework and wraps it in the same encryption that protects your online banking and shopping—SSL/TLS, the tech behind HTTPS websites. While this does a great job of encrypting your data, it unfortunately inherits one of FTP’s biggest logistical headaches: its messy use of multiple ports.

An FTPS session still needs a command port and a separate data port, which can bring back those same frustrating firewall issues we see with Passive Mode FTP. Trying to correctly configure a firewall to allow this complex, multi-port communication can be tricky and often leads to connection errors.

SFTP: The Modern Standard

This is exactly where SFTP shines, and it’s the main reason why it has become the go-to choice for almost all WordPress developers and quality hosting providers today. SFTP isn't just a secured version of FTP; it's an entirely different protocol built from the ground up on the robust SSH protocol.

Its biggest advantage is its sheer simplicity and reliability. SFTP uses a single port for everything—both commands and data transfers. This is almost always Port 22, the standard port for all SSH traffic.

Because SFTP channels all its traffic through one single, predictable port, it is exceptionally firewall-friendly. There are no complex passive port ranges to open up or tricky negotiations between the client and server. It just works.

For businesses looking to move beyond the inherent risks of standard FTP, a comprehensive guide to secure data transfer can provide valuable insights into protecting sensitive information.

Comparison of FTP, FTPS, and SFTP

To make the choice even clearer, let's break down the key differences between the three main file transfer protocols. While both FTPS and SFTP are secure, their underlying architecture creates a huge difference in usability and reliability. In many ways, picking the right file transfer protocol is as important as choosing the right SSL certificate for your website—both are crucial for building trust and ensuring security.

| Feature | Standard FTP | FTPS (FTP over SSL/TLS) | SFTP (SSH File Transfer Protocol) |
| --- | --- | --- | --- |
| Security | None (plaintext) | Strong (SSL/TLS Encryption) | Strong (SSH Encryption & Authentication) |
| Foundation | Old FTP protocol | Built on the old FTP protocol | Built on the modern SSH protocol |
| Port Usage | Uses multiple ports (e.g., 21 and a data range) | Uses multiple ports (e.g., 990 or 21 and a data range) | Uses a single port (Port 22) for all traffic |
| Firewall Friendliness | Can be complex to configure | Can be complex to configure | Extremely simple and reliable |

For the vast majority of WordPress site owners in Australia, the verdict is clear. SFTP is the superior choice. Its powerful security, combined with the simplicity of using a single port, makes it far more reliable, easier to troubleshoot, and the undisputed modern standard for managing your website files securely.

Practical Security Steps for Your WordPress Site

Alright, let's move from theory to action. Understanding how FTP ports work is great, but what really counts is using that knowledge to lock down your website. Here's a straightforward checklist to make your WordPress site significantly more secure right now.

These aren't just suggestions; they are the practical standards that keep valuable data safe and businesses running smoothly. By putting these measures in place, you’re not just protecting your site—you’re protecting your customers’ trust and your reputation.

Your Security Checklist

Let’s start with the single most important change you can make: switching exclusively to SFTP. Just doing this one thing closes the door on the plain-text security risks of standard FTP and sidesteps the firewall headaches of FTPS.

  • Always Use SFTP on Port 22: When you set up your file transfer client, like FileZilla, make sure you explicitly choose SFTP as the protocol and enter 22 for the port. This guarantees that your login details and every file you transfer are fully encrypted.

  • Ask Your Host to Disable Legacy FTP: Get in touch with your hosting provider and request that they turn off standard FTP access (Ports 20 and 21) for your account entirely. This shuts down a common security hole that attackers actively search for, shrinking your site's overall "attack surface."

This approach isn't just a good idea; it's how major organisations handle security. For example, the Australian Bureau of Statistics requires its secure DataLab to use only encrypted channels for data transfer, completely blocking insecure protocols like standard FTP. You can see more on how government-level security is handled to understand just how critical this is.
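One way to confirm both checklist items from outside your own server, as an added example rather than code from the original article: connect to ports 21 and 22 and classify whatever greets you. The function names are chosen for this example, and it assumes you run it against a host you manage, passed as the first command-line argument.

```python
import socket
import sys


def probe_port(host, port, timeout=3.0):
    """Return the first line a service sends on connect, "" if it stays
    silent, or None if the connection is refused or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256).decode("ascii", "replace").splitlines()[0]
            except (socket.timeout, IndexError):
                return ""
    except OSError:
        return None


def classify_banner(banner):
    """Map a greeting line to the service that sent it."""
    if banner is None:
        return "closed"
    if banner.startswith("SSH-"):   # SSH servers identify as "SSH-2.0-..."
        return "ssh"
    if banner.startswith("220"):    # FTP servers greet with a 220 reply
        return "ftp"
    return "unknown"


def audit_host(host, probe=probe_port):
    """Check the two checklist items: legacy FTP off, SFTP (SSH) on port 22.

    `probe` can be swapped for a stub so the logic is testable offline.
    """
    found = {port: classify_banner(probe(host, port)) for port in (21, 22)}
    issues = []
    if found[21] != "closed":
        issues.append("port 21 still accepts connections: "
                      "ask your host to disable legacy FTP")
    if found[22] != "ssh":
        # Expected if port 22 is limited to trusted IPs and you are not on one.
        issues.append("port 22 is not answering as SSH: "
                      "SFTP is unavailable or filtered from this address")
    return {"services": found, "issues": issues}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit.py <your-own-hostname>")
    result = audit_host(sys.argv[1])
    print(result["services"])
    for issue in result["issues"]:
        print("WARN:", issue)
```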

Configure Your Firewall Correctly

A properly configured firewall adds another crucial layer of defence. The beauty of SFTP is that it uses a single port, which makes setting up your firewall much simpler and more secure.

The aim is to create a "deny by default" rule, where only specific, trusted traffic gets through. By limiting access to just SFTP on Port 22, you stop potential attackers from even knocking on the door of other, more vulnerable ports. This is a core principle of modern network security.

If you happen to manage your own server firewall, you can strengthen your defences even further by allowing inbound connections on Port 22 from trusted IP addresses only.

Remember, strong security is a vital part of a solid backup plan. You can learn more about how to backup your WordPress website in our detailed guide. Taking these practical steps helps build a much more resilient and secure foundation for your entire online presence.

FTP Ports: Your Questions Answered

When you're trying to manage your website's files, running into connection problems or worrying about security can be a real headache. To help you get your files where they need to go, we've put together answers to the most common questions we hear about FTP ports. Think of this as your quick-reference guide for getting things sorted.

My FTP Client Won't Connect. What's the Most Common Port Problem?

Nine times out of ten, a failed connection comes down to a firewall getting in the way. This is a classic problem with traditional FTP because it’s a surprisingly complex protocol. It needs Port 21 open for commands, but then it tries to open a second channel for the actual data transfer. In Passive Mode, this second channel uses a wide, unpredictable range of ports, which most firewalls are right to block.

This is exactly why we always recommend using SFTP instead. It keeps things simple and secure by running everything—commands and data—through a single connection on Port 22.

If you're stuck, your first move should be to double-check that you're using SFTP and aiming for Port 22. If it still doesn't work, the blockage is probably on your side. The firewall on your own computer or your office network is likely stopping the connection. You might need to add a rule to specifically allow outbound traffic on that port.

Should I Use SFTP or FTPS for My WordPress Site?

For just about any WordPress site owner in Australia, the answer is clear: SFTP (SSH File Transfer Protocol) on Port 22 is the way to go. It gives you robust security without the network headaches. Since it only uses one port, you get to sidestep all the tricky firewall rules that make FTPS so frustrating.

While FTPS is also secure, it’s built on the same messy, two-port foundation as its ancient predecessor, FTP. This often leads to baffling connection errors that are a nightmare to troubleshoot. Unless your web host has a specific, compelling reason to use it, stick with SFTP. It’s the modern, reliable standard for managing your site's files.

Can I Disable FTP if I Only Use the WordPress Dashboard?

Yes, and you absolutely should! This is a fantastic security practice. If you handle all your themes, plugins, and media uploads through the WordPress admin area and never touch an FTP client, shutting down file transfer access is a very smart move.

Doing this shrinks your site’s "attack surface"—a security term for the number of potential entry points a hacker could target. Fewer entry points mean a more secure website. Just get in touch with your hosting provider and ask them to disable all FTP and SFTP services for your hosting account. It’s a simple way to harden your site.

Does Using SFTP Slow Down My File Transfers?

The short answer is no, not really. While SFTP's encryption does add a tiny bit of processing work compared to sending files unencrypted with plain FTP, the difference in speed is practically zero for day-to-day website tasks. When you’re uploading a few images or a plugin file, any delay is measured in milliseconds.

The huge security advantage you get from protecting your login details and website data is worth far more than any tiny speed difference. The financial and reputational damage from a data breach is a much bigger risk than a fractional-second delay on an upload. Always prioritise security over a negligible speed gain.


Keeping your WordPress site secure and running at its best can feel like a full-time job. If you’d rather have an expert team manage the technical side of things, Webby Website Optimisation offers specialised WordPress help and support. From proactive maintenance and security to emergency fixes, we ensure your site is fast, safe, and reliable, so you can focus on what you do best. Learn more about our WordPress support plans.
