What is FTP? Learn how File Transfer Protocol works, why it’s insecure, and how sFTP replaces it. Complete guide to FTP vs sFTP vs FTPS for 2026 hosting.
If you’ve ever needed to move files between computers over a network, you’ve encountered the problem FTP was designed to solve. But what is FTP exactly, and why does a protocol from 1971 still show up in modern hosting documentation?
FTP stands for File Transfer Protocol – a standardized method for transferring files between a client (your computer) and a server (your hosting) over a network connection. The question “what is FTP” comes up frequently because the protocol’s name appears everywhere in hosting tutorials despite being largely replaced by more secure alternatives.
Understanding what is FTP, how it works, and why it’s being phased out helps explain modern hosting documentation. This article covers the technical reality of FTP, when it’s still useful, and why you’ll increasingly see “sFTP” or “FTPS” recommended instead.
TL;DR
FTP is a client-server protocol designed to transfer files over TCP/IP networks. The protocol specification defines how a client connects to a server, authenticates with credentials, navigates directories, and uploads or downloads files.
At the network level, FTP operates on port 21 for the control connection. When you connect to an FTP server, your client establishes a command channel that handles login, directory listing, file operations, and other instructions. File transfers themselves use a separate data connection on a dynamically assigned port.
This two-channel architecture is what makes FTP both powerful and complicated. The control connection stays open throughout your session while data connections open and close as needed for each file transfer. Firewalls and NAT routers struggle with this design because they can’t predict which ports FTP will use for data transfers.
When you connect to an FTP server, the process follows this sequence:
The client initiates a TCP connection to the server’s port 21. The server responds with a welcome message and waits for credentials. The client sends a username, then a password. The server authenticates and grants access to the file system within the configured permissions.
From there, you can navigate directories, list files, upload new files, download existing files, delete files, rename items, and change permissions. Every action sends a command through the control channel. File transfers open a new data connection for the duration of that specific transfer.
FTP supports two transfer modes that determine how the data connection is established: Active and Passive. In Active mode, the server initiates the data connection back to the client. In Passive mode, the client initiates both connections. Passive mode resolves most firewall problems, which is why modern FTP clients default to it.
FTP was designed in 1971 when the internet was a small, trusted network of research institutions. Security wasn’t a primary concern. The protocol sends credentials and file contents in cleartext – anyone monitoring network traffic can intercept passwords and read transferred files.
This fundamental design flaw is why FTP persists as a teaching example of “what not to do in network protocol design” despite its continued use. The protocol works reliably for file transfer, but it does nothing to protect that transfer from eavesdropping or tampering.
Modern hosting environments offer encrypted alternatives to plain FTP. The naming is confusing because “SFTP” and “FTPS” sound similar but work completely differently.
| Protocol | Full Name | Encryption | Port | How It Works | |—|—|—|—| | FTP | File Transfer Protocol | None (cleartext) | 21 | Original protocol from 1971; everything unencrypted | | FTPS | FTP Secure (FTP over TLS) | TLS/SSL | 21 or 990 | Adds encryption layer to FTP; same protocol underneath | | sFTP | SSH File Transfer Protocol | SSH encryption | 22 (or custom) | Completely different protocol; runs over SSH tunnel |
FTPS is FTP with TLS encryption bolted on. It uses the same two-channel architecture as regular FTP but wraps the connections in SSL/TLS. Configuration is more complex because both the control and data channels need separate TLS handshakes. FTPS works in two modes: Explicit (starts as FTP then upgrades to TLS) and Implicit (TLS from the start).
sFTP is not “secure FTP” despite what the name suggests. It’s an entirely separate protocol that runs over an SSH connection. sFTP uses a single encrypted tunnel for all operations – no separate data channel, no dynamic ports, no firewall headaches. This makes sFTP simpler to configure and more reliable through NAT.
When hosting documentation says “use sFTP,” they mean the SSH-based protocol, not FTP with security added. The protocols are incompatible – an FTP client configured for port 21 won’t connect to an sFTP server on port 22.
FTP clients provide the graphical interface for file transfers. The most common options are FileZilla (cross-platform, free, supports FTP/FTPS/sFTP), WinSCP (Windows, free, excellent for sFTP), Cyberduck (Mac/Windows, clean interface), and Transmit (Mac, paid, professional features).
These clients all work similarly: local files on one side, remote server files on the other, drag and drop to transfer. The client handles the protocol complexity – establishing connections, managing authentication, queuing transfers, retrying failures, and maintaining directory synchronization.
Modern FTP clients support all three protocols (FTP, FTPS, sFTP) through different connection profiles. You select the protocol type, enter credentials, and the client handles the rest. This abstraction is why many users don’t realize they’re using sFTP instead of FTP – the interface looks identical.
Configuration differs by protocol. FTP needs hostname and port 21. FTPS adds an encryption setting. sFTP needs SSH credentials and possibly a private key file. The client documentation explains these options, but the core interface remains the same across protocols.
Despite security problems, FTP appears in several legitimate contexts:
Legacy systems and old software sometimes require FTP because they were built before secure alternatives existed. Updating these systems costs more than the perceived security risk, so FTP persists. Internal networks behind firewalls sometimes use FTP for bulk transfers where encryption overhead isn’t justified. Embedded devices and network equipment often include basic FTP servers for firmware updates or configuration backups.
These use cases don’t justify FTP for modern web hosting. If your hosting account uses FTP for website management, that’s a red flag. Any hosting provider in 2026 should support sFTP or FTPS as the minimum standard for file access.
The argument “but I’m just uploading HTML files, what’s the risk” misses the point. FTP sends your hosting password in cleartext. Someone capturing that password gains full access to your server, databases, email accounts, and any other services tied to those credentials. The security risk isn’t the files you transfer – it’s the credentials you expose every time you connect.
Current hosting platforms have moved beyond FTP entirely. The replacement options include sFTP over SSH (encrypted, single connection, works through firewalls), web-based file managers built into control panels, Git-based deployment (push code from repository to server), and rsync for efficient synchronization.
These alternatives solve FTP’s fundamental problems. sFTP encrypts everything including credentials. Web file managers run over HTTPS. Git and rsync support secure authentication through SSH keys. None of these protocols expose passwords to network sniffing.
WebHostMost is a clear example of this shift. We don’t support FTP at all – the protocol is completely disabled on our infrastructure. Instead, we provide sFTP access on port 2323 using SSH key authentication. Every file transfer happens through an encrypted tunnel. Your credentials never touch the network in cleartext.
This approach eliminates an entire category of security vulnerabilities. Users can’t accidentally connect with unencrypted FTP because the server simply doesn’t listen on port 21. The only option is sFTP, which forces secure practices by default.
Before troubleshooting FTP connection issues, understanding transfer modes helps:
| Mode | Who Initiates Data Connection | When It Fails | Recommended Use |
|---|---|---|---|
| Active | Server connects back to client | Client behind firewall/NAT (home networks, offices) | Avoid in modern environments |
| Passive | Client initiates both connections | Server behind restrictive firewall (rare with proper hosting) | Default choice for most situations |
In FTP clients like FileZilla: Edit → Settings → Connection → FTP → Transfer Settings → Passive. This single setting resolves most “connection established but directory listing fails” problems.
Active mode worked fine in the 1970s when clients had direct internet connectivity. Modern home routers using NAT make this impossible – the server can’t initiate connections back to the client’s internal IP address. Passive mode fixes this by having the client initiate all connections.
| Symptom | Likely Cause | Fix |
|---|---|---|
| Connection refused on port 21 | Server doesn’t support FTP, or ISP blocks port | Verify server supports FTP; try sFTP instead |
| Connection timeout | Wrong hostname, server offline, or network issue | Check hostname spelling; verify server status |
| Login incorrect | Wrong credentials or username format | Verify username (may need user@domain format) |
| Connected but can’t list directories | Firewall blocking passive mode | Switch client to Passive mode in settings |
| Transfer starts then freezes | Active mode with NAT router | Use Passive mode; check firewall rules |
| SSL certificate error (FTPS) | Certificate not trusted by client | Review certificate details; click Accept if legitimate |
| Permission denied on upload | Insufficient permissions on server directory | Check file permissions (755 for directories, 644 for files) |
| Files uploaded but don’t appear | Wrong directory, or cache issue | Verify you’re in public_html or correct web root |
| “Too many connections” error | Previous session didn’t disconnect cleanly | Wait 5 minutes for server timeout; restart client |
| Binary vs ASCII mode issues | Wrong transfer mode for file type | Use Binary mode (default in modern clients) |
| Server doesn’t support sFTP | Trying to use sFTP with FTP-only server | Confirm server capabilities; may need FTPS instead |
FTP (File Transfer Protocol): Network protocol from 1971 for transferring files between computers. Uses port 21. Sends all data unencrypted.
Control Connection: The command channel in FTP that handles login, directory navigation, and file operations. Stays open throughout the session.
Data Connection: Separate channel in FTP that transfers actual file contents. Opens and closes for each transfer.
Active Mode: FTP transfer mode where the server initiates the data connection back to the client. Fails with NAT and most firewalls.
Passive Mode: FTP transfer mode where the client initiates both the control and data connections. Works through firewalls and NAT.
FTPS (FTP Secure): FTP protocol with TLS/SSL encryption added. Uses port 21 (Explicit) or port 990 (Implicit). More complex than sFTP.
sFTP (SSH File Transfer Protocol): Completely different protocol from FTP. Runs over SSH (usually port 22). Single encrypted connection for everything.
Binary Transfer Mode: Transfer mode that sends files byte-for-byte without modification. Required for images, executables, archives. Default in modern clients.
What does FTP stand for?
FTP stands for File Transfer Protocol. It’s a network protocol designed to transfer files between computers over TCP/IP networks like the internet.
Is FTP secure?
No. Standard FTP sends all data including usernames, passwords, and file contents in cleartext without encryption. Anyone monitoring network traffic can intercept FTP credentials and data.
What’s the difference between FTP and sFTP?
FTP is the original unencrypted protocol from 1971 using port 21. sFTP is SSH File Transfer Protocol – a completely different protocol that runs over an encrypted SSH connection (usually port 22). Despite similar names, they’re incompatible protocols.
What port does FTP use?
Standard FTP uses port 21 for the control connection. Data transfers use dynamically assigned ports. FTPS uses port 21 (Explicit mode) or port 990 (Implicit mode). sFTP typically uses port 22 (SSH port) but can run on any port.
Can I use FTP with FileZilla?
Yes. FileZilla supports FTP, FTPS, and sFTP. When creating a connection, select the protocol type and enter the appropriate credentials. The interface looks the same regardless of which protocol you use.
Why does my hosting provider say “FTP not supported”?
Modern hosting providers disable FTP because it’s insecure. They offer sFTP (over SSH) or FTPS (FTP with TLS) instead. This protects your credentials and data from network eavesdropping.
What is Active vs Passive FTP?
These are transfer modes that determine how the data connection is established. Active mode has the server connect back to the client (fails with NAT/firewalls). Passive mode has the client initiate both connections (works everywhere). Always use Passive mode on modern networks.
Do I need FTP to upload a website?
No. Modern hosting offers multiple upload methods: sFTP (encrypted file transfer), web-based file managers in control panels, Git deployment, and SSH with rsync or SCP. Plain FTP is the least secure option and often disabled.
Can FTP transfer folders?
Yes. FTP clients can upload or download entire directory structures. The client recursively processes folders and transfers all files within them. Queue management in the client handles large batch transfers.
What is FTPS and how is it different from sFTP?
FTPS is regular FTP with TLS/SSL encryption added on top. It uses the same two-channel architecture as FTP. sFTP is a completely different protocol that runs over SSH with a single encrypted connection. sFTP is simpler and more widely supported.
How fast is FTP compared to other transfer methods?
FTP transfer speed depends on network bandwidth, not the protocol. FTP, FTPS, and sFTP achieve similar speeds on the same connection. The encryption overhead in FTPS and sFTP is negligible on modern hardware.
What credentials do I need for FTP?
FTP requires: hostname (server address or domain), port (usually 21 for FTP, 22 for sFTP), username (often your hosting account username), and password. sFTP may also need an SSH private key file instead of a password.
WebHostMost has completely disabled FTP support because the protocol’s security problems can’t be fixed – they’re fundamental to the design. Instead, we provide sFTP access on port 2323 using SSH key authentication.
Every new WebHostMost account comes preconfigured with SSH keys and sFTP access. You receive a .ppk private key file that authenticates your connection without exposing passwords over the network. This approach eliminates credential theft from network monitoring while maintaining the same drag-and-drop file transfer interface you’d get with FTP clients.
Our Web Control Panel also includes a built-in file manager for quick edits and small uploads without needing any client software. For larger deployments, Git integration lets you push updates directly from your repository to the server.
The question “what is FTP” matters less than understanding why we’ve moved beyond it. FTP solved file transfer in 1971. sFTP solves secure file transfer in 2026. Check our plans to see how modern hosting handles file access.
Understanding what is FTP explains both why the protocol persists and why modern hosting has moved to encrypted alternatives. FTP worked for decades because it solved a real problem – transferring files between computers. The protocol’s fundamental flaw is sending everything unencrypted, which made sense in 1971 but is unacceptable in 2026.
The shift from FTP to sFTP isn’t about adding features. It’s about fixing security problems that can’t be patched without replacing the protocol entirely. sFTP provides the same file transfer functionality with encryption that protects credentials and data from network interception.
When evaluating hosting providers, check whether they still support plain FTP. If they do, that’s a signal about their security priorities. Modern hosting should offer sFTP as the minimum standard, with FTP disabled completely.
