What is FTP?

How does FTP work?

FTP is a client-server protocol that relies on two communications channels between the client and server: a command channel for controlling the conversation and a data channel for transmitting file content.

A typical FTP transfer works in the following way:

1. A user typically needs to log on to the FTP server, although some servers make some or all of their content available without a login, a model known as anonymous FTP.
2. The client initiates a conversation with the server when the user requests to download a file.
3. Using FTP, a client can upload, download, delete, rename, move and copy files on a server.

FTP sessions work in active or passive modes in the following ways:

• Active mode. After a client initiates a session via a command channel request, the server creates a data connection back to the client and begins transferring data.
• Passive mode. The server uses the command channel to send the client the information it needs to open a data channel. Because the client is initiating all connections in passive mode, it works well across firewalls and Network Address Translation gateways.

Users can work with FTP via a simple command-line interface from a console or terminal window in Microsoft Windows, Apple macOS or Linux. They can also use a dedicated graphical user interface designed for FTP. Web browsers can also serve as FTP clients. Using FTP through an FTP client is the most common use case, as FTP clients are easier to manage, more flexible and more powerful.

FTP's uses and benefits

FTP is a standard network protocol that enables expansive file transfer capabilities across IP networks. File and data transfer can be managed with other mechanisms besides FTP -- such as email or an HTTP web service. But these other options lack the clarity of focus, precision and control that FTP and its later iterations provide. Likewise, without FTP's ability to transfer large file sizes simultaneously, users would have to transfer multiple large files one by one.

FTP is used for file transfers between systems and has multiple common use cases, including the following:

• Backup. Backup services or individual users can use FTP to back up data from one location to a secured backup server running FTP services.
• Replication. Similar to backup, replication involves duplication of data from one system to another but takes a more comprehensive approach to provide higher availability and resilience. FTP can also be used to facilitate this.
• Access and data loading. FTP is also commonly used to access shared web hosting and cloud services as a mechanism to load data onto a remote system.
• Transferring large file sizes. FTP is commonly used to transfer large media files, such as code repositories, videos and backups between production teams.

Although FTP can transfer large files, activities like streaming video content, playing online games, using cloud storage and sharing files, might require more advanced protocols.

FTP types

An FTP server and client software can conduct a file transfer using FTP in the following ways:

• Anonymous FTP. This most basic form of FTP provides support for data transfers without encrypting data or using a username and password. It's commonly used to download material that's allowed for unrestricted distribution. It works on port 20 while in active mode and port 21 for control commands.
• Password-protected FTP. This is also a basic FTP service, but it requires the use of a username and password, though the service might not be encrypted or secure. It also works on the same ports as anonymous FTP.
• FTP Secure (FTPS). Sometimes referred to as FTP Secure Sockets Layer (FTP-SSL), this approach enables implicit Transport Layer Security (TLS) as soon as an FTP connection is established. FTPS was initially used to help enable a more secure form of FTP data transfer. It typically defaults to port 990 for implicit FTPS and port 21 for explicit FTPS.
• FTP over explicit SSL/TLS (FTPES). This approach enables explicit TLS support by upgrading an FTP connection over port 21 to an encrypted connection. Web and file-sharing services commonly use this approach to enable secure file transfers.
• Secure FTP (SFTP). This technically isn't an FTP protocol, but it functions similarly. Rather, SFTP is a subset of the Secure Shell (SSH) protocol that runs over port 22. Systems administrators commonly use SSH to remotely and securely access systems and applications, and SFTP provides a mechanism within SSH for secure file transfer.

FTP security

By default, FTP doesn't encrypt traffic, and individuals can capture packets to read usernames, passwords and other data. FTP is vulnerable to brute-force attacks against user and password authentication spoofing, an FTP bounce attack or a distributed denial-of-service attack. FTP was initially defined in 1971, predating TCP and IP, and has been redefined several times since to accommodate new technologies, including the use of TCP/IP, Request for Comments (RFC) 765, RFC 959, Internet Protocol Version 6 and RFC 2428.

FTP has also undergone several updates to enhance FTP security. These include types of FTP that encrypt via an implicit TLS connection (FTPS) or explicit TLS connection (FTPES) or that work with SFTP.

History of FTP

The first specification for FTP was published as RFC 114 on April 16, 1971, and was written by Abhay Bhushan, then a student at the Massachusetts Institute of Technology. The original idea behind FTP was to enable the transfer of files over ARPANET, the precursor to the internet.

As the modern internet began to take shape, the FTP specification underwent several revisions to align with networking standards, including TCP/IP. In 1980, a new version of FTP was defined in RFC 765 by Jon Postel, who at the time was a research scientist at the Information Sciences Institute at the University of Southern California. Five years later, FTP was redefined yet again with RFC 959, which introduced new management capabilities for the protocol, including the ability to make and remove a file directory. Prior iterations of FTP were largely limited to transferring files to and from existing file directory structures.

In 1997, RFC 959 was updated with new capabilities defined in RFC 2228 to provide security capabilities. Two years later, FTP was updated with RFC 2428 to support the IPv6 protocol.

In 2005, RFC 4217 was implemented, which defined how to use the TLS protocol with FTP to secure connections.

In 2007, RFC 3659 focused on adding extensions to the protocol which added functionality. These functionalities included providing detailed information about files, their sizes and support for restarting interrupted transfers.

In 2010, RFC 5797 established a registry for FTP commands and extensions. This began to ensure consistent implementations across different FTP clients and servers.

FTP use began to diminish after 2010, primarily in favor of more secure alternatives like SFTP and FTPS. The decline was particularly due to security flaws and the growing importance of secure data transmissions. In 2021, for example, major web browsers Google Chrome, Mozilla Firefox and Microsoft Edge all dropped support for FTP, citing security concerns.

FTP clients

FTP clients are used to upload, download and manage files on a server. Examples of FTP clients include the following:

• FileZilla. This free FTP client for Windows, macOS and Linux operating systems supports FTP, FTPS and SFTP.
• Transmit. This FTP client for macOS from Panic, Inc. supports FTP and SFTP.
• WinSCP. This free Windows FTP client supports FTP, FTPS and SFTP.
• WS_FTP. This Windows FTP client from Progress Software supports FTP, FTPS and SFTP.

FTP is one of several common network protocols. Learn about different network protocols, including alternatives to FTP.