Overview
WHM uses Pure-FTPd as its built-in FTP daemon. On a fresh cPanel/WHM server, Pure-FTPd is typically installed automatically, but it may not be running, may be misconfigured for your firewall rules, or may have been disabled after a security hardening pass. This article covers how to enable, configure, and verify Pure-FTPd from within WHM.
The most common scenario where you’ll need this: you’ve spun up a new VPS or dedicated server running cPanel/WHM, your client is trying to connect via FileZilla, and the connection just times out. Nine times out of ten it’s either the service isn’t running or passive mode ports aren’t open in your firewall. Both are fixable in under ten minutes.
If you’re running a Reseller Hosting account and need to manage FTP access for your clients’ cPanel accounts, most of this still applies — though your access to the WHM FTP settings depends on what your parent host has delegated to you.
Prerequisites
- Root or reseller access to WHM
- cPanel/WHM version 106 or later (steps are consistent across recent versions)
- SSH root access recommended for firewall configuration
- If using CSF (ConfigServer Security & Firewall) or another firewall, you’ll need access to open TCP port ranges
- An FTP client for testing — FileZilla is free and works well
Step-by-Step: Configuring Pure-FTPd in WHM
Step 1: Verify Pure-FTPd Is Installed
Before touching any settings, confirm the daemon is actually installed on the server.
rpm -qa | grep pure-ftpd
# Expected output example:
# pure-ftpd-1.0.49-1.cp11202.x86_64If nothing comes back, install it via WHM’s package manager or reinstall via cPanel’s built-in script:
/scripts/installpureftp📝 Note: On cPanel servers, Pure-FTPd is managed through the cPanel packaging system, not the OS package manager directly. Always use /scripts/ utilities when available rather than yum or dnf alone.
Step 2: Enable FTP in WHM’s Service Manager
- Log in to WHM at
https://your-server-ip:2087 - In the left sidebar search box, type Service Manager and click it
- Scroll to Pure-FTPd in the service list
- Make sure both Enabled and Monitor checkboxes are ticked
- Click Save at the bottom of the page
With Monitor enabled, cPHulk and the cPanel service watchdog will automatically restart Pure-FTPd if it crashes. I’d always leave that on.
Step 3: Configure FTP Settings in WHM
- Go to WHM > Service Configuration > FTP Server Configuration
- Review these key settings:
- FTP Port: Default is
21. Leave this unless you have a specific reason to change it. - Allow Anonymous Logins: Set to No unless you’re intentionally running a public FTP drop — which you almost certainly aren’t.
- Passive IP Address: If your server sits behind NAT (common on cloud VPS setups), you need to enter the server’s public IP here, not the internal one. This is the single most common reason passive mode connections fail.
- Passive Port Range: Set a defined range, e.g.
49152to65534. You’ll open these same ports in your firewall in the next step. - TLS/SSL Encryption: Set to Required or at minimum Enabled. Plain FTP sends credentials in cleartext — don’t leave this off on a production server.
Click Save when done. WHM will write the configuration and restart Pure-FTPd automatically.
Step 4: Open Firewall Ports for Passive FTP
⚠ Warning: Skipping this step is the reason most FTP setups appear to work on active mode but fail for clients behind NAT (basically everyone using a home router or corporate network). Passive mode is what modern FTP clients use by default.
If you’re using CSF/LFD (the most common firewall on cPanel servers), open the passive port range like this:
# Edit the CSF config
nano /etc/csf/csf.conf
# Find TCP_IN and add your passive port range:
# TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2082,2083,2086,2087,2095,2096,49152:65534"
# Save the file, then restart CSF:
csf -rAlso make sure port 21 (FTP control) is open if it isn’t already. After restarting CSF, test a passive connection from your FTP client before declaring it done.
📝 Note: If you’re using a cloud provider firewall (AWS Security Groups, DigitalOcean Firewall, Hetzner Cloud Firewall, etc.) in addition to CSF, you need to open the passive port range there too. The OS-level firewall and the cloud-level firewall are independent.
Step 5: Restart and Verify the Pure-FTPd Service
# Restart the service
/scripts/restartsrv_ftpd
# Check it's running and listening on port 21
ss -tlnp | grep :21
# Expected output:
# LISTEN 0 128 0.0.0.0:21 0.0.0.0:* users:("pure-ftpd",pid=XXXXX,fd=4))If the port isn’t showing as LISTEN, check /var/log/messages or journalctl -u pure-ftpd for startup errors.
Step 6: Create an FTP Account in cPanel
FTP accounts are created per cPanel account, not at the WHM level. Have your client (or you, if it’s your own account) do the following:
- Log in to cPanel
- Go to Files > FTP Accounts
- Fill in the username, set a strong password, and define the directory (e.g.
/public_htmlfor full site access) - Click Create FTP Account
The full FTP username will be in the format username@domain.com. Make sure your client uses that full format when connecting, not just the short username.
Common Issues & Troubleshooting
Connection Times Out in Passive Mode
Cause: Passive port range is not open in the firewall, or the passive IP in Pure-FTPd config points to the internal/private IP instead of the public IP.
Fix: Double-check the Passive IP Address field in WHM’s FTP Server Configuration — it must match what a client sees when they connect externally. Then confirm the passive port range is open in both CSF and any upstream cloud firewall. This is the most common FTP issue on VPS environments.
530 Login Authentication Failed
Cause: Usually one of three things: wrong username format (missing the @domain.com suffix), incorrect password, or the account’s home directory doesn’t exist on disk.
Fix: Verify the FTP account exists in cPanel under FTP Accounts. Check that the home directory path exists. Also check /var/log/messages for auth errors from Pure-FTPd — it logs failed logins with more detail than the client displays.
Pure-FTPd Not Starting After a Reboot
Cause: The service isn’t enabled in WHM’s Service Manager, or a config file has a syntax error that prevents startup.
Fix: Run /scripts/restartsrv_ftpd and watch the output. If it fails, check the Pure-FTPd config at /etc/pure-ftpd.conf for obvious errors. You can also run:
pure-ftpd --help 2>&1 | head -20
journalctl -xe | grep pure-ftpdTLS Certificate Errors in FTP Client
Cause: Pure-FTPd is configured to require TLS but the certificate it’s using is self-signed or expired. This happens after a server rebuild or if AutoSSL hasn’t run yet.
Fix: In WHM, go to Service Configuration > Manage Service SSL Certificates and install a valid certificate for the FTP service. If you’ve already got an AutoSSL certificate for the hostname, you can install it there. Alternatively, temporarily set TLS to Enabled (not Required) while you sort the cert — but don’t leave it that way long-term.
FTP Works for One Account but Not Another
Cause: The broken account’s home directory permissions are wrong, or the account has been suspended.
Fix: Check account suspension status in WHM under Account Information > List Suspended Accounts. If not suspended, verify directory permissions:
ls -la /home/cpanelusername/The home directory should be owned by the cPanel username with permissions 711. If it’s set to something like 000, Pure-FTPd will silently reject the connection.
FAQ
Frequently Asked Questions
How do I find my FTP hostname for a cPanel account?
Use your domain name or your server’s hostname as the FTP host — for example, ftp.yourdomain.com or the server’s main IP address. Both will work as long as DNS is resolving. Port is 21 by default. You’ll find the exact details in cPanel under Files > FTP Accounts, where a ‘Configure FTP Client’ link shows the connection settings for each account.
Is Pure-FTPd the only FTP server option in WHM?
On modern cPanel/WHM installations (v96 and later), Pure-FTPd is the only supported FTP daemon. ProFTPd support was deprecated and removed. If you have a legacy server still running ProFTPd, a cPanel update will likely switch it to Pure-FTPd automatically.
Should I use FTP or SFTP for file transfers?
SFTP (SSH File Transfer Protocol) is the better choice for security — it encrypts both credentials and data over SSH, runs on port 22, and doesn’t require separate firewall rules for passive mode. FTP with TLS (FTPS) is acceptable if SFTP isn’t an option for a specific client. Plain FTP with no encryption should be avoided on any production server.
Why does FileZilla connect fine on my office network but fail from home?
This is almost always a passive mode issue. Home routers and many ISPs block or interfere with FTP passive port ranges. Make sure passive mode is enabled in FileZilla (it’s the default), your server’s passive port range is open in the firewall, and the Passive IP in WHM’s FTP configuration is set to the server’s public IP address — not an internal one.
Can I disable FTP entirely and just use SFTP on a cPanel server?
Yes. Go to WHM > Service Manager, uncheck Enabled next to Pure-FTPd, and save. SFTP will still work through the SSH daemon independently. I’d recommend this on any server where you control all the accounts and don’t have clients who specifically need FTP — it reduces your attack surface without losing any real functionality.