FTP Disabled by Default in Version 86

With Version 86 moving into the EDGE Tier, cPanel is disabling ftpd (the FTP service) by default. FTP was not designed to be secure. Because FTP relies on clear-text usernames and passwords, as well as unenforced encryption, data sent via FTP is vulnerable to various methods of attack.

Impact

New installations of cPanel & WHM will have ftpd disabled by default, starting with Version 86. End users who are using Version 86 will not be able to transfer data on their servers using FTP.

Benefits

Data transmitted using FTP is vulnerable to brute force attacks, spoofing, and sniffing. Removing the protocol from the product provides a more secure default cPanel & WHM setup and allows further server customization. 

What you can do

There are several safer alternatives for transferring data to and from your servers, including SFTP and the Web Disk feature.

If you need to continue using FTP on your server, you can re-enable it either via WHM’s “FTP Server Selection” tool or by running the following script:

./scripts/setupftpserver

and choosing your preferred FTP server (pure-ftpd or proftpd). FTP can also be disabled again using either of those two methods.

We recommend that system administrators consider disabling the FTP service in their existing installations if their customers do not require it.
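For an existing installation, the check below reports whether a server you administer still has an FTP listener and, if so, whether it lets a login proceed without TLS (the "unenforced encryption" problem described above). It is an added example, not cPanel code; the names `read_reply` and `ftp_exposure` and the account name `audit-probe` are assumptions made for illustration.

```python
import socket

def read_reply(f):
    """Read one FTP reply (RFC 959), multi-line form included; return its code."""
    line = f.readline().decode("latin-1")
    if len(line) < 4 or not line[:3].isdigit():
        raise ValueError("not an FTP reply: %r" % line)
    code = line[:3]
    if line[3] == "-":                      # "220-..." continues until "220 ..."
        while not line.startswith(code + " "):
            line = f.readline().decode("latin-1")
            if not line:
                raise ValueError("connection closed mid-reply")
    return int(code)

def ftp_exposure(host, port=21, timeout=5.0):
    """Classify the FTP control port of a server you administer.

    Returns "no-listener", "not-ready", "cleartext-login" or "cleartext-refused".
    """
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "no-listener"                # the Version 86 default: ftpd disabled
    with s, s.makefile("rb") as f:
        if read_reply(f) != 220:            # 220 = service ready
            return "not-ready"
        # Send USER without a preceding AUTH TLS. No password is ever sent.
        s.sendall(b"USER audit-probe\r\n")  # placeholder account name
        code = read_reply(f)
        try:
            s.sendall(b"QUIT\r\n")
        except OSError:
            pass                            # server already dropped the session
    # 331 = password required, 230 = logged in: the login proceeds unencrypted.
    # Assumption: a TLS-enforcing server rejects USER itself; one that only
    # rejects at PASS would still be reported as "cleartext-login".
    return "cleartext-login" if code in (230, 331) else "cleartext-refused"

if __name__ == "__main__":
    print(ftp_exposure("127.0.0.1"))
```

A result of "cleartext-login" on a server whose customers do not need FTP is the case the recommendation above is aimed at.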

Anything else I should know?

This will not impact customers running cPanel & WHM Version 84 and older. As Version 86 is the new LTS (Long Term Support) version, an upgrade will eventually be required to receive ongoing support.