Plesk FTP Not Working: How to Fix It

FTP connection failures in Plesk typically fall into a few distinct categories: the FTP service not running, firewall rules blocking the required ports, a passive mode misconfiguration, or incorrect FTP credentials. The error message from the FTP client (Connection refused, Connection timed out, 530 Login incorrect) usually points to which category the problem falls into. Working through each possibility in sequence is the fastest route to a resolution — this guide covers each one in order of likelihood.

Step 1: Confirm the FTP Service Is Running

Plesk uses either ProFTPD or Pure-FTPd as its FTP server, depending on the installation. Before investigating anything else, confirm the service is actually running. In the Plesk control panel, navigate to Tools & Settings → Services Management and look for the FTP Server entry. If the status shows as stopped, start it from that screen and attempt to reconnect.

If you have SSH access to the server, you can check the service state directly:

1. Log in to the server via SSH.
2. Check whether ProFTPD is installed and running:
   
   systemctl status proftpd
3. If the server uses Pure-FTPd instead:
   
   systemctl status pure-ftpd
4. If the service is inactive, start it:
   
   systemctl start proftpd
   
   or
   
   systemctl start pure-ftpd
5. Verify it is now running and check for any error output in the status response before proceeding.

A service that starts but immediately stops again indicates a configuration error or port conflict. In that case, check the FTP log (covered in the final section below) for details.

Step 2: Check Firewall Rules for FTP Ports

FTP requires two distinct port ranges to be open. Port 21 handles the control connection — authentication, commands, and responses. A second range of ports, typically 49152–65535 or a custom range defined in Plesk, is used for the data connection in passive mode. Both must be permitted for inbound connections from external addresses.

1. In Plesk, go to Tools & Settings → Firewall.
2. Confirm that port 21 (TCP) is listed as allowed for incoming connections.
3. To find the passive port range configured in Plesk, go to Tools & Settings → FTP Settings and note the Passive port range values.
4. Return to the Firewall settings and confirm the entire passive port range is open for inbound traffic.
5. If your server sits behind a provider-level firewall (common with cloud VPS providers), log in to the hosting control panel and confirm those same ports are permitted at the network level — Plesk’s own firewall is irrelevant if traffic is blocked upstream.

If you make changes to the Plesk firewall, apply them and wait a moment before retesting. Changes take effect immediately but the FTP client may need a fresh connection attempt.

Step 3: Use Passive Mode (PASV) in the FTP Client

Most modern FTP clients default to passive mode, but it is worth confirming explicitly. In active mode, the server initiates a connection back to the client on a port the client specifies. This almost always fails when the client is behind a NAT router or corporate firewall, because the inbound connection from the server is blocked.

1. In FileZilla, open Site Manager and select the connection for the server in question.
2. Click the Transfer Settings tab.
3. Set the transfer mode to Passive.
4. Save and reconnect.

In WinSCP, the equivalent setting is under Session → Advanced → Connection → FTP — set the transfer mode to Passive. If you are connecting via a command-line FTP client, issue the passive command after connecting to toggle passive mode on.

Step 4: 530 Login Incorrect — Credentials Issue

FTP credentials in Plesk are separate from the Plesk control panel login. The FTP username for a subscription is the system user associated with that subscription, not the email address used to log in to Plesk. On some Plesk setups, the username includes a domain suffix. Using the wrong username format is one of the most common causes of 530 errors.

1. In Plesk, navigate to Websites & Domains and select the relevant domain.
2. Click FTP Access.
3. Note the FTP username shown — use this exact string in the FTP client, including any suffix if present.
4. To reset the password, click the username and set a new password. Passwords must meet complexity requirements.
5. Update the credentials in the FTP client and reconnect.

If additional FTP accounts have been created for the subscription (for example, for a developer or staging directory), these are listed separately under FTP Access and each has its own independent password.

Step 5: SFTP as an Alternative

If FTP continues to be unreliable, SFTP (SSH File Transfer Protocol) is a more robust and secure alternative. It operates over a single port (22), which simplifies firewall configuration considerably, and all data is encrypted in transit. It is supported natively by FileZilla, WinSCP, and Cyberduck.

1. In Plesk, go to Websites & Domains and select the relevant domain.
2. Click SSH Access.
3. Set the shell access to /bin/bash or another permitted shell (not Disabled).
4. In the FTP client, create a new connection using protocol SFTP, host as the server IP or domain, port 22, and the same FTP username and password used for standard FTP access.
5. Connect and confirm access.

Once SFTP is working, there is rarely a need to return to plain FTP. If company policy or a legacy application requires FTP specifically, continue with the steps below.

Step 6: FTP Works Locally But Not Remotely

If FTP connections succeed from the server itself (or from within the same network) but fail from an external location, the problem is almost certainly the passive port range being blocked at the firewall level. The control connection on port 21 may be passing through, but the data connection on the passive ports is being dropped before any file transfer can begin.

1. Confirm the passive port range in Plesk: Tools & Settings → FTP Settings → Passive port range.
2. Verify those ports are open for inbound TCP traffic in the Plesk firewall (Tools & Settings → Firewall).
3. Log in to any upstream or provider-level firewall and confirm the same range is permitted there.
4. If the server is behind a NAT device, confirm the passive port range is forwarded to the server’s internal IP address.
5. Retry the FTP connection from an external network and monitor the client log for whether the data connection is reaching the server.

Checking the FTP Log

When the cause of a connection failure is not immediately obvious, the FTP server log is the most reliable diagnostic tool. It records each connection attempt, the username presented, and the reason for any failure or disconnection.

For ProFTPD, the log is located at:

/var/log/proftpd/proftpd.log

For Pure-FTPd, the transfer log is at:

/var/log/pure-ftpd/transfer.log

To watch the log in real time during a connection attempt:

tail -f /var/log/proftpd/proftpd.log

Look for lines referencing the connecting IP address. A 530 Login incorrect line confirms a credentials mismatch. A connection that appears and then immediately disappears with no authentication attempt points to a firewall or passive mode issue. A 500 OOPS or similar error from Pure-FTPd often indicates a permissions problem on the home directory for the FTP user, which can be corrected by resetting the subscription’s file permissions from Websites & Domains → the domain → Fix WordPress File Permissions (or the equivalent repair tool for non-WordPress subscriptions).

Working through these steps in sequence resolves the vast majority of Plesk FTP issues. If the problem persists after covering all of the above, raise a support ticket with your hosting provider and include the relevant log entries — this significantly reduces the time needed to identify the root cause.

Related articles: Plesk Troubleshooting Guide