FileZilla security

Om glad to hear its working & BTW get rid of FileZilla and install WinSCP. FileZilla can be fully remote controlled by the server version of the app. WinSCP cannot be remotely controlled & you can configure passwords on the sites just to be able to open them.

That seems a bit unlikely to me. Do you have a source for that?


Sorry Admin at the moment I was a little confused, its actually the client version that can take over the server and remote control it.
I think FileZilla has many security issues, for example you can brute force or buffer overflow the listening server and gain access to the user names & passwords. When you export the sites to file, the default file name is filezilla.xml. The files passwords are encoded in Base64 (at least for me it is) so go to and click decode, the passwords should be there.
Amongst IT security people the general consensus is that FileZilla is a total POS, and WinSCP by design is a much more secure client to use.
Here is some good info. regarding the pitfalls that come with using FileZilla. How do you remotely control the Server - FileZilla Forums

I split the posts to a separate topic. I think it’s an interesting discussion, but not really relevant to the previous topic.

We do recommend using FileZilla client, but we don’t use FileZilla Server ourselves. I don’t know a lot about FileZilla Server except that it’s an FTP server for Windows, which by itself makes it not relevant for us.

But the server having flaws doesn’t mean the client is bad.

Brute force and buffer overflow are two vastly different kinds of attacks.

Any login system is technically susceptible to brute force attacks. If you just try to login with as many credentials as possible, you’re bound to stumble upon credentials that work at some point. There are ways to mitigate it (like rate limiting), but no system is fool proof.

A buffer overflow on the other hand means that there is actually a bug in the program regarding memory management. Those can be really bad.

But now you’re talking about FileZilla Server, we’re talking about the client here.

Again: do you have a source for that?

What an export file is named is pretty much irrelevant. The purpose of an export file is to be able to copy the data to somewhere else, like a replacement system or a backup store. An export file that’s impossible to find is not a particularly useful export file.

Admittedly, password storage in FileZilla has traditionally been it’s weak spot. Stored passwords were not encrypted at rest. But they added an option to disable password storage years ago, and now have the ability to set a Master Password that’s used to encrypt the other stored passwords.

Still, it’s not a great look that they had to implement this after the fact. But it doesn’t inherently make FileZilla unsafe to use.

Again, this is about FileZilla Server, not the client. It does not apply here.

Another reason we recommend FileZilla is for platform compatibility. WinSCP, like the name suggests, is only for Windows. FileZilla is available for Windows, MacOS and Linux. I don’t use Windows myself anymore, so I can’t exactly vouch for WinSCP while I’ve never used it myself.


Hello, lead FileZilla Server developer here. I am going to respond to some of the raised points that concern me.

Actually that was true only until 2019. At the end of that year I was specifically hired to rewrite the FileZilla Server from scratch and make it portable across multiple platforms. It left its 0.x “beta” and its now at version 1.7.2, officially supported on Windows, MacOS and Linux.

FileZilla Server implements various techniques to mitigate brute force attacks, like automatically banning connections from IP addresses that have shown to be malicious and throttling of login attempts if they keep failing.

As for buffer overflows, none has been reported so far. FileZilla Server has undergone thorough scrutiny by the Open Technology Fund’s Red Team Lab, who performed a penetration test and found only minor issues, none of which was a buffer overflow.

That link points to a 12 years old post that pertains to the ancient version of FileZilla Server. Versions 1.x fully encrypt the administration protocol, which has been penetration tested like all the rest of the application.

Additionally, passwords are hashed and salted with strong cryptographic algorithms before being encoded in base64.


Hello guys,

Admin, did you rat me out to the developer guy? lol

I get your points that most of the info is about older versions of the server and client. I think that an already compromised computer & their knowledge of Filezlla’s existence on the hacked computer makes FileZilla client or server an easy mark for obtaining credentials… Maybe a simple export of the sites could do the trick. Many of the security deficiencies come from the already hacked computer & FileZilla’s posture that “It’s not our problem its your machine that has been hacked”.
I have seen evidence with my own eyes of them downloading files out of Filezilla, They even setup a new site to transfer the files over to an outside IP address.

Mr. developer, I’m sure you know there are still many more recent complaints about security and FileZilla, and I have to say with all due respect many of them state that your developer team were rude and flippant when dealing with user complaints.

I think anything I have said can be verified with google searches. SO I encourage you to find out for yourself. I’m not here to crap all over Filezilla & I’ve said everything I can on the matte, except…

When I saw personally the hack I mentioned earlier and them downloading’s FileZilla files made me think it was not for me. I believe that WinSCP does not have the same exposure issues, but does not run on Mac or Linux.
I’m spending my money on a hardware firewall. I also unfortunatly have an insecure Router/modem provided by my ISP.

1 Like

Actually no, I don’t know anything of the sort, neither google searches have brought up anything other than this very discussion you opened (that’s how I found it).

Could you please provide evidence? I’d be glad to address any of those “recent complaints”.


I did not. They came here out of their own initiative. I did not promote this topic to anyone anywhere, I can only guess how they found this topic in the first place.

Interesting, that’s news to me!

I don’t think we will switch from Pure-FTPd any time soon as it’s worked very well for us (and it natively supports CentOS/AlmaLinux, instead of being targeted at Debian only), but it’s great to see FileZilla server is available on Linux servers too.

The fact that FileZilla already supports encrypting stored passwords proves that they at least consider the situation of FileZilla running on a compromised system. But the reality is of course that on a compromised system where all files, memory, network traffic and user interaction can be intercepted, there is only so much you can do.

Yet neither @Oibafa nor myself are unable to find anything. If you say there is evidence to be found online, perhaps you could share the evidence with us instead of asking us to hunt for information we’re not convinced even exists?


Google. :slight_smile:


Just my thoughts. This is a public forum that gets indexed on search engines; I’m surprised the OP wasn’t expecting other people to find it.


The real truth is that we were all mentally calling Fabio… Fabio…
and now you can no longer leave this forum and you will stay here like all of us.


Hey guys,
Here are some more people stating their dislike of Filezilla.,detected%20by%20anti-virus%20software

Malware - FileZilla Forums.

Even your wiki page has sections called Criticisms , client issues, plain text passwords, etc. A great reference section too.

I have to agree that the issues seem to have been solved in 2019. Unfortunately for you guys, there is a 20 year reputation to live down & its much easier to find info about the bad side of FileZilla, and not much about how good it has become (very recently in relative terms). Maybe in another 20 years the older posts will be gone.

I did not start this thread and it feels like beating a dead horse by now… I think simply doing an evaluation of the product by searching on the net makes it look like your products are lacking and weak in the security area. I do have some related experience and am not just an end user. What I initially read about the SW was not good. Have I changed my mind about it all…not really. So that’s the way she goes boys. There are plenty of free ftp apps with stellar reputations to choose from.

Bring on the insults and backhanded comments. I have a right to my opinion.

Oxy I don’t understand your comment, do you care to elaborate?

Basically most of the regulars here first came to ask a question regarding hosting support, or something happened related to another service and one of the staff came here.


The issues you’re linking to date back to 5 years, which while I’ll agree may not be a good look for how the project handled things back in the days, does not speak for the current situation, and is something out of the control of the current developers of the server app such as @Oibafa.

That may not have been your intention, but you did start an offtopic discussion around about FS’ security, so this discussion was created by you.

I don’t think anyone insulted you or made a backhanded comment about you, or your opinion. You have the right to it, and whether your mind changes by something or not is entirely controlled by you. That being said, to the majority of us, you’ve failed to support your position’s argument, which was exactly why you were constantly asked for proof (and the ones you linked to I do not deem sufficient, but that’s a different discussion).

When posting an opinion that reflects on the security of software, and especially when you’re not citing sources to support your argument, you can expect criticism to come along your way. This isn’t a personal attack on you; and just as you have the right to share your own opinion on a subject, others have the right to share theirs too, especially when they feel your opinion might not correlate with the facts while attempting to present itself as such.

He’s joking about how Oibafa (Filezilla Server developer) will now have to be an active member of our forum since he participated in this discussion :stuck_out_tongue:


Ah, yes, the FileZilla bundled adware. I remember that one.

The main problem behind that is that FileZilla used SourceForge to distribute their software. Before that happened, SourceForge was a trusted platform used by many open source projects such as GIMP and Open Office. But then the owners of SourceForge decided they wanted more money and started distributing malware along with the installers for software they hosted. This may have resulted in some users of FileZilla who wanted to install or update their favorite FTP client installing malware.

But you can’t really blame FileZilla for that one. They used a known, trusted platform, and then the owners of that platform decided to go evil. There isn’t a lot you can do about that except for doing everything in-house.

And it was, or maybe even is, not uncommon for free software to bundle sponsored addons which you needed to opt-out from during installation. Is it what users want? No. But it would be hypocritical for me to say that free things don’t deserve to make money or show ads.

You have a right to your opinion of course, and if what you know of FileZilla makes you not trust it, that’s all up to you. But we will not stop recommending FileZilla to people. It’s a great FTP client with a good security track record and good security culture. So I see no harm in people using it right now.


This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.