The Open Ports section of your scan report shows which network ports are publicly accessible on your server. Think of ports as numbered doorways into your server — each one allows a specific type of network traffic.
What is a Port?
Every server connected to the internet uses numbered ports to manage different types of connections. When someone visits your website, their browser connects to port 443 (HTTPS) or port 80 (HTTP) on your server. Your email might use port 25 (SMTP) or port 993 (IMAP). There are 65,535 possible ports, and each one can be open (accepting connections), closed (rejecting connections), or filtered (silently dropping connections).
What We Check
Our scan uses Nmap, an industry-standard network scanning tool, to check which TCP ports are open on your server and what services are running behind them.
Which Ports Are Normal?
Most websites only need a handful of ports open:
- Port 80 (HTTP) — Standard web traffic. Usually redirects to HTTPS. Normal to see open.
- Port 443 (HTTPS) — Encrypted web traffic. This should be open for any website.
- Port 22 (SSH) — Secure shell access for server administration. Common on self-hosted servers, but ideally restricted to specific IP addresses.
Which Ports Are Concerning?
Some ports, if left open to the public internet, represent a significant security risk:
- Port 3306 (MySQL) — This is a database port. If this is open, your database may be directly accessible from the internet. This is almost never intentional and is a critical risk.
- Port 5432 (PostgreSQL) — Another database port. Same concern as MySQL.
- Port 27017 (MongoDB) — Another database port. Historically one of the most commonly exploited open ports.
- Port 3389 (RDP) — Remote Desktop Protocol. If open, anyone can attempt to log into your server with a graphical desktop session. A frequent target for brute-force attacks.
- Port 21 (FTP) — File Transfer Protocol. Sends credentials in plain text. Should be replaced with SFTP (which runs over port 22).
- Port 23 (Telnet) — An unencrypted remote access protocol. There is no legitimate reason to have this open in 2026.
What to Look For in Your Report
Each port in your report is assigned a risk level:
- Critical / High risk — Database ports, remote access ports, or other services that should never be publicly accessible. These require immediate attention.
- Medium risk — Ports that are not inherently dangerous but may not need to be public (e.g., SMTP on a server that isn't a mail server).
- Low / Info — Expected ports like 80 and 443. No action needed.
What You Can Do
If your report shows high-risk open ports, the fix depends on your hosting setup:
- Managed hosting (Squarespace, Wix, WordPress.com) — You typically can't control port configuration. Contact your hosting provider if unexpected ports appear.
- VPS or dedicated server — Use your server's firewall (e.g., ufw on Linux) to close unnecessary ports. Only keep open what you actively use.
- Cloud hosting (AWS, Google Cloud, Azure) — Use security groups or firewall rules to restrict access to necessary ports only.
The general principle is simple: if you don't know why a port is open, it probably shouldn't be.
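As an added example (not the scanner's code or part of the report itself), the risk levels above and the ufw remediation can be applied automatically to grepable Nmap output (`nmap -oG`). The administrator address and the sample scan line are constructed for illustration.

```python
import re

# Risk categories taken from the report's lists above (added example, not the scanner's code).
CRITICAL = {3306: "MySQL", 5432: "PostgreSQL", 27017: "MongoDB",
            3389: "RDP", 21: "FTP", 23: "Telnet"}
EXPECTED = {80: "HTTP", 443: "HTTPS"}
ADMIN_IP = "203.0.113.5"  # assumed administrator address allowed to reach SSH

# One entry of the "Ports:" field in `nmap -oG` output: port/state/proto/owner/service/
ENTRY_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")

def parse_grepable(text):
    """Return {port: service} for open TCP ports in grepable Nmap output."""
    open_ports = {}
    for line in text.splitlines():
        if "Ports:" not in line:
            continue
        field = line.split("Ports:", 1)[1].split("\t")[0]
        for port, state, proto, service in ENTRY_RE.findall(field):
            if proto == "tcp" and state == "open":
                open_ports[int(port)] = service
    return open_ports

def classify(port):
    """Map a port to the report's risk level; anything unexpected is at least Medium."""
    if port in CRITICAL:
        return "Critical / High"
    if port in EXPECTED:
        return "Low / Info"
    return "Medium"

def ufw_rule(port):
    """Suggested ufw command for a VPS, assuming a 'ufw default deny incoming' baseline."""
    level = classify(port)
    if level == "Critical / High":
        return f"ufw deny {port}/tcp"
    if port == 22:  # SSH is normal, but only from the admin address
        return f"ufw allow from {ADMIN_IP} to any port 22 proto tcp"
    if level == "Low / Info":
        return f"ufw allow {port}/tcp"
    return f"# review {port}/tcp: keep it public only if this server needs it"

# Constructed sample of grepable output, not a real scan result.
SAMPLE = ("Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
          "443/open/tcp//https///, 3306/open/tcp//mysql///, 25/filtered/tcp//smtp///"
          "\tIgnored State: closed (995)\n")

def review(text=SAMPLE):
    """Return {port: (service, risk level, suggested rule)} for each open port."""
    return {p: (s, classify(p), ufw_rule(p)) for p, s in sorted(parse_grepable(text).items())}
```

Filtered ports (like SMTP in the sample) are not reported as open, so they receive no rule; only open ports show up in the review.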
