FTP actually requires two ports: 21 is the main control port, and 20 is for data.
FTP is a weird protocol; it was created really early in the Internet days, before firewalls and security were thought of. As such, as designed, it sucks for firewalling.
The ftp server listens on port 21 for connections from a client, but data goes over another port. In 'classic' ftp, the server would open a connection from port 20 on the server to some ephemeral port on the client. Nowadays you can't do that; a connection from the server to a client would be blocked by a firewall, or be unavailable because of a client NAT.
In passive FTP, the server creates a new listening socket on some port for the client to connect to. Now you're trying to firewall some dynamically changing port.
That, and, as others have mentioned, the password is in plaintext. I'd strongly suggest http/https. It's much cleaner, unless you really need ftp. In that case, I'd only put up things I'd be comfortable with on anonymous ftp.
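To make the "dynamically changing port" point concrete, here is an added example (my own code, not from the answer above or from any FTP implementation) that parses the server's passive-mode reply and builds the client's active-mode PORT command. The 227 reply, the control-connection peer address 192.0.2.10, and the passive range 50000-50100 are all constructed for illustration; a real server only behaves this predictably if its passive port range has been pinned in its configuration, which is exactly what a firewall rule has to rely on.

```python
import re

# Constructed sample 227 reply, in the shape a server sends after the client's
# PASV command: four host octets, then the data port split as p1*256 + p2.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,89)\r\n"

# Hypothetical passive range the server is assumed to be pinned to so that a
# firewall can allow it; an announced port outside it is a misconfiguration.
PASV_RANGE = (50000, 50100)

_PASV_TUPLE = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(reply):
    """Return the (host, port) announced in a 227 reply; raise ValueError on junk."""
    if not reply.startswith("227"):
        raise ValueError("expected a 227 reply, got %r" % reply)
    m = _PASV_TUPLE.search(reply)
    if m is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("byte out of range in %r" % reply)
    host = ".".join(str(o) for o in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("server announced port 0")
    return host, port


def build_port_command(host, port):
    """Build the active-mode PORT command a client sends to name the ephemeral
    port it is listening on; the server then connects to it from its port 20.
    This is the direction a client-side firewall or NAT normally blocks."""
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % host)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)
    return "PORT %s,%d,%d\r\n" % (",".join(octets), port // 256, port % 256)


def passive_endpoint_problems(reply, control_peer, pasv_range=PASV_RANGE):
    """Check a 227 reply the way a careful client or firewall policy would.
    Returns a list of problems (empty when the reply is acceptable): the data
    port must fall inside the expected passive range, and the announced host
    must be the server the control connection already talks to; a reply that
    points the client at some other host should not be followed."""
    try:
        host, port = parse_pasv_reply(reply)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    low, high = pasv_range
    if not low <= port <= high:
        problems.append("data port %d outside passive range %d-%d" % (port, low, high))
    if host != control_peer:
        problems.append("227 reply names %s but control peer is %s" % (host, control_peer))
    return problems


if __name__ == "__main__":
    print(parse_pasv_reply(SAMPLE_PASV_REPLY))
    print(build_port_command("192.0.2.20", 50009).strip())
    print(passive_endpoint_problems(SAMPLE_PASV_REPLY, "192.0.2.10"))
    print(passive_endpoint_problems(SAMPLE_PASV_REPLY, "192.0.2.11"))
```

The range check is the only thing that makes passive FTP firewallable: without a pinned range the port in each 227 reply is whatever the server's OS handed out, so a static rule cannot cover it. The peer check is a client-side precaution, since nothing in the protocol stops a server from announcing a third party's address in that reply.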
There indeed are attacks for Windows XP. But they cannot reach your computer; if you only forwarded port 21, then the only thing reachable from outside is the FTP server, not the often-exploited SMB or NetBIOS components (which, by the way, are blocked by default in XP firewall). – user1686 – 2011-05-25T21:22:22.620