Censys says nearly six million internet facing servers still expose FTP services, with many deployments lacking encryption and continuing to transmit credentials in plain text.

Nearly Six Million Servers Still Expose Legacy FTP Services, Censys Warns

The420.in Staff

Nearly six million web servers worldwide still expose FTP services, leaving a 55-year-old file transfer protocol active on about 3 per cent of the global total despite long-standing security weaknesses that experts say make it unsuitable for modern internet-facing use.

Security company Censys said 5,949,954 IP addresses currently have an internet-facing FTP service, and warned that administrators should consider whether the protocol should be running at all rather than trying only to harden it.

Why legacy FTP remains exposed

Censys said FTP remains critically vulnerable because of weak authentication and the absence of encryption in many deployments. 41.1 per cent of exposed FTP services appear to have no encryption at all, meaning credentials may be transmitted in plain text.

The report suggests many administrators may be exposing FTP without realising it. More than a third of exposed services run daemons bundled with cPanel, indicating the protocol may have been enabled by default on hosting environments and then left active. Since 2024, the number of exposed FTP services has fallen by 40 per cent from more than 10.1 million, while the share of FTP-exposed servers dropped from 3.80 per cent to 2.72 per cent.


Where the servers are concentrated

The exposed FTP services are still common on older web hosting architectures, including shared hosting stacks, ISP-managed customer premises equipment and long-running virtual private servers where the protocol was provisioned years ago and continues to function.

The largest number of exposed FTP servers was found in the United States at 1.25 million, followed by China with 886,000, Germany with 468,000, Hong Kong with 416,000, Japan with 366,000 and France with 344,000.

Many of these servers are concentrated in a small number of autonomous systems operated by large hosting and broadband providers. China Unicom’s CHINA169 backbone alone accounts for about 405,000 FTP hosts, or roughly 6.8 per cent of the global total. Censys also reported that 2.8 million FTP servers run either Pure-FTPd or ProFTPD, the default FTP server options in cPanel, while another large share uses vsftpd. More than 184,000 hosts still expose FileZilla servers.

Encryption gaps and the move to SFTP

Censys said 58.9 per cent of FTP hosts, or about 3.5 million, had at least one FTP service where a completed TLS handshake was observed on the control channel. It added that 97 per cent of FTP servers protected by TLS were using up-to-date versions such as TLSv1.3 or TLSv1.2. At the same time, 2.35 million FTP services did not complete a TLS handshake during scanning, although the report said that does not automatically mean the host is insecure.

Even so, nearly one million servers still asked for credentials transmitted in plain text. Censys said the main concern was not merely that FTP remained internet-facing, but that default configurations were still accepting cleartext credentials. It recommended more secure alternatives such as SFTP and FTPS, saying FTP can often be replaced without major disruption and that, where FTP must remain in use, enabling explicit TLS is a configuration change supported natively by both Pure-FTPd and vsftpd.
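The cleartext-credential condition the report describes can be checked in a server's own configuration. The following is an added example, not code from Censys or this article: it audits a vsftpd.conf (one of the two daemons named above; Pure-FTPd is not covered) for settings that let a client log in without TLS, with a constructed weak configuration beside a constructed hardened one. The option names are real vsftpd options; the defaults table and the certificate path are assumptions.

```python
# Added example, not code from the Censys report or this article: audit a vsftpd.conf
# for the cleartext-credential condition described above.  Option names are real vsftpd
# options; DEFAULTS follows vsftpd.conf(5) (assumption); both configs are constructed.
DEFAULTS: dict[str, str] = {
    "ssl_enable": "NO",               # TLS is never offered unless switched on
    "force_local_logins_ssl": "YES",  # only takes effect once ssl_enable=YES
    "force_local_data_ssl": "YES",
}

def parse_vsftpd_conf(text: str) -> dict[str, str]:
    """Parse key=value lines on top of DEFAULTS; blanks and '#' comments are ignored."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def audit_vsftpd(text: str) -> list[str]:
    """Return findings that let a client authenticate without TLS; [] when clean."""
    conf = parse_vsftpd_conf(text)
    yes = {k: conf[k].upper() == "YES" for k in DEFAULTS}
    if not yes["ssl_enable"]:
        # AUTH TLS is refused, so every USER/PASS crosses the wire in plaintext.
        return ["ssl_enable is not YES: every login sends credentials in cleartext"]
    findings: list[str] = []
    if not yes["force_local_logins_ssl"]:
        findings.append("force_local_logins_ssl=NO: TLS offered but not required for logins")
    if not yes["force_local_data_ssl"]:
        findings.append("force_local_data_ssl=NO: file transfers may be unencrypted")
    return findings

# Constructed sample: the exposed-host pattern, FTP on but TLS never configured.
WEAK_CONF = """\
anonymous_enable=NO
local_enable=YES
ssl_enable=NO
"""

# Constructed sample: explicit TLS enabled and required; certificate path is a placeholder.
HARDENED_CONF = """\
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
rsa_cert_file=/etc/ssl/private/vsftpd.pem
"""
```

Running `audit_vsftpd` over each host's live vsftpd.conf gives an inventory of which servers still accept plaintext logins, which is the condition the report singles out.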

About the author – Rehan Khan is a law student and legal journalist with a keen interest in cybercrime, digital fraud, and emerging technology laws. He writes on the intersection of law, cybersecurity, and online safety, focusing on developments that impact individuals and institutions in India.
