55 years since its introduction, 6 million FTP servers are still exposed on the open internet


Nearly 6 million web servers – about 3% of the global total – still expose FTP services, relying on the 55-year-old legacy file transfer protocol. Because of the protocol's inherent security weaknesses, security experts urge users to migrate to the newer SSH File Transfer Protocol (SFTP).

Censys, a security company that scans the entire public internet for exposed services and vulnerabilities, warns that 5,949,954 IP addresses have an internet-facing FTP service. The FTP protocol was introduced exactly 55 years ago, on April 16th, 1971.

It is critically vulnerable: FTP has a weak authentication mechanism, and many deployments (41.1%) appear to use no encryption at all, meaning that login credentials cross the network in plain text.


Many web administrators may be exposing FTP without even realizing it. Over a third of exposed FTP services run daemons that ship with cPanel, the control panel software that hosting providers install so their customers can manage their servers. FTP was likely enabled by default, and customers never turned it off.

“If FTP is showing up in your asset inventory, the first question isn’t how to harden it, it’s whether it should be running at all. Use a more secure alternative,” Censys warns in a new report.

The obvious alternative is the SSH File Transfer Protocol, released 29 years ago, which offers superior security.

Since 2024, the number of exposed FTP services has decreased by 40%, down from over 10.1 million. However, the total number of servers on the internet also increased, albeit by a smaller amount. In two years, the share of FTP-exposed servers dropped from 3.80% to 2.72%.


Where are FTP servers still running?

FTP services appear to linger on older web hosting architectures where customers share resources and configuration models, including legacy shared hosting stacks. FTP also turns up on ISP-managed customer premises equipment (CPE) and on long-running virtual private servers where it was provisioned once and has kept working ever since.

Most exposed FTP servers are in the US – 1.25 million, followed by China (886,000), Germany (468,000), Hong Kong (416,000), Japan (366,000), and France (344,000).



Many of the FTP servers are concentrated on a few autonomous systems operated by major hosting and broadband providers. China Unicom’s CHINA169 backbone alone accounts for roughly 405,000 FTP hosts (~6.8% of the global total).

“The security posture of the world’s FTP servers is likely heavily influenced by the default configurations of a small number of large operators,” Censys explains.

Has my data been leaked?

The security company reports that 2.8 million FTP servers run either the PureFTPd or ProFTPD daemons, which are the default FTP server options in cPanel.

The third most popular option, vsftpd, is the standard FTP daemon shipped with most major Linux distributions, followed by IIS (Internet Information Services), Microsoft's legacy web and FTP server platform.

[Image: top FTP daemons by host count. Image by Censys.]

Over 184,000 hosts still expose FileZilla servers, which might be deliberate installation choices by their administrators.

Encryption is optional


“The good news is that 58.9% of FTP hosts (approximately 3.5 million) had at least one FTP service where Censys observed a completed TLS handshake on the control channel. This is a higher percentage than most practitioners would expect,” Censys said.

Surprisingly, 97% of TLS-protected FTP servers were using current protocol versions, TLSv1.3 or TLSv1.2. Japan alone accounted for roughly 71% of the exposed servers still negotiating legacy TLS versions.

However, 2.35 million FTP services did not complete a TLS handshake during scanning. That does not automatically mean those hosts are insecure.


“Those hosts are not necessarily transmitting credentials in cleartext. A daemon could support TLS but fail to negotiate it with our scanner for reasons unrelated to its configuration. What the absence of an observed handshake does mean is that there is no recorded evidence of encryption,” Censys explained.

Still, nearly a million servers prompted for credentials that would be transmitted in plain text.

“FTP being internet-facing is not the concern: FTP being internet-facing with default configurations that accept cleartext credentials is.”
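To make the distinction Censys draws concrete, here is a small Python probe, added for this article and not taken from the Censys report or any tool it names, that records exactly one of three things for an FTP control channel: a TLS handshake was offered and completed, TLS was refused, or there is simply no evidence either way. The sample replies, the result field names and the classification labels are constructed for illustration.

```python
import socket
import ssl

# Constructed sample transcripts (not real hosts): a banner, then the reply to AUTH TLS.
SAMPLE_TLS_OFFERED = ["220 ProFTPD Server ready.\r\n", "234 AUTH TLS successful\r\n"]
SAMPLE_TLS_REFUSED = ["220 Welcome.\r\n", "502 Command not implemented.\r\n"]

def read_reply(lines):
    """Collect one RFC 959 reply: it ends at a line of the form 'ddd text';
    a multi-line reply opens with 'ddd-text' and may run on for any length."""
    reply = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        reply.append(line)
        if len(line) >= 4 and line[:3].isdigit() and line[3] == " ":
            return int(line[:3]), reply
    raise ValueError("connection closed before the reply completed")

def classify_auth_reply(code):
    """Map the reply to 'AUTH TLS' onto what a scanner can actually record."""
    if code == 234:
        return "tls_offered"   # server is ready to start the handshake
    if 500 <= code <= 599:
        return "tls_refused"   # command rejected: no TLS on this control channel
    return "no_evidence"       # anything else: nothing recorded either way

def assess_transcript(lines):
    """Offline form: banner, then the AUTH TLS reply, from a replayed session."""
    banner_code, banner = read_reply(lines)
    if banner_code != 220:
        return banner[-1], "no_evidence"
    return banner[-1], classify_auth_reply(read_reply(lines)[0])

def probe(host, port=21, timeout=5.0):
    """Live form; also records the negotiated TLS version. Certificates are not
    validated: the question is whether encryption is on offer, not trust."""
    result = {"host": host, "banner": None, "tls": "no_evidence", "version": None}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("r", encoding="latin-1", newline="\n")
        code, banner = read_reply(rfile)
        result["banner"] = banner[-1]
        if code != 220:
            return result
        sock.sendall(b"AUTH TLS\r\n")
        result["tls"] = classify_auth_reply(read_reply(rfile)[0])
        if result["tls"] == "tls_offered":
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["version"] = tls.version()   # e.g. 'TLSv1.2'
                tls.sendall(b"QUIT\r\n")
    return result
```

Run `probe()` only against hosts in your own inventory; a `no_evidence` result for a timeout or an unexpected banner is the same gap Censys describes, not proof of a cleartext login.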

SFTP is a quick fix

Censys doesn't expect FTP to go away any time soon, but experts still recommend the more secure alternatives. Owners of exposed FTP servers risk brute-force and credential-sniffing attacks aimed at gaining access.

“SFTP (SSH File Transfer Protocol) and FTPS both provide encrypted file transfer with broadly compatible client support. For most use cases, FTP can be replaced without significant disruption. If FTP must remain, enabling Explicit TLS is a configuration change, not a protocol upgrade, and both Pure-FTPd and vsftpd support it natively,” Censys explains.
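The configuration change Censys refers to, shown here for vsftpd as an added illustration that is not taken from the report or from the vsftpd project: the cleartext default beside the explicit-TLS version. The two fragments are alternatives, and the certificate paths are placeholders.

```ini
# vsftpd.conf: two alternative fragments (constructed example).
# vsftpd accepts comments only on their own line, never after a value.

# --- Weak: the cleartext default the report describes ---
# AUTH TLS is refused, so USER and PASS cross the wire in the clear.
listen=YES
local_enable=YES
ssl_enable=NO

# --- Corrected: explicit TLS on the same port-21 control channel ---
listen=YES
local_enable=YES
anonymous_enable=NO
# Accept AUTH TLS; the certificate and key paths are placeholders.
ssl_enable=YES
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.key
# Refuse USER/PASS until the handshake has completed, and require the
# data channel to be protected as well (clients send PROT P).
force_local_logins_ssl=YES
force_local_data_ssl=YES
# Keep the obsolete SSL versions off; TLS 1.0/1.1 can be retired with the
# ssl_tlsv1 / ssl_tlsv1_1 options on vsftpd 3.x (check man vsftpd.conf).
ssl_sslv2=NO
ssl_sslv3=NO
```

After reloading the daemon, the probe a scanner runs is the same one Censys describes: a 234 reply to AUTH TLS followed by a completed handshake is the recorded evidence of encryption.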
