- FTP still runs widely due to forgotten default configurations
- Millions of servers expose FTP without active administrative awareness
- Encryption inconsistencies leave many FTP connections completely unprotected online
The File Transfer Protocol (FTP) is one of the oldest methods for moving files over the internet, designed during an era when online security was not a primary concern.
According to Censys, it still runs on almost 6 million servers primarily because it was activated by default within hosting panels and subsequently forgotten, rather than being maintained through deliberate administrative choice.
Due to its persistent and often unnoticed operations, security experts now question whether this 55-year-old protocol should be used at all.
FTP continues to persist in modern infrastructure
“If FTP is showing up in your asset inventory, the first question isn’t how to harden it, it’s whether it should be running at all. Use a more secure alternative,” Censys warns.
A considerable portion of the FTP exposure problem originates from control panel ecosystems that enable the protocol by default during initial server provisioning.
This means the service often remains active through unattended configuration rather than through any affirmative choice made by the administrator.
Another major issue is that many FTP servers are not deliberately installed as a primary service.
They often come bundled with hosting platforms and control panels, where they are enabled automatically during setup.
Over time, they remain active without regular review, making it difficult for organizations to know exactly how many FTP services they are running.
This creates quiet risks that can remain unnoticed for long periods within ordinary operations.
It also reflects a broader infrastructure pattern where convenience-driven services continue operating long after their original necessity has faded.
That persistence often leaves administrators uncertain about what still matters, what can be removed, and what has simply been forgotten.
FTP’s handling of passwords and other sensitive data during transmission is a major concern.
In some setups, FTP can still send login details in plain text, which means they could be intercepted if someone is watching network traffic.
Although some servers now support encryption, many still fail to use it or are misconfigured for secure connections.
This inconsistency exists because support varies across software packages and depends heavily on installation choices made early on.
As a result, organizations often face fragmented environments where some traffic is protected, while other connections remain exposed in clear text.
Security researchers also note that FTP daemons behave differently, with some treating encryption as optional and others requiring overlooked administrative steps.
In practice, this leads to inconsistent protection across the internet, depending on how each server was originally configured.
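The three postures described above (no encryption, encryption offered but optional, encryption enforced) can be told apart from a recorded control-channel session on a server you administer. The following is an added example, not code from Censys or from the article: it assumes the server lists AUTH TLS in its FEAT reply (RFC 2389, RFC 4217), and the transcripts, reply text and function names are constructed for illustration.

```python
import re

# Constructed transcripts ("C:" client, "S:" server); all reply text is invented.
FEAT_PLAIN = ["C: FEAT", "S: 211-Features:", "S:  UTF8", "S: 211 End"]
FEAT_TLS = ["C: FEAT", "S: 211-Features:", "S:  AUTH TLS", "S:  PROT", "S: 211 End"]
SAMPLES = {
    "legacy": ["S: 220 ready"] + FEAT_PLAIN + ["C: USER audit", "S: 331 Password required"],
    "optional": ["S: 220 ready"] + FEAT_TLS + ["C: USER audit", "S: 331 Password required"],
    "enforced": ["S: 220 ready"] + FEAT_TLS + ["C: USER audit", "S: 530 Encryption required"],
}


def replies_by_command(lines):
    """Group server reply lines under the client command that triggered them."""
    replies, verb = {}, "BANNER"
    for line in lines:
        if line.startswith("C: "):
            verb = line[3:].split()[0].upper()
        elif line.startswith("S: "):
            replies.setdefault(verb, []).append(line[3:])
    return replies


def final_code(reply_lines):
    """Return the code of the closing 'NNN text' line, or None if there is none."""
    for line in reversed(reply_lines):
        match = re.match(r"(\d{3})(?: |$)", line)
        if match:
            return int(match.group(1))
    return None


def classify(lines):
    """Label a server cleartext-only, tls-optional, tls-required or unknown."""
    replies = replies_by_command(lines)
    offers_tls = any(re.match(r"\s+AUTH\b.*\bTLS\b", l, re.I) for l in replies.get("FEAT", []))
    user_code = final_code(replies.get("USER", []))
    if user_code is None:
        return "unknown"  # no plaintext USER attempt recorded, so policy is not observable
    if not offers_tls:
        return "cleartext-only"
    # 2xx/3xx to USER before AUTH TLS means the name (and then the password) travels in clear text
    return "tls-optional" if user_code < 400 else "tls-required"


if __name__ == "__main__":
    for name, lines in SAMPLES.items():
        print(name, "->", classify(lines))
```

A "tls-optional" result is the case the article warns about: the server advertises encryption, yet a client that never asks for it still logs in unprotected.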