- FTP is still widely deployed because of forgotten default configurations
- Millions of servers expose FTP without active administrative awareness
- Encryption inconsistencies leave many FTP connections completely unprotected online
File Transfer Protocol (FTP) is one of the oldest methods of moving files over the Internet, designed in an era when online security was not a primary concern.
According to Censys, it still runs on nearly 6 million servers, primarily because it was enabled by default within hosting panels and subsequently forgotten, rather than being maintained through conscious administrative choices.
Because of its persistent and often unnoticed operations, security experts are now questioning whether this 55-year-old protocol should be used at all.
FTP continues to exist in modern infrastructure
“If FTP shows up in your asset inventory, the first question is not how to harden it, it’s whether to run it at all. Use a more secure alternative,” warns Censys.
A significant part of the FTP exposure problem stems from control panel ecosystems that enable the protocol by default during initial server provisioning.
This means that the service often remains active through unattended configuration rather than through any affirmative choice made by the administrator.
Another big problem is that many FTP servers are not intentionally installed as a primary service.
They often come bundled with hosting platforms and control panels where they are activated automatically during setup.
Over time, they remain active without regular review, making it difficult for organizations to know exactly how many FTP services they are running.
This creates silent risks that can go unnoticed for long periods of time within normal operations.
It also reflects a broader infrastructure pattern where convenience-driven services continue to operate long after their initial necessity has faded.
That persistence often leaves administrators wondering what still matters, what can be removed, and what has simply been forgotten.
FTP’s handling of passwords and other sensitive data during transmission is a major concern.
In some setups, FTP can still send login credentials in plain text, which means they can be intercepted if someone is watching network traffic.
Although some servers now support encryption, many still fail to use it or are incorrectly configured for secure connections.
This inconsistency exists because support varies across software packages and depends heavily on installation choices made early on.
As a result, organizations often face fragmented environments where some traffic is protected while other connections remain exposed in plaintext.
Security researchers also note that FTP daemons behave differently, with some treating encryption as optional and others requiring overlooked administrative steps.
In practice, this leads to inconsistent protection across the Internet, depending on how each server was originally configured.
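The difference between a daemon that treats encryption as optional and one that enforces it is visible on the control channel, as this added example shows (it is not code from Censys or from the original article). The function names, the class labels and the placeholder user name `audit-probe` are assumptions for illustration, and the sample replies are constructed rather than captured from a real server.

```python
import io
import socket

def read_reply(stream):
    """Read one FTP reply, following RFC 959 multi-line rules -> (code, lines)."""
    first = stream.readline().decode("latin-1").rstrip("\r\n")
    lines = [first]
    if first[3:4] == "-":                          # "211-..." opens a multi-line reply
        for raw in iter(stream.readline, b""):     # stops if the connection closes
            line = raw.decode("latin-1").rstrip("\r\n")
            lines.append(line)
            if line.startswith(first[:3] + " "):   # "211 End" closes it
                break
    code = int(first[:3]) if first[:3].isdigit() else 0
    return code, lines

def classify(feat_lines, user_code):
    """Map FEAT output and the reply to a cleartext USER onto an exposure class."""
    offers_tls = any(l.strip().upper().startswith("AUTH") and "TLS" in l.upper()
                     for l in feat_lines)
    if user_code == 331:                           # 331 = server asks for the password
        return "tls-optional" if offers_tls else "no-tls-advertised"
    return "tls-required" if offers_tls else "unknown"

def classify_transcript(server_bytes):
    """Classify from recorded server replies: banner, FEAT reply, USER reply."""
    stream = io.BytesIO(server_bytes)
    read_reply(stream)                             # banner
    _, feat = read_reply(stream)
    user_code, _ = read_reply(stream)
    return classify(feat, user_code)

def probe(host, port=21, timeout=5.0):
    """Run the same check live against a server you administer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        read_reply(stream)                         # banner
        sock.sendall(b"FEAT\r\n")
        _, feat = read_reply(stream)
        sock.sendall(b"USER audit-probe\r\n")      # placeholder name, no password sent
        user_code, _ = read_reply(stream)
        sock.sendall(b"QUIT\r\n")
    return classify(feat, user_code)

# Constructed sample replies (not captured from any real server).
OPTIONAL = b"220 FTP ready\r\n211-Features:\r\n AUTH TLS\r\n211 End\r\n331 Password required\r\n"
REQUIRED = b"220 FTP ready\r\n211-Features:\r\n AUTH TLS\r\n211 End\r\n530 Encryption required\r\n"
PLAIN = b"220 FTP ready\r\n211-Features:\r\n UTF8\r\n211 End\r\n331 Password required\r\n"
```

A result of `tls-optional` or `no-tls-advertised` means the server will accept a password in cleartext; the check relies on the server advertising `AUTH TLS` in its `FEAT` reply.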



