- FTP still works largely due to forgotten default configurations
- Millions of servers expose FTP without active admin awareness
- Encryption inconsistencies leave many online FTP connections completely unprotected
File Transfer Protocol (FTP) is one of the oldest methods of moving files across the Internet, designed at a time when online security was not a major concern.
According to Censys, it still works on nearly 6 million servers, mainly because it was enabled by default in hosting panels and then forgotten about, rather than being maintained by deliberate administrative choice.
Because it persists and often runs unnoticed, security experts are now questioning whether this 55-year-old protocol should still be used.
FTP continues to persist in modern infrastructure
“If FTP appears in your asset inventory, the first question is not how to harden it, but rather whether it should be run. Use a more secure alternative,” Censys warns.
A considerable portion of the FTP exposure problem comes from control panel ecosystems that enable the protocol by default during initial server provisioning.
This means that the service often remains active through unattended configuration rather than through an affirmative choice made by the administrator.
Another major problem is that many FTP servers are not deliberately installed as a primary service.
They often come bundled with hosting platforms and control panels, where they are activated automatically during installation.
Over time, they remain active without regular review, making it difficult for organizations to know exactly how many FTP services they are running.
This creates low-visibility risks that may go unnoticed for long periods during ordinary operations.
It also reflects a broader infrastructure model in which convenience-driven services continue to operate long after their initial necessity has passed.
This persistence often leaves administrators uncertain about what still matters, what can be removed, and what has simply been forgotten.
FTP’s handling of passwords and other sensitive data during transmission is a major concern.
In some configurations, FTP may still send connection information in plain text, which means it could be intercepted if someone is monitoring network traffic.
Although some servers now support encryption, many still fail to use it or are poorly configured for secure connections.
This inconsistency exists because support varies between software packages and is highly dependent on installation choices made at the beginning.
As a result, organizations often face fragmented environments in which some traffic is protected, while other connections remain exposed in clear text.
Security researchers also note that FTP daemons behave differently, with some treating encryption as optional and others requiring administrative steps that are often neglected.
In practice, this leads to inconsistent protection across the Internet, depending on each server’s initial configuration.
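One way to find out which of these cases an FTP server in your own asset inventory falls into, as an added example that is not code from Censys or from this article: it sends FEAT, USER (never a password) and AUTH TLS on the control channel and classifies the replies. The function names, the `audit-probe` username, the sample replies, and the assumption that a server requiring TLS rejects a clear-text USER command are all assumptions of this example.

```python
import ftplib

def classify(send):
    """Classify TLS posture; send(cmd) returns the server's reply text."""
    feat = send("FEAT").upper()       # RFC 2389 feature listing
    user = send("USER audit-probe")   # placeholder name; no password is ever sent
    auth = send("AUTH TLS")           # sent last: after a 234 the server expects a TLS handshake
    tls_offered = "AUTH TLS" in feat or auth.startswith("234")
    cleartext_login = user[:3] in ("331", "230")  # server continues a clear-text login
    if not tls_offered:
        return "cleartext-only"
    return "tls-optional" if cleartext_login else "tls-required"

def audit_host(host, port=21, timeout=5):
    """Probe one FTP server you administer and return its classification."""
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=timeout)      # reads the 220 banner
    def send(cmd):
        try:
            return ftp.sendcmd(cmd)
        except ftplib.Error as exc:               # ftplib raises on 4xx/5xx replies
            return str(exc)
    try:
        return classify(send)
    finally:
        ftp.close()   # close without QUIT, since AUTH TLS may have been accepted

# Constructed reply sets for offline use (not captured from real servers).
SAMPLES = {
    "legacy":   {"FEAT": "211-Features:\n UTF8\n211 End",
                 "USER": "331 Password required",
                 "AUTH": "502 Command not implemented"},
    "optional": {"FEAT": "211-Features:\n AUTH TLS\n211 End",
                 "USER": "331 Password required",
                 "AUTH": "234 Proceed with negotiation"},
    "enforced": {"FEAT": "211-Features:\n AUTH TLS\n211 End",
                 "USER": "530 Encryption required",
                 "AUTH": "234 Proceed with negotiation"},
}

def fake_sender(replies):
    """Stand-in for a live connection: answers by command verb."""
    return lambda cmd: replies[cmd.split()[0]]

if __name__ == "__main__":
    for name, replies in SAMPLES.items():
        print(name, "->", classify(fake_sender(replies)))
```

A `tls-optional` result is the fragmented case described above: the server can encrypt, but a client that never asks for TLS still gets a clear-text login prompt.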




