
Half of the 6 Million Internet-Facing FTP Servers Lack Encryption
Why It Matters
Unencrypted FTP exposes credentials and data to interception, jeopardizing compliance and corporate security. The persistence of vulnerable servers highlights a gap in legacy‑system remediation across major hosting ecosystems.
Key Takeaways
- 2.45 million FTP servers lack encryption, exposing credentials
- FTP hosts dropped 40% since 2024, still 2.72% of internet systems
- Pure‑FTPd powers nearly 2 million of the unencrypted services
- US hosts most FTP servers; China, Germany follow
- Experts advise replacing FTP with SFTP or FTPS, or disabling it
Pulse Analysis
FTP’s longevity is a double‑edged sword. Designed in the 1970s, the protocol still underpins legacy file‑transfer workflows, but its clear‑text nature makes it a prime target for eavesdropping and credential theft. The Censys scan, covering the entire IPv4 address space, reveals that nearly half of the remaining public FTP endpoints transmit data without TLS, a risk amplified by automated botnets that routinely harvest login details from such services. This exposure is especially concerning for regulated sectors where data‑in‑transit encryption is a compliance baseline.
Geographically, the United States leads with 1.2 million exposed servers, followed by China, Germany, Hong Kong, Japan and France. Major hosting and broadband providers—China Unicom, Alibaba, OVH, Hetzner, KDDI and GoDaddy—account for a sizable share, indicating that default configurations in commodity hosting environments often leave FTP unsecured. The dominance of Pure‑FTPd, ProFTPD and vsftpd reflects the open‑source ecosystem’s prevalence, yet many installations lack explicit TLS support or fail to enable AUTH TLS, leaving a large attack surface for threat actors scanning the internet.
Industry analysts recommend a phased retirement of FTP in favor of encrypted protocols. SFTP, built on SSH, and FTPS, which adds TLS to the classic FTP command set, provide strong confidentiality and integrity guarantees while maintaining compatibility with most client tools. For organizations unable to eliminate FTP immediately, enabling explicit TLS on servers like Pure‑FTPd and vsftpd is a low‑effort mitigation. As regulatory scrutiny intensifies and cloud providers tighten default security postures, the window for unsecured FTP is narrowing, prompting enterprises to prioritize remediation to avoid data breaches and potential fines.
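A defender-side inventory check matching the remediation above, added here as an example and not part of the original article or of Censys' tooling: it classifies FTP servers by whether their FEAT reply advertises AUTH TLS (or AUTH SSL) together with PROT, i.e. explicit FTPS per RFC 4217, so clear-text-only hosts can be prioritised for TLS enablement or retirement. The hostnames, the sample FEAT replies and the fetch_feat helper are assumptions constructed for the example.

```python
"""Classify FTP servers by the explicit-TLS features their FEAT reply advertises.

Explicit FTPS (RFC 4217) is negotiated with AUTH TLS, then PBSZ 0 and PROT P.
A server whose FEAT reply lists none of these leaves clients in clear text.
"""
from __future__ import annotations

import re
from ftplib import FTP, error_perm

# Constructed sample FEAT replies (hypothetical hosts, not captured from real servers).
SAMPLE_FEAT_REPLIES = {
    "ftp-a.example.internal": "211-Features:\n AUTH TLS\n PBSZ\n PROT\n UTF8\n211 End",
    "ftp-b.example.internal": "211-Extensions supported:\n EPRT\n EPSV\n MDTM\n SIZE\n211 End.",
    "ftp-c.example.internal": "211-Features:\n AUTH SSL\n AUTH TLS\n PBSZ\n PROT\n211 End",
    "ftp-d.example.internal": "502 Command not implemented",
}

def parse_feat(reply: str) -> set[str]:
    """Return upper-cased feature lines from a 211 multi-line FEAT reply (RFC 2389).
    Feature lines are indented by one space; the whole line is kept so that
    'AUTH TLS' and 'AUTH SSL' stay distinguishable from other AUTH mechanisms."""
    return {line.strip().upper() for line in reply.splitlines() if line.startswith(" ")}

def classify(reply: str) -> str:
    """Map one FEAT reply to a remediation bucket."""
    if not reply.startswith("211"):
        return "no-feat"  # FEAT unsupported (e.g. 502): server cannot advertise AUTH TLS at all
    feats = parse_feat(reply)
    auth_tls = any(re.match(r"AUTH\b.*\b(TLS|SSL)\b", f) for f in feats)
    has_prot = any(f.startswith("PROT") for f in feats)
    if auth_tls and has_prot:
        return "explicit-tls"          # control and data channels can both be protected
    if auth_tls:
        return "explicit-tls-no-prot"  # control channel only; data transfers stay clear text
    return "cleartext-only"            # credentials and files cross the wire unencrypted

def audit(replies: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by bucket so the clear-text ones can be fixed or decommissioned first."""
    groups: dict[str, list[str]] = {}
    for host, reply in sorted(replies.items()):
        groups.setdefault(classify(reply), []).append(host)
    return groups

def fetch_feat(host: str, port: int = 21, timeout: float = 5.0) -> str:
    """Fetch the FEAT reply from a server you administer; not used by the offline demo."""
    with FTP() as ftp:
        ftp.connect(host, port, timeout=timeout)
        try:
            return ftp.sendcmd("FEAT")   # full multi-line 211 reply as one string
        except error_perm as exc:        # 5xx reply: FEAT unsupported
            return str(exc)

if __name__ == "__main__":
    for bucket, hosts in audit(SAMPLE_FEAT_REPLIES).items():
        print(f"{bucket:22} {', '.join(hosts)}")
```

Advertising AUTH TLS is not the same as requiring it: on vsftpd, for instance, ssl_enable=YES only offers TLS, while force_local_logins_ssl=YES and force_local_data_ssl=YES refuse clear-text logins and transfers outright.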