According to a recent April 2026 report by security researcher Himaja Motheram at Censys, just under 6 million internet-facing hosts are still running the File Transfer Protocol (FTP).
While this marks a significant 40% decline from the 10.1 million servers observed in 2024, the presence of this decades-old protocol continues to pose an exposure risk due to widespread insecure default configurations.
The Censys report highlights that the dominant story of FTP exposure in 2026 is not purpose-built file transfer infrastructure, but rather an accumulation of platform defaults on shared hosting networks and broadband providers.
The State of Encryption and Regional Risks
When it comes to securing these servers, the data reveals a mixed landscape. Censys found that roughly 58.9% of observed FTP hosts completed a Transport Layer Security (TLS) handshake, meaning they support encrypted connections.

However, this leaves approximately 2.45 million hosts without observed evidence of encryption, potentially allowing them to transmit files and credentials in cleartext.
The lack of encryption adoption varies significantly by region. According to Censys data, mainland China and South Korea have the lowest TLS adoption rates among the top 10 hosting countries, at 17.9% and 14.5%, respectively.
Meanwhile, Japan accounts for 71% of all FTP servers globally that still rely on outdated, deprecated legacy encryption protocols such as TLS 1.0 and 1.1.
The security posture of these 6 million servers is heavily influenced by the default settings of the software daemons running them.
Key technical observations from the Censys report include:
- Pure-FTPd Dominance: Operating on roughly 1.99 million services, this is the most common FTP daemon, largely driven by its inclusion as a default in cPanel hosting environments.
- The IIS FTP Configuration Trap: Over 150,000 Microsoft IIS FTP services return a “534” error response, indicating TLS was never configured.
While IIS defaults to a policy that appears to require encryption, it does not bind a security certificate upon a fresh installation.
Consequently, the server accepts cleartext credentials, even though the configuration appears to enforce TLS.
- Hidden Nonstandard Ports: Relying only on port 21 scans misses a significant portion of the attack surface.
Tens of thousands of FTP services run on alternate ports, such as 10397 or 2121, often tied to specific telecom operations or network-attached storage devices.
Mitigation and Hardening Strategies

For enterprise defenders and infrastructure administrators, Censys strongly recommends evaluating whether FTP is truly necessary before attempting to harden it.
Organizations should consider the following mitigation strategies:
- Migrate to Secure Alternatives: Whenever possible, replace FTP with SSH File Transfer Protocol (SFTP), which encrypts credentials and data by default over port 22.
- Enforce Explicit TLS: If legacy FTP infrastructure must remain online, administrators should configure their daemons to enforce Explicit TLS (FTPS) and refuse cleartext connections.
- Fix IIS Certificate Bindings: Windows Server administrators using IIS FTP must ensure that a valid certificate is bound to the FTP site and verify that the SSL policy actively enforces encryption.
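To verify the IIS configuration trap described above (a 534 reply to AUTH TLS while a cleartext USER is still accepted) and the "refuse cleartext" mitigation on your own FTP inventory, including hosts on nonstandard ports, here is an added posture checker; it is not Censys' tooling or code from the report. It assumes a raw-socket FTP exchange and a hypothetical probe username, and it never sends a password.

```python
import socket
from enum import Enum
from typing import Optional

class FtpPosture(Enum):
    EXPLICIT_TLS = "AUTH TLS accepted (234): encrypted control channel available"
    TLS_POLICY_TRAP = "AUTH TLS refused with 534 but cleartext login proceeds: no certificate bound"
    CLEARTEXT_ONLY = "AUTH TLS unsupported: credentials and data travel in cleartext"
    LOGIN_REFUSED = "AUTH TLS refused and cleartext login refused too"

def classify(auth_tls_reply: str, user_reply: Optional[str]) -> FtpPosture:
    """Classify from the AUTH TLS reply and, if TLS was refused, the reply to a cleartext USER.
    RFC 4217/959 codes: 234 starts the handshake, 534 = denied by policy, 331 = password wanted."""
    auth_code, user_code = auth_tls_reply[:3], (user_reply or "")[:3]
    if auth_code == "234":
        return FtpPosture.EXPLICIT_TLS
    if user_code == "331":
        # IIS trap: policy looks enforced, but with no certificate bound AUTH TLS gets 534 and cleartext login still proceeds.
        return FtpPosture.TLS_POLICY_TRAP if auth_code == "534" else FtpPosture.CLEARTEXT_ONLY
    return FtpPosture.LOGIN_REFUSED

def read_reply(rfile) -> str:
    """Read one FTP reply, including multi-line '220-...' continuations (RFC 959)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("connection closed mid-reply")
        line = raw.decode("latin-1", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) >= 4 and line[:3].isdigit() and line[3] == " ":
            return "\n".join(lines)

def probe(host: str, port: int = 21, timeout: float = 5.0) -> FtpPosture:
    """Check one of your own FTP hosts (on any port) without logging in."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        read_reply(rfile)                            # 220 banner
        sock.sendall(b"AUTH TLS\r\n")
        auth_reply = read_reply(rfile)
        user_reply = None
        if not auth_reply.startswith("234"):
            sock.sendall(b"USER posture-check\r\n")  # hypothetical probe user; no password is ever sent
            user_reply = read_reply(rfile)
        sock.sendall(b"QUIT\r\n")
        return classify(auth_reply, user_reply)

# Constructed replies (not captured from real hosts): the trap case the report describes, for an offline check.
if __name__ == "__main__":
    print(classify("534 Request denied for policy reasons.", "331 Password required.").value)
```

A host classified as TLS_POLICY_TRAP or CLEARTEXT_ONLY is one to migrate to SFTP or to fix by binding a certificate and configuring the daemon to refuse cleartext sessions.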
Ultimately, while the internet’s reliance on FTP is slowly shrinking, millions of instances continue to run quietly in the background.
As Censys warns, the primary risk is not advanced zero-day attacks, but the simple failure to update default configurations that leave systems unnecessarily exposed.