Per a recent report from April 2026 by security analyst Himaja Motheram at Censys, slightly under 6 million internet-exposed hosts continue to operate the File Transfer Protocol (FTP).

Although this represents a notable 40% reduction from the 10.1 million servers recorded in 2024, the ongoing existence of this decades-old protocol remains a risk for exposure due to prevalent insecure default settings.

The Censys analysis emphasizes that the prevailing narrative of FTP exposure in 2026 stems not from specialized file transfer systems, but rather from a buildup of platform defaults on shared hosting environments and broadband providers.

The State of Encryption and Regional Threats

Regarding the security of these servers, the findings show a varied landscape. Censys determined that approximately 58.9% of detected FTP hosts successfully completed a Transport Layer Security (TLS) handshake, indicating their support for encrypted connections.

FileZilla server responding with a humorous TLS response (Source: Censys)

Nonetheless, this indicates that roughly 2.45 million hosts lack observable evidence of encryption, possibly allowing them to transfer files and credentials in cleartext.

The degree of encryption adoption varies considerably by region. Based on Censys data, mainland China and South Korea report the lowest TLS adoption rates among the top 10 hosting nations, at 17.9% and 14.5%, respectively.

In contrast, Japan accounts for 71% of all FTP servers worldwide that still depend on deprecated legacy encryption protocols such as TLS 1.0 and 1.1.

The security posture of these 6 million servers is significantly shaped by the default configurations of the software daemons operating them.

Key technical insights from the Censys report encompass:

  • Dominance of Pure-FTPd: Functioning on about 1.99 million services, this is the most prevalent FTP daemon, mainly due to its incorporation as a default in cPanel hosting settings.
  • The IIS FTP Configuration Pitfall: More than 150,000 Microsoft IIS FTP services generate a “534” error response, indicating that TLS was never configured.

    While IIS defaults to a policy that seemingly demands encryption, it does not bind a server certificate to the FTP site during a fresh installation.

    As a result, the server permits cleartext credentials, even though the configuration appears to enforce TLS.

  • Concealed Nonstandard Ports: Limiting scans to port 21 overlooks a substantial portion of the attack surface.

    Tens of thousands of FTP services operate on alternate ports, such as 10397 or 2121, often associated with specific telecom functions or network-attached storage devices.

Mitigation and Fortification Approaches

2.35 Million FTP Services Without Evidence of TLS (Source: Censys)

For enterprise defenders and infrastructure operators, Censys strongly advises assessing whether FTP is indeed necessary before proceeding to harden it.

Organizations should take into account the following mitigation measures:

  • Shift to Secure Alternatives: Whenever feasible, substitute FTP with SSH File Transfer Protocol (SFTP), which encrypts credentials and data by default over port 22.
  • Enforce Explicit TLS: If legacy FTP infrastructure must stay online, administrators ought to configure their daemons to mandate Explicit TLS (FTPS) and deny cleartext connections.
  • Correct IIS Certificate Bindings: Windows Server administrators using IIS FTP should guarantee that a valid certificate is bound to the FTP site and confirm that the SSL policy effectively enforces encryption.
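The exposure classes described above (the IIS "534" pattern where a policy is set but no certificate is bound, daemons that never offer TLS at all, legacy TLS versions, and FTP listening on ports such as 2121 or 10397) can be checked against an organization's own inventory before and after the mitigations are applied. The Python probe below is an added example written for this article; it is not Censys's scanner or any tool the report mentions. The port list, the `127.0.0.1` placeholder host, the exposure-class names and the sample reply strings are assumptions of the example, not values from the report.

```python
"""Added example: audit FTP control channels in your own inventory for the
exposure classes Censys describes (no TLS offered, the IIS '534' pattern,
legacy TLS versions, FTP on nonstandard ports). Hosts/ports are placeholders."""
import io
import socket
import ssl

# Port 21 plus the alternate ports the report names (assumed worth checking)
DEFAULT_PORTS = (21, 2121, 10397)
LEGACY_VERSIONS = ("SSLv3", "TLSv1", "TLSv1.1")


def read_reply(rfile):
    """Read one FTP reply, including RFC 959 multi-line replies
    ('220-...' continues until a line that starts with '220 ')."""
    first = rfile.readline().decode("latin-1", "replace")
    if not first:
        raise ConnectionError("connection closed before reply")
    lines = [first.rstrip("\r\n")]
    if len(first) > 3 and first[3] == "-":
        code = first[:3]
        while True:
            line = rfile.readline().decode("latin-1", "replace")
            if not line:
                break
            lines.append(line.rstrip("\r\n"))
            if line.startswith(code + " "):
                break
    return "\n".join(lines)


def parse_reply(raw):
    """Parse a reply from raw bytes (lets the classifier be exercised offline)."""
    return read_reply(io.BytesIO(raw))


def classify_auth_tls(reply):
    """Map the reply to 'AUTH TLS' (RFC 4217) onto an exposure class."""
    code = reply[:3]
    if code == "234":
        return "tls-offered"
    if code == "534":
        # The pattern the report attributes to IIS: SSL policy present, no certificate bound
        return "tls-not-configured"
    if code in ("500", "502", "504"):
        return "auth-tls-unsupported"  # command unknown or not implemented
    if code[:1] in ("4", "5"):
        return "tls-refused"
    return "unknown"


def probe(host, port, timeout=5.0):
    """One control connection: banner, AUTH TLS outcome and negotiated TLS version."""
    result = {"host": host, "port": port, "banner": None, "auth_tls": None,
              "tls_version": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            rfile = sock.makefile("rb")
            result["banner"] = read_reply(rfile)
            sock.sendall(b"AUTH TLS\r\n")
            result["auth_tls"] = classify_auth_tls(read_reply(rfile))
            if result["auth_tls"] == "tls-offered":
                ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE  # inventory check, not a trust decision
                try:
                    ctx.minimum_version = ssl.TLSVersion.TLSv1  # allow legacy so it can be observed
                except (ValueError, ssl.SSLError):
                    pass  # this OpenSSL build refuses TLS 1.0/1.1; only newer versions are visible
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    result["tls_version"] = tls.version()
    except (OSError, ValueError) as exc:  # ssl.SSLError and timeouts are OSError subclasses
        result["error"] = str(exc)
    return result


def findings(result):
    """Turn one probe result into the issues a defender would act on."""
    issues = []
    if result["error"] is not None:
        return issues  # nothing listening or unreachable: no finding
    if result["auth_tls"] == "tls-not-configured":
        issues.append("TLS policy set but no certificate bound (IIS '534' pattern): logins are cleartext")
    elif result["auth_tls"] in ("auth-tls-unsupported", "tls-refused"):
        issues.append("no TLS on control channel: credentials travel in cleartext")
    if result["tls_version"] in LEGACY_VERSIONS:
        issues.append("legacy %s negotiated" % result["tls_version"])
    if result["port"] != 21:
        issues.append("FTP on nonstandard port %d" % result["port"])
    return issues


def audit(hosts, ports=DEFAULT_PORTS, timeout=5.0):
    """Probe every host/port pair and attach findings."""
    out = []
    for host in hosts:
        for port in ports:
            r = probe(host, port, timeout)
            r["findings"] = findings(r)
            out.append(r)
    return out


if __name__ == "__main__":
    import sys
    # Placeholder: pass hosts from your own inventory on the command line
    for r in audit(sys.argv[1:] or ["127.0.0.1"]):
        print(r["host"], r["port"], r["auth_tls"], r["tls_version"], r["error"] or "", r["findings"])
```

A host that answers `234` to `AUTH TLS` has only shown that it offers encryption; whether it still accepts a cleartext `USER`/`PASS` before `AUTH TLS` (the "deny cleartext connections" part of the mitigation) needs a second connection that sends `USER` first and checks for a `530`-style refusal, which this example leaves out to stay short. Run it after fixing the IIS certificate binding or the daemon's TLS setting and the `534`/cleartext findings for that host should disappear.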

Ultimately, while the internet’s dependency on FTP is gradually declining, millions of instances persist quietly in the background.

As Censys cautions, the fundamental risk is not sophisticated zero-day exploits, but rather the mere neglect to update default configurations that leave systems unnecessarily vulnerable.