‘The first question isn’t how to harden it, it’s whether it should be running at all’: Security experts explain why you really shouldn’t be running FTP servers anymore
- FTP still runs widely due to forgotten default configurations
- Millions of servers expose FTP without active administrative awareness
- Encryption inconsistencies leave many FTP connections completely unprotected online
The File Transfer Protocol (FTP) is one of the oldest methods for moving files over the internet, designed during an era when online security was not a primary concern.
According to Censys, it still runs on almost 6 million servers primarily because it was activated by default within hosting panels and subsequently forgotten, rather than being maintained through deliberate administrative choice.
Due to its persistent and often unnoticed operations, security experts now question whether this 55-year-old protocol should be used at all.
Article continues below
FTP continues to persist in modern infrastructure
“If FTP is showing up in your asset inventory, the first question isn’t how to harden it, it’s whether it should be running at all. Use a more secure alternative,” Censys warns.
A considerable portion of the FTP exposure problem originates from control panel ecosystems that enable the protocol by default during initial server provisioning.
This means the service often remains active through unattended configuration rather than through any affirmative choice made by the administrator.
Another major issue is that many FTP servers are not deliberately installed as a primary service.
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
They often come bundled with hosting platforms and control panels, where they are enabled automatically during setup.
Over time, they remain active without regular review, making it difficult for organizations to know exactly how many FTP services they are running.
This creates quiet risks that can remain unnoticed for long periods within ordinary operations.
It also reflects a broader infrastructure pattern where convenience-driven services continue operating long after their original necessity has faded.
That persistence often leaves administrators uncertain about what still matters, what can be removed, and what has simply been forgotten.
FTP’s handling of passwords and other sensitive data during transmission is a major concern.
In some setups, FTP can still send login details in plain text, which means they could be intercepted if someone is watching network traffic.
Although some servers now support encryption, many still fail to use it or are misconfigured for secure connections.
This inconsistency exists because support varies across software packages and depends heavily on installation choices made early on.
As a result, organizations often face fragmented environments where some traffic is protected, while other connections remain exposed in clear text.
Security researchers also note that FTP daemons behave differently, with some treating encryption as optional and others requiring overlooked administrative steps.
In practice, this leads to inconsistent protection across the internet, depending on how each server was originally configured.

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
Source
FTP still runs widely due to forgotten default configurations Millions of servers expose FTP without active administrative awareness Encryption inconsistencies leave many FTP connections completely unprotected online The File Transfer Protocol (FTP) is one of the oldest methods for moving files over the internet, designed during an era when online…
Recent Posts
- Apple has banned home service content on upcoming Maps ads
- Google might not kneecap the Pixel 11a with an old processor
- How to watch France vs England: Free Streams, TV Channels & Kick-Off time for FIFA World Cup 2026 third place play-off
- EV tech is trickling down to hybrid and combustion vehicles, and I’m here for it
- X and music publishers quietly settle opposing lawsuits
Archives
- July 2026
- June 2026
- May 2026
- April 2026
- March 2026
- February 2026
- January 2026
- December 2025
- November 2025
- October 2025
- September 2025
- August 2025
- July 2025
- June 2025
- May 2025
- April 2025
- March 2025
- February 2025
- January 2025
- December 2024
- November 2024
- October 2024
- September 2024
- August 2024
- July 2024
- June 2024
- May 2024
- April 2024
- March 2024
- February 2024
- January 2024
- December 2023
- November 2023
- October 2023
- September 2023
- August 2023
- July 2023