APPROXIMATELY 6 million internet-accessible systems are using FTP today, and almost half of them do not use encryption, according to Censys. The number of hosts running an internet-facing FTP service has fallen by about 40% since 2024, from 10.1 million to 5.94 million, yet the protocol still accounts for 2.72% of all internet-visible systems.
Of the 2.45 million FTP hosts that lack encryption, 994,000 do not implement AUTH TLS on the scanned port, 813,000 ask for a password before establishing an encrypted channel, and more than 170,000 do not have explicit TLS support. Most FTP-visible hosts are in the United States (1.2 million), with China, Germany, Hong Kong, Japan, and France also hosting significant numbers.
Pure-FTPd remains the most commonly running server, followed by ProFTPD and vsftpd, while Microsoft’s IIS accounts for 259,000 services, more than 150,000 of which have never had encryption set up. Organisations are urged to remove FTP or move to encrypted alternatives such as SFTP or FTPS, and if FTP must stay, to enable Explicit TLS where possible.