BackUpWordPress
[resolved] New version 2.0.1 removes .htaccess file! (5 posts)

  1. sabrx
    Member
    Posted 1 year ago #

    Hello,

    I have just updated BackUpWordPress to the latest version, and it removes the .htaccess file from the directory where backups are stored, so all backups are accessible by anyone who knows the file name! Could you please fix this problem in the next release?

    Kind regards

    http://wordpress.org/extend/plugins/backupwordpress/

  2. Tom Willmot
    Human Made
    Plugin Author

    Posted 1 year ago #

    I've removed the reliance on using a .htaccess file for security as it didn't work in all cases (e.g. non-Apache servers).

    Instead the backups directory is protected from directory browsing by an index.php file and the backup filenames contain a long string of random characters making them very difficult / impossible to guess.

    BackUpWordPress is still secure.

  3. sabrx
    Member
    Posted 1 year ago #

    Dear Tom,

    Thanks for your reply. I must disagree with you, because:

    - over 80% of WordPress installations are powered by Apache, hence the presence of a .htaccess file is meaningful
    - file names of backups do not contain any random characters, but time data. In case I back up every day, an attacker can easily guess the file name by running an automated tool that will check all 86400 (24*60*60) combinations, which is not that many. Don't you agree?

    Kind regards
    Erich Szabo

  4. Tom Willmot
    Human Made
    Plugin Author

    Posted 1 year ago #

    Both good points,

    I'll likely bring back the .htaccess in the next version as that will increase security for all Apache installs.

    Thanks for your points.

  5. sabrx
    Member
    Posted 1 year ago #

    Thanks!

Topic Closed

This topic has been closed to new replies.
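
The protections discussed in this thread can be checked from the site owner's side. The following is an added example, not code from the plugin or from either poster: it audits a backup directory for a deny-all .htaccess, an index file, and file names whose only unknown part is the time of day. The 80-bit threshold, the hex-token heuristic, the archive extensions and all function names are assumptions, and the check only inspects files, so it cannot tell whether the web server actually honours .htaccess.

```python
import math
import re
import secrets
import tempfile
from datetime import date
from pathlib import Path

SECONDS_PER_DAY = 24 * 60 * 60  # 86400 candidates per day, as counted in the thread
MIN_BITS = 80                   # assumed threshold for "not guessable"
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)
TOKEN_RE = re.compile(r"[0-9a-f]{20,}", re.I)


def guess_space_bits(name: str) -> float:
    """Bits an outsider must guess for a backup name when the date is known."""
    token = TOKEN_RE.search(name)
    if token and not token.group(0).isdigit():  # digit-only runs are likely timestamps
        return 4.0 * len(token.group(0))        # 4 bits per hex character
    return math.log2(SECONDS_PER_DAY)           # only the time of day is unknown


def new_backup_name(prefix: str = "backup") -> str:
    """Date for humans plus a 128-bit token from the OS CSPRNG."""
    return f"{prefix}-{date.today().isoformat()}-{secrets.token_hex(16)}.zip"


def audit_backup_dir(path: Path) -> dict:
    """Report which of the protections discussed in the thread are in place."""
    htaccess = path / ".htaccess"
    archives = [p.name for p in path.iterdir() if p.suffix in {".zip", ".sql", ".gz"}]
    return {
        "htaccess_denies": htaccess.is_file() and bool(DENY_RE.search(htaccess.read_text())),
        "index_present": any((path / n).is_file() for n in ("index.php", "index.html")),
        "guessable_names": sorted(n for n in archives if guess_space_bits(n) < MIN_BITS),
    }


def demo() -> dict:
    """Audit a constructed directory: no .htaccess, one time-based name, one random name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php // silence\n")
        (root / "backup-2012-03-05-14-30-00.zip").write_bytes(b"")  # constructed name
        (root / new_backup_name()).write_bytes(b"")
        return audit_backup_dir(root)


if __name__ == "__main__":
    print(demo())
```

A time-based name scores about 16.4 bits (log2 of 86400), while the 32-character hex token scores 128 bits.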
