WordPress Backup to Dropbox
[resolved] Security Implications when using wpb2d (5 posts)

  1. object81
    Member
    Posted 1 year ago

    After using this plugin for a while I today discovered that it makes a SQL dump and places this in wp-content/backups/wordpress_SITENAME-backup-core.sql.

    This SQL dump can be downloaded by anyone. I'm actually not sure if the server or the plugin is somehow misconfigured, or if this is the default behaviour of wpb2d.

    I disabled the plugin until I know what happens here.

    http://wordpress.org/extend/plugins/wordpress-backup-to-dropbox/

  2. Michael De Wildt
    Member
    Plugin Author

    Posted 1 year ago

    G'day,

    The SQL is removed when the backup completes, so there is only a small window to guess your site name and grab the file.

    If you have .htaccess enabled on your server then you can add one to the backups directory containing 'deny from all'.

    This will make it impossible for users to download the SQL dump. The plugin used to write this file but I had to remove the feature because it was causing other issues.

    Hmm, security by obscurity is probably the best option here and I will make some changes for the next release.

    Cheers,
    Mikey

  3. object81
    Member
    Posted 1 year ago

    Thank you!

    Will look into the .htaccess change and look forward to your next release. Nice work!

  4. Michael De Wildt
    Member
    Plugin Author

    Posted 11 months ago

    Version 1.5 now appends a SHA1 secret to these files making it impossible to guess.

    Cheers,
    Mikey

  5. Phantec
    Member
    Posted 9 months ago

    This is not resolved, because it is written to a log file which is very easy to read:
    Uploading large file 'blog-backup-core.sql.SHA1-wpb2d-secret' (xMB) in chunks
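
The point raised in posts 4 and 5 is that a secret appended to the dump's filename stops being a secret once the filename is written to a readable log. As an added example (not code from the plugin or from anyone in this thread), the following Python shows both halves of the defensive fix: scanning existing log lines for a leaked suffix, and redacting it before a line is written. The filename pattern `-backup-core.sql.<secret>` is taken from the log line quoted above; treating everything up to the next quote or whitespace as the secret, and the sample log lines with their hex token, are assumptions constructed for the example.

```python
import re
from typing import List, Tuple

# Matches a wpb2d-style dump name followed by a secret suffix, as in the log line
# quoted in the thread: "...-backup-core.sql.<secret>". The exact token format is an
# assumption; anything up to the next quote or whitespace is treated as the secret.
SECRET_SUFFIX = re.compile(r"(-backup-core\.sql\.)([^\s'\"]+)")

REDACTED = "[REDACTED]"


def redact_backup_secret(line: str) -> str:
    """Return the log line with any dump-file secret suffix replaced."""
    return SECRET_SUFFIX.sub(lambda m: m.group(1) + REDACTED, line)


def find_leaked_secrets(lines: List[str]) -> List[Tuple[int, str]]:
    """Scan existing log lines; return (1-based line number, leaked token) pairs."""
    leaks = []
    for n, line in enumerate(lines, start=1):
        for m in SECRET_SUFFIX.finditer(line):
            leaks.append((n, m.group(2)))
    return leaks


class RedactingLogger:
    """Minimal log sink that redacts before writing, so the secret never reaches disk."""

    def __init__(self) -> None:
        self.written: List[str] = []

    def log(self, message: str) -> None:
        self.written.append(redact_backup_secret(message))


# Constructed sample log lines (not real plugin output); the token is a made-up hex string.
SAMPLE_LOG = [
    "Uploading large file 'blog-backup-core.sql.3f786850e387550fdab836ed7e6dc881de23001b' (12MB) in chunks",
    "Uploading file 'wp-content/uploads/2013/01/photo.jpg' (0.4MB)",
    "Backup complete",
]

if __name__ == "__main__":
    for n, token in find_leaked_secrets(SAMPLE_LOG):
        print(f"line {n}: leaked secret {token}")
    for line in SAMPLE_LOG:
        print(redact_backup_secret(line))
```

Running `find_leaked_secrets` over an existing log tells you whether a token has already been exposed and should be rotated; routing new messages through `RedactingLogger` keeps the unguessable suffix out of the log in the first place, which is what makes the version 1.5 approach hold up.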

Topic Closed

This topic has been closed to new replies.