htaccess and Kangaroos cannot jump here
There’s a bit of a security risk with the backups folder.
The message “Kangaroos cannot jump here” is always displayed when the folder is accessed directly, which is fine. However, the message itself tells the world that the plugin is installed on the website. Also, the .htaccess file does not limit access to the backup files ending in .wpress. With no other security plugins, a user is free to guess (or brute-force search) the names of the backup files and then download them.
When I try to overwrite the .htaccess file, it is automatically overwritten by the plugin, so I am unable to tighten security.
I think it would be better to return a plain 404 so that there is no hint that the plugin is installed. Also, I think public access to the backup files should be prevented using the .htaccess file, for example with the following or something similar:
```apache
# Deny access to files with the listed extensions (archives, dumps,
# configs, scripts and the plugin's .wpress backups).
# Note: straight quotes are required; curly quotes make the regex never match.
<FilesMatch "\.(ini|psd|log|sh|zip|wpress|bz2|gzip|php|config|html)$">
    Order allow,deny
    Deny from all
</FilesMatch>
```
thanks
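As an added example, not part of the original post and not the plugin's own .htaccess, here is a fragment for the backups directory that covers both points raised above: it refuses the backup files and does so with a plain 404 rather than a 403, so a guessed name looks like a file that does not exist. It assumes Apache 2.4 with mod_alias and mod_authz_core loaded, an AllowOverride that permits FileInfo, AuthConfig/Limit and Options in .htaccess, and that nothing legitimately fetches the archives over plain HTTP from this folder; the extension list is an assumption as well and should be trimmed to what the site actually stores.

```apache
# Added example for a backups-folder .htaccess (not the plugin's file).
# Assumes Apache 2.4, mod_alias + mod_authz_core, and AllowOverride that
# allows FileInfo, AuthConfig/Limit and Options here.

# Weak (Apache 2.2 syntax, as in the original post). On 2.4 it only works
# when mod_access_compat is loaded, and it answers 403, which still
# confirms that the path exists.
#<FilesMatch "\.wpress$">
#    Order allow,deny
#    Deny from all
#</FilesMatch>

# Hardened: answer a plain 404 for any archive/dump extension a backup
# might carry. (?i) makes the match case-insensitive so BACKUP.WPRESS
# is not an accidental bypass on case-insensitive filesystems.
<IfModule mod_alias.c>
    RedirectMatch 404 "(?i)\.(wpress|zip|tar|gz|tgz|bz2|sql|log|ini|sh|bak)$"
    # The directory URL itself (trailing slash) also gets a 404 instead of
    # an index page or a plugin message.
    RedirectMatch 404 "/$"
</IfModule>

# Fallback if mod_alias is absent: refuse with the 2.4 authorization
# syntax. This yields 403 rather than 404, but the files stay unreadable.
<IfModule !mod_alias.c>
    <FilesMatch "(?i)\.(wpress|zip|tar|gz|tgz|bz2|sql|log|ini|sh|bak)$">
        Require all denied
    </FilesMatch>
</IfModule>

# Never list the directory; a listing would reveal the backup names.
Options -Indexes
```

Two caveats a practitioner should check after deploying this: a request for the folder without a trailing slash still receives mod_dir's 301 redirect to the slashed form unless `DirectorySlash Off` is set, which itself confirms the directory exists; and, since the post reports the plugin rewriting this .htaccess, the same directives can be placed in the virtual host's `<Directory>` block for the backups path, where the plugin cannot overwrite them.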