WordPress.org

Support

Support » Plugins and Hacks » [Resolved] Backups folder without security measures

[Resolved] Backups folder without security measures

  • Samuel Aguilera

    @samuelaguilera

    Hi again!

    From 2.4 changelog:

    Changed the storage of backup files from the plugin’s directory to the uploads directory. Also added a .htaccess file for security.

    Well, you moved from the plugin’s directory to the uploads directory, that’s true. But at least at my test site the directory is created, the backup files too, but not .htaccess file was created. So the directory is completely unprotected and accesible by the world.

    By the way, I feel that uploads directory is not the place for something that it’s not an upload, and can produce some problems. For example, in this case (no .htaccess was created) the content of the backup folder can be indexed because is in an unprotected directory that is allowed to crawlers.

    If the backup directory was in wp-content/ instead o wp-content/uploads/, it would be more safe. And if you add some random part to the directory name, for example “aiowps_backups_d2G5” instead of the actual “aiowps_backups” much better too.

    Best regards!

    http://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

Viewing 12 replies - 1 through 12 (of 12 total)
  • Plugin Author wpsolutions

    @wpsolutions

    Hi Samuel,
    The plugin will create a .htaccess file inside the “aiowps_backups” directory. It appears that this operation has for some reason failed on your site.
    I suggest for now that you manually create a .htaccess with the following contents and FTP it to the “aiowps_backups” directory:

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !(wp-admin/admin.php) [NC]
    RewriteRule .* http://127.0.0.1 [L]
    </IfModule>

    The above will block all attempts at getting access to the files unless you are clicking on the backup file link in the admin panel.

    Also in the meantime I have added a log statement in our code (which will be in the release) to alert us if/when the creation of the .htaccess fails.

    Samuel Aguilera

    @samuelaguilera

    Well, I can’t see any reason for the .htacces failed to create on the host (directory and backup files were created without problems).

    But I’ll test on other sites and report back.

    By the way, adding the possibility to set the backup path in the settings would be very appreciated.

    Samuel Aguilera

    @samuelaguilera

    Tested on another site and the same result. No .htacess was created in the backups directory.

    First site is hosted on a shared hosting provider, so I don’t know very much about the server configuration. But the second one is hosted on a dedicated server that I manage and I’m sure there’s no problem with the server configuration.

    No errors were found in the Apache logs.

    Honestly I think you should check the code responsible for the .htaccess file. And take additional security measures like moving the folder to a protected dir like wp-content/ (no uploads!) and adding some random part to the backups folder name.

    The actual behaviour can be a serious security flag.

    Plugin Author wpsolutions

    @wpsolutions

    I just performed another clean installation on a new site and the plugin correctly creates the .htaccess file automatically inside the backups directory.

    I wonder if your server is for some reason not allowing the “file_put_contents” php function to execute correctly?

    Can you please check the “error_log” files on your server by going to the following menu item of this plugin:
    Filesystem Security then click the Host System Logs tab.

    Then check if there are any logs related to the “file_put_contents” command.

    Samuel Aguilera

    @samuelaguilera

    Hi!

    No errors related to “file_put_contents” or any other issue about creating files.

    I don’t think that can be the problem, because the backup file and the backups folder are created without any problem. The only missing file is the .htaccess

    It seems that the plugin simply never tries to create it… 😕

    Also file permissions tab are all green.

    Let me know if I can do any other test for you.

    Plugin Author mra13

    @mra13

    We have made some changes in our new version that should fix this file creation issue hopefully. We should have a commit today or tomorrow.

    Regarding the uploads folder question… why do you think that it is a security concern when we have a .htaccess file in that folder to prevent anyone from viewing anything inside the folder. The folder is not browse-able either (even without the .htaccess file). Also, the name of the file has a unique random prefix so no one can guess that either.

    If the contents of the backup directory do not need to be accessed from HTTP, all you need is this in that corresponding .htaccess file:

    deny from all

    A referrer can easily be spoofed.

    Samuel Aguilera

    @samuelaguilera

    Ok thanks, I’ll test when you released it and report back.

    Well, as you can see (at least at present) the .htaccess is not always created.

    If you add to this that a lot of shared hostings has “indexes” enabled (really, a lot), and you put the folder in wp-content/uploads/ that has not any “index.php” file protecting from directory listing, and finally you used a fixed name for the backup folder.

    So someone can simply create a script to run over WP sites with the path to backup (because they know the full path because of the fixed name) and find installations with indexes enabled and then grab all the files on it.

    Maybe the best choice would be to add a new option to plugin settings allowing user to put the full path where they want to create the backup folder. (This adds the option to the user to choose even a path outsite of the public access).

    Or if you don’t want that, at least adds some random part to the folder name and put it on wp-content (no uploads) that it’s protected from directory listing with an index.php file by WP core files.

    Plugin Author mra13

    @mra13

    Okies… we will move it to the wp-content folder.

    Samuel Aguilera

    @samuelaguilera

    Thank you very much! 😉

    Plugin Author mra13

    @mra13

    The new version should take care of this.

    Samuel Aguilera

    @samuelaguilera

    I can confirm new version is working fine and creates all files, including .htaccess and blank index.html 🙂

    Thank you!

Viewing 12 replies - 1 through 12 (of 12 total)
  • The topic ‘[Resolved] Backups folder without security measures’ is closed to new replies.