WordPress.org


[Resolved] Backups visible on the web?

  • Using the default settings for local backup, the index of mysite.com/wp-content/backups seems to be visible on the web, and anyone could download my backups. I’ve changed the backup location to a non-web-accessible location.
    Shouldn’t there be a warning about this or a suggestion to change htaccess?

    http://wordpress.org/extend/plugins/backup/

Viewing 2 replies - 1 through 2 (of 2 total)
  • This is a serious issue. I recommend that everyone review the plugin configuration and change the Local folder path. Adding a longer random string at the end should do the trick.

    The plugin author has to initialize the path on initialization with a non-guessable value. Or even use a path which is not web-readable at all.

    The logfile exposes the existence of the vulnerability. Also consider censoring the exact path in the log output so users do not accidentally publish their site configuration.

  • Thanks for the input, guys. I am working on version 2.1 of the plugin and am addressing this issue.
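A check for the exposure discussed in this thread, as an added example that is not part of the original posts or the plugin's code: it reports whether a local backup folder sits under the web root and, if so, whether a deny rule or an index file protects it. The function names are hypothetical, and it assumes an Apache server that honours `.htaccess` files.

```python
import os
import re

DENY_RULES = ("deny from all", "require all denied")  # Apache 2.2 / 2.4 syntax
INDEX_FILES = ("index.html", "index.htm", "index.php")

def web_path(doc_root, backup_dir):
    """Return the URL path of backup_dir if it sits under doc_root, else None."""
    # Check the path as configured, then with symlinks resolved: a symlink
    # inside the web root is still served even if its target lives elsewhere.
    for norm in (os.path.abspath, os.path.realpath):
        root, target = norm(doc_root), norm(backup_dir)
        # commonpath compares whole components, so /srv/www-backups is not
        # mistaken for a child of /srv/www as a string prefix test would do.
        if os.path.commonpath([root, target]) == root:
            return "/" + os.path.relpath(target, root).replace(os.sep, "/")
    return None

def htaccess_directives(directory):
    """Return lower-cased, whitespace-normalised, comment-free .htaccess lines."""
    path = os.path.join(directory, ".htaccess")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        lines = (re.sub(r"\s+", " ", ln.strip()).lower() for ln in fh)
        return [ln for ln in lines if ln and not ln.startswith("#")]

def audit_backup_dir(doc_root, backup_dir):
    """Return a list of findings; an empty list means the folder is not under the web root."""
    url = web_path(doc_root, backup_dir)
    if url is None:
        return []
    findings = ["backup folder is inside the web root at " + url]
    # Only the folder's own .htaccess is read; rules inherited from parent
    # directories or the server configuration are not visible to this check.
    rules = htaccess_directives(backup_dir)
    if not any(rule in DENY_RULES for rule in rules):
        findings.append("no deny rule in .htaccess: archives can be fetched by URL")
        has_index = any(os.path.isfile(os.path.join(backup_dir, f)) for f in INDEX_FILES)
        if not has_index and "options -indexes" not in rules:
            findings.append("no index file or 'Options -Indexes': listing may show file names")
    return findings
```

A non-empty result is a prompt to move the folder outside the web root, which removes the exposure regardless of server configuration.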
