iThemes Security (formerly Better WP Security)
[BUG] Backup tool directory exploration and media dir size (4 posts)

  1. gabbuz
    Member
    Posted 11 months ago #

    Hello,
    I think I have found two bugs in the backup tool included in iThemes Security.

    The first is the directory exploration: some webservers have directory exploration active by default (it means that if you visit a directory without an index page, it lists the folders and files inside it).
    So, if someone explores your website down to the ./wp-content/uploads/ithemes-security/backups directory, they could freely access the full blog database backup. Am I right?

    The second bug comes with the WordPress network installation.
    As you know, you should set a quota for every blog in the network: in this particular case the size of the backups is counted in the main blog's media quota.

    Let me know.

    Thanks,
    Gabriele

    https://wordpress.org/plugins/better-wp-security/

  2. iThemes Support
    Member
    Posted 11 months ago #

    The first is not a bug at all. As we cannot reliably detect a location on every server we store the backups, by default, in a subdirectory of the uploads folder with a .htaccess file set to protect them as much as possible. We recommend, however, moving the backup folder outside of your website root which can be done through the settings.

    The second I will investigate further.

  3. gabbuz
    Member
    Posted 11 months ago #

    For the first, I can't find the .htaccess you're talking about.
    Is the .htaccess created automatically by the plugin?

    Is the second bug maybe related to the upload folder? Maybe the media space for the main blog is counted in the upload root folder?

  4. RogerLeClerc
    Member
    Posted 11 months ago #

    Hello,

    To add to the possible bugs, I think I've found two further ones (as I've posted here: Backup emails as well as saves locally).

    I can't seem to change the backup folder (my preferred folder is not in the web root and yes, it's writeable by the website account) and every time I make a backup, it'll email it as well as saving it locally.
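
The first issue in this thread comes down to three things an administrator can check on their own server: whether the backup directory sits inside the web root, whether it contains a .htaccess with a deny rule, and whether it has an index file. The following is an added example, not part of the thread and not the plugin's code; the function name, finding labels and the temporary directory layout are constructed for illustration, and the deny patterns are the standard Apache 2.2/2.4 directives rather than whatever the plugin itself writes.

```python
import os
import re
import tempfile

# Standard Apache access-control directives (2.2 and 2.4 syntax); commented lines do not match.
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)
INDEX_NAMES = ("index.php", "index.html", "index.htm")

def audit_backup_dir(backup_dir, web_root):
    """Return a list of findings for a backup directory (empty list = no findings)."""
    backup_dir = os.path.realpath(backup_dir)
    web_root = os.path.realpath(web_root)
    # Outside the web root: not reachable by URL, nothing more to check.
    if os.path.commonpath([backup_dir, web_root]) != web_root:
        return []
    findings = ["inside-web-root"]
    htaccess = os.path.join(backup_dir, ".htaccess")
    if not os.path.isfile(htaccess):
        findings.append("no-htaccess")
    else:
        with open(htaccess, encoding="utf-8", errors="replace") as fh:
            if not DENY_RE.search(fh.read()):
                findings.append("htaccess-without-deny")
    # Without an index file, a server with directory listing enabled shows the contents.
    if not any(os.path.isfile(os.path.join(backup_dir, n)) for n in INDEX_NAMES):
        findings.append("no-index-file")
    return findings

def demo():
    """Build three constructed layouts in a temp dir and audit each."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "public_html")  # constructed web root
        rel = os.path.join("wp-content", "uploads", "ithemes-security", "backups")
        exposed = os.path.join(root, rel)
        os.makedirs(exposed)
        results = {"exposed": audit_backup_dir(exposed, root)}
        with open(os.path.join(exposed, ".htaccess"), "w") as fh:
            fh.write("Deny from all\n")
        open(os.path.join(exposed, "index.php"), "w").close()
        results["protected"] = audit_backup_dir(exposed, root)
        outside = os.path.join(tmp, "private", "backups")
        os.makedirs(outside)
        results["outside"] = audit_backup_dir(outside, root)
        return results

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

A .htaccess file only takes effect on Apache when overrides are allowed for that directory; other web servers ignore it, so a directory that still reports "inside-web-root" depends on server configuration this check cannot see.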
