Support » Plugin: BackUpWordPress » Heads Up

  • AITpro (topic marked Resolved)


    I was able to beat this relatively quickly and compromise a test site.

    // The plugin's key derivation as quoted: ABSPATH is the site's filesystem root,
    // time() the Unix timestamp at the moment the key was generated.
    define( 'HMBKP_SECURE_KEY', md5( ABSPATH . time() ) );

    I was not able to compromise the test site by changing this code.

    // Fragment of the plugin's .htaccess writer as modified here: the rewrite block
    // that let a request carrying ?key=HMBKP_SECURE_KEY through is commented out,
    // so the backups directory is denied to every client without exception.
    $contents[] = '# ' . sprintf( __( 'This %s file ensures that other people cannot download your backup files.', 'hmbkp' ), '.htaccess' );
    $contents[] = '';
    //$contents[] = '<IfModule mod_rewrite.c>';
    //$contents[] = 'RewriteEngine On';
    //$contents[] = 'RewriteCond %{QUERY_STRING} !key=' . HMBKP_SECURE_KEY;
    //$contents[] = 'RewriteRule (.*) - [F]';
    //$contents[] = '</IfModule>';
    $contents[] = 'order deny,allow';
    $contents[] = 'deny from all';
    $contents[] = '';

  • Plugin Author Tom Willmot


    Hey there,

    Thanks for flagging this. Could you email me at so we can carry this conversation on in private?

    Kind Regards,

    Tom Willmot

    Plugin Author Tom Willmot


    Just to followup here, I’ve been working with AITpro off-list.

    Ultimately it led to an improvement in how the HMBKP_SECURE_KEY is generated, which would make his approach impossible.

    I’ll release this in the next release; it’s a minor security hardening issue.

    “Improvement” is an understatement – your solution is absolutely brilliant!
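As an added illustration (not code from this thread or from the BackUpWordPress plugin), the Python script below reproduces the key formula quoted in the first post, md5( ABSPATH . time() ), and shows why a key built that way can be enumerated: the filesystem root of a WordPress install is drawn from a small set of conventional hosting paths, and the timestamp lies within whatever window the attacker can bound for the plugin's activation, so the key space is (number of plausible paths) x (seconds in the window) rather than 2^128. The path list, the install timestamp and the window are constructed values for the demonstration. The strong_key() function is an assumed hardened form using the OS CSPRNG; it is not the improved generation Tom describes in his follow-up, which this page does not show.

```python
import hashlib
import secrets

# Constructed guesses for the demonstration: conventional document roots
# that a WordPress install is likely to live under on shared hosting.
GUESSED_ABSPATHS = [
    "/var/www/html/",
    "/home/example/public_html/",
    "/srv/www/example.com/public_html/",
]


def weak_key(abspath: str, unix_time: int) -> str:
    """Mirror of md5( ABSPATH . time() ): PHP concatenates the integer
    timestamp as its decimal string, so the hashed bytes are path + digits."""
    return hashlib.md5(f"{abspath}{unix_time}".encode()).hexdigest()


def keyspace_size(abspaths, t_start: int, t_end: int) -> int:
    """Number of distinct keys the formula can yield for these guesses."""
    return len(abspaths) * (t_end - t_start + 1)


def enumerate_weak_keys(abspaths, t_start: int, t_end: int):
    """Yield (abspath, timestamp, key) for every candidate in the window."""
    for path in abspaths:
        for t in range(t_start, t_end + 1):
            yield path, t, weak_key(path, t)


def recover_key(target_key: str, abspaths, t_start: int, t_end: int):
    """Return the (abspath, timestamp) pair that reproduces target_key, or
    None if the guesses do not cover it. Here the candidate is compared
    against the known key value; against a live site each candidate would
    instead be tried as the ?key= parameter the original .htaccess honoured."""
    for path, t, key in enumerate_weak_keys(abspaths, t_start, t_end):
        if key == target_key:
            return path, t
    return None


def strong_key() -> str:
    """Assumed hardened form, not the plugin's actual fix: 128 bits from the
    OS CSPRNG, with no dependence on values an attacker can guess."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    # Constructed scenario: the key was generated at install_time, and the
    # attacker only knows the activation happened within a day either side.
    install_time = 1_300_000_000
    target = weak_key("/home/example/public_html/", install_time)
    window = (install_time - 86_400, install_time + 86_400)
    print("candidate keys to try:", keyspace_size(GUESSED_ABSPATHS, *window))
    print("recovered (path, time):", recover_key(target, GUESSED_ABSPATHS, *window))
    print("CSPRNG key for comparison:", strong_key())
```

The point of the search is the size of `keyspace_size`: a few hundred thousand MD5 computations for a two-day window across three paths, which is seconds of work, against 2^128 for a key drawn from the CSPRNG. Narrowing the window further (a backup file's own timestamp, a post announcing the site launch) shrinks it again, which is why replacing the inputs, not the hash function, is the fix.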
