Support » Plugin: WP Database Backup » Insecure, do not use until author updates

  • Backup files created with this plugin are stored in plain text with no read protections. If anyone knew you were using this plugin, they could guess the URL of your backups easily and download your entire database, giving them your password hashes, users, everything. DO NOT USE THIS PLUGIN until a patch is issued.

    The author should, at the very least, include a .htaccess file in the backup directory that prevents public HTTP access (this would only help apache hosts, but it’s better than nothing). A better way to secure the files would be to store them in PHP files that require a nonce to access, or include a random string in the file name. The current plugin uses the epoch time as a pseudo-random number included in the file name, which is totally acceptable, especially for a plugin that can schedule backups.

    Aside from the security issues, I like your plugin. If you would like help securing it, I’d be happy to offer advice or contribute code.

Viewing 1 replies (of 1 total)
  • Plugin Author Prashant Walke

    (@walkeprashant)

    Hi DJ Madeira,

    Thanks for your advice and support.

    Your idea and support are always welcome.
    If you have an idea to improve a plugin feature or security, then let me know. I will try to implement it in the next feature version.

    Currently I have added a blank index file to prevent directory listing,
    and also added random_number+current_timestamp to the file name to improve security.
    (It is very difficult to guess the file name.)

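The two posts above together describe three controls for a backup directory: block direct HTTP access, stop directory listing, and make file names unguessable (plus, in the original report, serving files through a nonce-gated PHP handler). The following is an added example written for this thread, not code from the WP Database Backup plugin or its author. It assumes WordPress is loaded (so `wp_upload_dir`, `wp_mkdir_p`, `wp_verify_nonce`, `current_user_can`, `wp_nonce_url` and the `admin_post_*` hook exist), PHP 7 or newer for `random_bytes`, and an Apache host for the `.htaccess` rules; the function names, the `db-backups` directory and the `download_db_backup` action are hypothetical.

```php
<?php
// Added example: hardening a WordPress database-backup directory.
// Not the plugin's own code; function and action names are hypothetical.

// Create the backup directory (under wp-content/uploads) and drop two guard
// files into it. Assumes WordPress core is loaded.
function hardened_backup_dir() {
    $upload = wp_upload_dir();
    $dir    = trailingslashit( $upload['basedir'] ) . 'db-backups';
    if ( ! is_dir( $dir ) ) {
        wp_mkdir_p( $dir );
    }

    // 1. Deny direct HTTP access on Apache (covers both 2.2 and 2.4 syntax).
    //    Nginx/IIS hosts need an equivalent rule in the server config.
    $htaccess = $dir . '/.htaccess';
    if ( ! file_exists( $htaccess ) ) {
        $rules  = "<IfModule mod_authz_core.c>\nRequire all denied\n</IfModule>\n";
        $rules .= "<IfModule !mod_authz_core.c>\nOrder deny,allow\nDeny from all\n</IfModule>\n";
        file_put_contents( $htaccess, $rules );
    }

    // 2. Blank index file stops directory listing where .htaccess is ignored.
    $index = $dir . '/index.php';
    if ( ! file_exists( $index ) ) {
        file_put_contents( $index, "<?php // Silence is golden.\n" );
    }
    return $dir;
}

// 3. Unguessable file name: a timestamp alone is predictable (cron runs at a
//    known time), so append 128 bits from a CSPRNG rather than time()/mt_rand().
function hardened_backup_filename( $prefix = 'db-backup' ) {
    $token = bin2hex( random_bytes( 16 ) ); // PHP 7+, cryptographically secure
    return sprintf( '%s-%s-%s.sql', $prefix, gmdate( 'Ymd-His' ), $token );
}

// 4. Serve downloads only through PHP: require an administrator capability and
//    a valid nonce, and confine the requested path to the backup directory.
function hardened_backup_download() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'download_db_backup' ) ) {
        wp_die( 'Invalid nonce', 403 );
    }

    $name = isset( $_GET['file'] ) ? basename( sanitize_file_name( wp_unslash( $_GET['file'] ) ) ) : '';
    $base = realpath( hardened_backup_dir() );
    $path = realpath( $base . '/' . $name );

    // basename() strips directory components; the realpath() prefix check
    // rejects anything that still resolves outside the backup directory.
    if ( '' === $name
        || ! preg_match( '/\.sql$/', $name )
        || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Not found', 404 );
    }

    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . $name . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}
// admin_post_{action} only fires for logged-in users; guests get the login page.
add_action( 'admin_post_download_db_backup', 'hardened_backup_download' );

// Build the download link shown on the plugin's settings page. wp_nonce_url()
// appends a _wpnonce tied to the 'download_db_backup' action and the current user.
function hardened_backup_download_url( $name ) {
    $url = admin_url( 'admin-post.php?action=download_db_backup&file=' . rawurlencode( $name ) );
    return wp_nonce_url( $url, 'download_db_backup' );
}
```

The defence in depth matters because each layer fails on some hosts: `.htaccess` is ignored by Nginx, the blank index only hides listings rather than the files, and a random token in the name protects nothing if the name is later echoed on a public page. Routing every download through the capability-plus-nonce handler is the control that holds regardless of web server.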
  • The topic ‘Insecure, do not use until author updates’ is closed to new replies.