[resolved] New version 2.0.1 removes .htaccess file! (5 posts)

  1. sabrx
    Posted 3 years ago #


    I have just updated BackUpWordPress to the latest version, and it removes the .htaccess file from the directory where backups are stored, so all backups are accessible by anyone who knows the file name! Could you please fix this problem in the next release?

    Kind regards


  2. Tom Willmot
    Human Made
    Plugin Author

    Posted 3 years ago #

    I've removed the reliance on using a .htaccess file for security as it didn't work in all cases (e.g. non-Apache servers).

    Instead the backups directory is protected from directory browsing by an index.php file and the backup filenames contain a long string of random characters making them very difficult / impossible to guess.

    BackUpWordPress is still secure.

  3. sabrx
    Posted 3 years ago #

    Dear Tom,

    thanks for your reply. I must disagree with you, because:

    - over 80% of WordPress installations are powered by Apache, hence the presence of the .htaccess file is meaningful
    - file names of backups do not contain any random characters, but time data. In case I back up every day, an attacker can easily guess the file name by running an automated tool that will check all 86400 (24*60*60) combinations, which is not that many. Don't you agree?

    Kind regards
    Erich Szabo

  4. Tom Willmot
    Human Made
    Plugin Author

    Posted 3 years ago #

    Both good points,

    I'll likely bring back the .htaccess in the next version as that will increase security for all Apache installs.

    Thanks for your points.

  5. sabrx
    Posted 3 years ago #


Topic Closed

This topic has been closed to new replies.
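
The two protections discussed in this thread (a deny-all .htaccess and backup names that carry real randomness rather than only time data) can be checked from the server side. The following is an added example, not code from the plugin or from either poster; the file-name layout, the 96-bit threshold and the function names are assumptions made for illustration.

```python
import re
import secrets
import tempfile
from datetime import datetime
from pathlib import Path

# Apache 2.2 ("Deny from all") and 2.4 ("Require all denied") deny-all directives.
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)
# Heuristic (assumption): a run of >= 24 hex characters (96 bits) counts as a random token.
TOKEN_RE = re.compile(r"[0-9a-f]{24,}", re.I)
ARCHIVE_SUFFIXES = (".zip", ".sql", ".tar", ".gz")


def new_backup_name(site: str, when: datetime) -> str:
    """Keep the readable timestamp, but append 128 bits from the OS CSPRNG."""
    return f"{site}-{when:%Y-%m-%d-%H-%M-%S}-{secrets.token_hex(16)}.zip"


def audit_backup_dir(path: Path) -> list[str]:
    """Return findings for a backup directory that sits under the web root."""
    findings = []
    htaccess = path / ".htaccess"
    if not htaccess.is_file():
        findings.append("missing .htaccess")
    elif not DENY_RE.search(htaccess.read_text(errors="replace")):
        findings.append(".htaccess has no deny-all rule")
    if not any((path / n).is_file() for n in ("index.php", "index.html")):
        findings.append("no index file: directory listing may be possible")
    for f in sorted(path.iterdir()):
        # A name whose only variable part is date/time digits has a tiny search space.
        if f.name.lower().endswith(ARCHIVE_SUFFIXES) and not TOKEN_RE.search(f.name):
            findings.append(f"guessable name: {f.name}")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Audit two constructed directories: time-only names vs. hardened layout."""
    when = datetime(2012, 1, 2, 3, 4, 5)  # constructed timestamp
    with tempfile.TemporaryDirectory() as tmp:
        weak, hard = Path(tmp, "weak"), Path(tmp, "hard")
        for d in (weak, hard):
            d.mkdir()
            (d / "index.php").write_text("<?php // silence")
        (weak / "example-2012-01-02-03-04-05.zip").write_bytes(b"")  # time data only
        (hard / ".htaccess").write_text("Require all denied\n")
        (hard / new_backup_name("example", when)).write_bytes(b"")
        return audit_backup_dir(weak), audit_backup_dir(hard)


if __name__ == "__main__":
    for label, result in zip(("weak", "hard"), demo()):
        print(label, result or "no findings")
```

On servers that do not read .htaccess, the first finding still applies in spirit: the equivalent deny rule has to live in that server's own configuration, which this check does not inspect.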
