Title: Securing backup folder
Last modified: August 21, 2016

---

# Securing backup folder

 *  [dinoframe](https://wordpress.org/support/users/dinoframe/)
 * (@dinoframe)
 * [12 years, 1 month ago](https://wordpress.org/support/topic/securing-backup-folder/)
 * I found that the folder with backup files is actually publicly accessible from
   the Internet. You just need to know a URL to access it.
    WP is installed on Windows
   platform. Why is it not protected by default and there is no warning about it?
   What is the recommended way to protect the folder? There is .htaccess file in
   the folder, but it does not work in IIS
 * [https://wordpress.org/plugins/backupwordpress/](https://wordpress.org/plugins/backupwordpress/)

Viewing 2 replies - 1 through 2 (of 2 total)

 *  Plugin Author [Tom Willmot](https://wordpress.org/support/users/willmot/)
 * (@willmot)
 * [12 years, 1 month ago](https://wordpress.org/support/topic/securing-backup-folder/#post-4811016)
 * Hey Dino,
 * The plugin does a couple of things to avoid people being able to view your backups.
 * 1. The folder name contains a random string of letters and numbers, so it should
   be unguessable.
    2. There is a blank `index.html` which should ensure that even
   if directory listing is turned on anyone viewing who manages to view the backups
   directory would just load the blank index.html file 3. On Apache the directory
   is protected by a `.htaccess` which checks for a nonce to ensure that the request
   to download a backup came from the wp-admin.
 * The fact that you can’t predict the location of the backups directory means that
   it’s highly unlikely someone would be able to access your backups, I consider
   that alone enough security.
 * I’d definitely accept a [Pull Request](https://github.com/humanmade/backupwordpress/)
   to add the same `.htaccess` protection to IIS though.
 *  Thread Starter [dinoframe](https://wordpress.org/support/users/dinoframe/)
 * (@dinoframe)
 * [12 years, 1 month ago](https://wordpress.org/support/topic/securing-backup-folder/#post-4811019)
 * Thanks, Tom.
    Random folder name can be cracked by a brute-force attack. It should
   not take a lot of attempts.

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘Securing backup folder’ is closed to new replies.

 * ![](https://ps.w.org/backupwordpress/assets/icon-256x256.jpg?rev=1105225)
 * [BackUpWordPress](https://wordpress.org/plugins/backupwordpress/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/backupwordpress/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/backupwordpress/)
 * [Active Topics](https://wordpress.org/support/plugin/backupwordpress/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/backupwordpress/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/backupwordpress/reviews/)

 * 2 replies
 * 2 participants
 * Last reply from: [dinoframe](https://wordpress.org/support/users/dinoframe/)
 * Last activity: [12 years, 1 month ago](https://wordpress.org/support/topic/securing-backup-folder/#post-4811019)
 * Status: not resolved