Support » Plugin: UpdraftPlus WordPress Backup Plugin » Security Concerns

  • Resolved mywebmaestro

    (@mywebmaestro)


    I have the plugin installed on several websites, and I just noticed that while deleting old backups from the settings interface, the section labeled “Last log message:” was showing messages referencing backups from other websites that should not be visible from here. I have my backups stored in a common Dropbox account that I use for the purpose, but one website shouldn’t be able to see or manipulate backups from another, I would think.


Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author David Anderson

    (@davidanderson)

    Hi,

    Dropbox’s security model doesn’t even make it possible for one connected website not to be able to see the data from another website, unfortunately. More info: https://updraftplus.com/faqs/unlink-updraftplus-dropbox/. If this is a concern for you, then you should switch to using a remote storage provider that makes that possible, e.g. UpdraftVault, Amazon S3.

    David

    mywebmaestro

    (@mywebmaestro)

    So the premium version would have the same issue? All sites would be accessible from any site?

    mywebmaestro

    (@mywebmaestro)

    I have my sites set to retain 2 backups, and to perform backups fortnightly. Now, I notice when I click “rescan remote storage” there’s a lot more than the 2 that show up. Though it started with 2 when I first went to the settings. One site now shows 87, going back almost daily for a while. However, there’s nothing to indicate whether these are for this site, or if it’s mixing in backups from other sites, and I’m not sure what to do here.

    Plugin Author David Anderson

    (@davidanderson)

    > So the premium version would have the same issue?

    Any version of anything you obtain anywhere that uses Dropbox is subject to Dropbox’s security model’s limitations, and this specifically means that if you have multiple installs of the app on different devices (in the case of UD, that means different websites), then each of those installs has full access to all data from all the installs. So, yes, the Premium version is subject to that too.

    The specific purpose of the “rescan remote storage” button is to import all backups in the same directory in remote storage. The Premium version would help you there; it allows use of sub-directories within Dropbox. You aren’t in any danger of accidentally restoring the wrong backup, as when you begin the restore stages it’ll show you the URL of the backup and also a warning in bold if it doesn’t match the current site.
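
Added example (not part of the thread, and not UpdraftPlus's or AWS's own policy): one way the per-site isolation that the replies say Amazon S3 makes possible can be expressed, as an IAM policy attached to a dedicated access key for a single site. The bucket name `example-backup-bucket` and the prefix `site-a` are placeholders, and the action list is an assumed minimum for listing, uploading, downloading and deleting backups; the plugin may need further actions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyThisSitesPrefix",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-backup-bucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["site-a", "site-a/*"]
        }
      }
    },
    {
      "Sid": "ReadWriteDeleteOnlyThisSitesObjects",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::example-backup-bucket/site-a/*"
    }
  ]
}
```

Each site gets its own IAM user and key with its own prefix substituted, so a compromised site can list, read or delete only the backups under its own prefix rather than every site's backups.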
