Support » Plugin: WordPress Backup to Dropbox » Security Implications when using wpb2d

  • object81 (topic marked Resolved)

    (@object81)


    After using this plugin for a while I today discovered that it makes a SQL dump and places this in wp-content/backups/wordpress_SITENAME-backup-core.sql.

    This SQL dump can be downloaded by anyone. I’m actually not sure if the server or the plugin somehow is misconfigured or this is a default behaviour of wpb2d.

    I disabled the plugin until I know what happens here.

    http://wordpress.org/extend/plugins/wordpress-backup-to-dropbox/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Michael De Wildt

    (@michaeldewildt)

    Gday,

    The SQL is removed when the backup completes, so there is only a small window to guess your site name and grab the file.

    If you have .htaccess enabled on your server then you can add one to the backups directory containing ‘deny from all’.

    This will make it impossible for users to download the SQL dump. The plugin used to write this file but I had to remove the feature because it was causing other issues.

    Hmm, security by obscurity is probably the best option here and I will make some changes for the next release.

    Cheers,
    Mikey

    Thank you!

    Will look into the htaccess change and look forward to your next release. Nice work!

    Plugin Author Michael De Wildt

    (@michaeldewildt)

    Version 1.5 now appends a SHA1 secret to these files making it impossible to guess.

    Cheers,
    Mikey

    This is not resolved because it is written to the log file, which is very easy to read:
    Uploading large file 'blog-backup-core.sql.SHA1-wpb2d-secret' (xMB) in chunks
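A local, offline check for the two points raised in this thread: a dump sitting in the web-served wp-content/backups directory with no .htaccess denying access, and the secret-bearing file name being disclosed in the plugin log. This is an added example, not the plugin's own code; the log file location, the demo file names and the accepted deny-directive spellings (it checks both the Apache 2.2 and Apache 2.4 forms, which goes beyond the thread's single 'deny from all') are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Apache 2.2 ("Deny from all") and Apache 2.4 ("Require all denied") spellings.
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)
# Dump names of the form <site>-backup-core.sql, optionally with the 1.5 secret suffix.
DUMP_RE = re.compile(r"[\w.-]+-backup-core\.sql(?:\.[\w-]+)?")


def audit_wpb2d(wp_root, log_path=None):
    """Audit <wp_root>/wp-content/backups plus an optional plugin log file.

    Reports which dumps sit in the web-served directory, whether an .htaccess
    there blocks direct HTTP access, and which dump names (secret suffix
    included) the log discloses. The log location is an assumption: the thread
    does not say where wpb2d writes it.
    """
    backups = Path(wp_root) / "wp-content" / "backups"
    report = {"dumps": [], "htaccess_denies": False, "leaked_names": []}
    if backups.is_dir():
        report["dumps"] = sorted(p.name for p in backups.iterdir() if ".sql" in p.name)
        htaccess = backups / ".htaccess"
        if htaccess.is_file():
            report["htaccess_denies"] = bool(DENY_RE.search(htaccess.read_text()))
    if log_path and Path(log_path).is_file():
        for line in Path(log_path).read_text().splitlines():
            report["leaked_names"] += DUMP_RE.findall(line)
    # A dump is reachable over HTTP when it exists and nothing denies access.
    report["exposed"] = bool(report["dumps"]) and not report["htaccess_denies"]
    return report


def demo(protect):
    """Build a throwaway site tree mirroring the thread and audit it (constructed data)."""
    with tempfile.TemporaryDirectory() as root:
        backups = Path(root) / "wp-content" / "backups"
        backups.mkdir(parents=True)
        # Constructed name; 'SECRET' stands in for the SHA1 suffix added in 1.5.
        dump = "blog-backup-core.sql.SECRET-wpb2d-secret"
        (backups / dump).write_text("-- constructed SQL dump --\n")
        if protect:
            (backups / ".htaccess").write_text("Require all denied\n")
        log = Path(root) / "wpb2d.log"  # assumed location of the plugin log
        log.write_text(f"Uploading large file '{dump}' (5MB) in chunks\n")
        return audit_wpb2d(root, log)


if __name__ == "__main__":
    print(demo(protect=False))  # exposed, and the secret name is in the log
    print(demo(protect=True))   # .htaccess blocks HTTP, but the log still leaks
```

Even with the deny rule in place, the report still lists the leaked name, which is the residual problem the last reply points out: the file-name secret only helps while nothing readable records it.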

  • The topic ‘Security Implications when using wpb2d’ is closed to new replies.