Backups folder without security measures

Hi Samuel,
The plugin will create a .htaccess file inside the “aiowps_backups” directory. It appears that this operation has for some reason failed on your site.
I suggest for now that you manually create a .htaccess with the following contents and FTP it to the “aiowps_backups” directory:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} !(wp-admin/admin.php) [NC]
RewriteRule .* https://127.0.0.1 [L]
</IfModule>

The above will block all attempts at getting access to the files unless you are clicking on the backup file link in the admin panel.

Also in the meantime I have added a log statement in our code (which will be in the release) to alert us if/when the creation of the .htaccess fails.

Well, I can’t see any reason for the .htacces failed to create on the host (directory and backup files were created without problems).

But I’ll test on other sites and report back.

By the way, adding the possibility to set the backup path in the settings would be very appreciated.

Tested on another site and the same result. No .htacess was created in the backups directory.

First site is hosted on a shared hosting provider, so I don’t know very much about the server configuration. But the second one is hosted on a dedicated server that I manage and I’m sure there’s no problem with the server configuration.

No errors were found in the Apache logs.

Honestly I think you should check the code responsible for the .htaccess file. And take additional security measures like moving the folder to a protected dir like wp-content/ (no uploads!) and adding some random part to the backups folder name.

The actual behaviour can be a serious security flag.

I just performed another clean installation on a new site and the plugin correctly creates the .htaccess file automatically inside the backups directory.

I wonder if your server is for some reason not allowing the “file_put_contents” php function to execute correctly?

Can you please check the “error_log” files on your server by going to the following menu item of this plugin:
Filesystem Security then click the Host System Logs tab.

Then check if there are any logs related to the “file_put_contents” command.

Hi!

No errors related to “file_put_contents” or any other issue about creating files.

I don’t think that can be the problem, because the backup file and the backups folder are created without any problem. The only missing file is the .htaccess

It seems that the plugin simply never tries to create it… ??

Also file permissions tab are all green.

Let me know if I can do any other test for you.

We have made some changes in our new version that should fix this file creation issue hopefully. We should have a commit today or tomorrow.

Regarding the uploads folder question… why do you think that it is a security concern when we have a .htaccess file in that folder to prevent anyone from viewing anything inside the folder. The folder is not browse-able either (even without the .htaccess file). Also, the name of the file has a unique random prefix so no one can guess that either.

If the contents of the backup directory do not need to be accessed from HTTP, all you need is this in that corresponding .htaccess file:

deny from all

A referrer can easily be spoofed.

Ok thanks, I’ll test when you released it and report back.

Well, as you can see (at least at present) the .htaccess is not always created.

If you add to this that a lot of shared hostings has “indexes” enabled (really, a lot), and you put the folder in wp-content/uploads/ that has not any “index.php” file protecting from directory listing, and finally you used a fixed name for the backup folder.

So someone can simply create a script to run over WP sites with the path to backup (because they know the full path because of the fixed name) and find installations with indexes enabled and then grab all the files on it.

Maybe the best choice would be to add a new option to plugin settings allowing user to put the full path where they want to create the backup folder. (This adds the option to the user to choose even a path outsite of the public access).

Or if you don’t want that, at least adds some random part to the folder name and put it on wp-content (no uploads) that it’s protected from directory listing with an index.php file by WP core files.

Okies… we will move it to the wp-content folder.

Thank you very much! ??

The new version should take care of this.

I can confirm new version is working fine and creates all files, including .htaccess and blank index.html ??

Thank you!