Security vulnerability | Wordpress Support | Forum Archive

The free forums are no longer in use. They remain available as a read-only archive.

Security vulnerability
May 4, 2011
1:05 am
umstrategies
New Member
Members
Forum Posts: 2
Member Since:
May 3, 2011

I notice that XCloner creates the database backup under site/administrator/backups/database-sql.sql.

There is no .htaccess file created, and the filename is not unique, so anyone can simply point their browser to it and download all your WordPress contents.

May 4, 2011
6:55 am
Ovidiu Liuta
Admin
Forum Posts: 2484
Member Since:
September 26, 2010

The created file is always deleted when the backup is finished, but yes, for security reasons, the administrator/backups directory should always be protected!

Ovidiu

May 4, 2011
3:41 pm
spadilla
Member
Members
Forum Posts: 12
Member Since:
September 30, 2010

Could you please explain how best to protect that directory? Thanks 🙂

May 4, 2011
5:43 pm
Ovidiu Liuta
Admin
Forum Posts: 2484
Member Since:
September 26, 2010

The best way would be to protect it through htaccess; use an online htpasswd generator to generate the code.

Ovidiu

June 1, 2012
7:36 pm
Tom2
Member
Members
Forum Posts: 12
Member Since:
April 30, 2011

I would suggest that XCloner either creates a bogus htaccess file itself or that backup filenames are suffixed by some random letters/numbers.
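
The two mitigations suggested in the last post, as an added example (not XCloner's code and not part of the thread): write an .htaccess into the backup directory before any dump is created, and give each dump an unpredictable name. The function names and the deny-all rule set are assumptions; the rules only take effect on Apache when AllowOverride permits .htaccess.

```python
import os
import secrets
import tempfile

# Deny all HTTP access; covers Apache 2.4 (mod_authz_core) and 2.2 syntax.
# Assumption: the server honours .htaccess (AllowOverride not set to None).
HTACCESS_DENY = """\
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
</IfModule>
"""


def protect_backup_dir(backup_dir):
    """Write a deny-all .htaccess unless one exists; True if a file was written."""
    os.makedirs(backup_dir, mode=0o750, exist_ok=True)
    path = os.path.join(backup_dir, ".htaccess")
    try:
        # O_EXCL keeps an existing file (e.g. the admin's htpasswd rules) intact.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    except FileExistsError:
        return False
    with os.fdopen(fd, "w") as fh:
        fh.write(HTACCESS_DENY)
    return True


def random_dump_name(prefix="database-sql", ext=".sql"):
    """Return prefix-<32 hex chars>.sql, i.e. 128 bits from the OS CSPRNG."""
    return f"{prefix}-{secrets.token_hex(16)}{ext}"


def create_dump_file(backup_dir):
    """Protect the directory first, then open a new owner-only dump file."""
    protect_backup_dir(backup_dir)
    path = os.path.join(backup_dir, random_dump_name())
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    return path, os.fdopen(fd, "w")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed sandbox path
        dump_path, fh = create_dump_file(os.path.join(root, "administrator", "backups"))
        fh.close()
        print(dump_path)
```

The random suffix only helps while directory listings are off, so the .htaccess remains the primary control.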
