WordPress backups are the essential and reliable way to save your website data in case of its complete loss due to the hacking incident. There are dozens of WordPress plugins that will help you to make backups of your site files and database automatically. These plugins will do everything automatically, and you will not have to worry about your data. But in some cases, your efforts to protect website data could lead to sensitive data leakage and hacked site.
Unsafely stored WordPress backups
Recently we have tried some search queries on Google Advanced Search to look up for backup files generated by various WordPress backup plugins. We have succeeded, we have found a significant number of sites with backup data available to anyone due to free directory browsing. Quite simple Google dorks targeted to some specific file names, names of directories and text of data allowed us to find those indexed directories and WordPress backups in no time.
Later we have downloaded several database backups and analyzed the content by looking for sensitive information. Well, the results disappointed us way more than the fact that we managed to download these files without any restrictions. Despite standard data like user or client emails, we found the FTP credentials (host names, user names and passwords), Google drive app keys and more. And all this information was available in plain text on the backed up databases. How do you think of what a hacker can do with FTP access? Well, he can do everything he wants. FTP access makes it possible to upload to the server any file he wants, for example, shell or any other malware.
Usually, there is no need to put such information like FTP credentials or Google Drive keys to the database of the WordPress, but some of the backup plugins need them and store them in the same database which then they will backup for you. And storing such data to the database is not the problem, the main issue is how this data stored and protected from potential leakage. In this case, two factors cause sensitive data leakage. First one is an inadequate protection of files and directories on the server, open directory browsing poses a significant threat especially in cases like this. The second problem caused by WordPress backup plugin authors because their products do not provide any mechanism to protect the backup files from the unauthorized access.
Below you can see several screenshots that will make this case clear for you. We would suggest you double-check your website security measures just to make sure you’re not leaking any sensitive data. We have warned the owners of all sites that we were able to access and download confidential information in the form of WordPress database backups. So, at least several websites will be slightly safer after our short, simple yet important experiment.