Sensitive Data

WordPress backups pose significant security threats if stored insecurely

WordPress backups are an essential and reliable way to preserve your website data in case it is completely lost after a hacking incident. There are dozens of WordPress plugins that will back up your site files and database automatically, so you would not normally have to worry about your data. But in some cases, your efforts to protect website data can lead to sensitive data leakage and a hacked site.

Unsafely stored WordPress backups

Recently we tried some search queries on Google Advanced Search to look for backup files generated by various WordPress backup plugins. We succeeded: we found a significant number of sites with backup data available to anyone due to open directory browsing. Quite simple Google dorks targeting specific file names, directory names and text in the data allowed us to find those indexed directories and WordPress backups in no time.

Later we downloaded several database backups and analysed their content, looking for sensitive information. The results disappointed us even more than the fact that we could download these files without any restrictions. Besides standard data like user or client emails, we found FTP credentials (hostnames, usernames and passwords), Google Drive app keys and more. All of this information was stored in plain text in the backed-up databases. What can a hacker do with FTP access? Anything they want: FTP access makes it possible to upload any file to the server, for example a web shell or other malware.

Usually, there is no need to put information like FTP credentials or Google Drive keys into the WordPress database, but some backup plugins need them and store them in the same database that they then back up for you. Storing such data in the database is not the problem in itself; the main issue is how this data is stored and protected from potential leakage. In this case, two factors cause the leak. The first is inadequate protection of files and directories on the server: open directory browsing poses a significant threat, especially in cases like this. The second is caused by the WordPress backup plugin authors, because their products do not provide any mechanism to protect the backup files from unauthorised access.
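A site owner can check what a backup would expose before storing it anywhere. The Python script below is an added example, not code from this post or from any backup plugin: it parses `wp_options` rows from a mysqldump-style SQL dump and flags options whose name, or whose PHP-serialized value, looks like a plaintext credential. The option names and values in the sample are constructed, and the keyword lists are an assumption to extend for the plugins you actually use.

```python
import re
from typing import List, Tuple

# Constructed sample dump (wp_options rows as mysqldump writes them:
# option_id, option_name, option_value, autoload). All values are fake.
SAMPLE_DUMP = r"""
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.test','yes');
INSERT INTO `wp_options` VALUES (2,'blogname','Demo site','yes');
INSERT INTO `wp_options` VALUES (90,'backup_ftp_settings','a:3:{s:4:\"host\";s:16:\"ftp.example.test\";s:4:\"user\";s:5:\"admin\";s:4:\"pass\";s:9:\"Sup3rS3cr\";}','no');
INSERT INTO `wp_options` VALUES (91,'gdrive_client_secret','constructed-secret-value','no');
"""

# One VALUES tuple: (id,'name','value','autoload'); strings may contain \-escapes.
ROW = re.compile(r"\((\d+),'((?:[^'\\]|\\.)*)','((?:[^'\\]|\\.)*)','(yes|no)'\)")
# Option names that usually hold a credential (hypothetical list; extend for your plugins).
SENSITIVE_NAME = re.compile(r"pass(word)?|secret|token|api_?key|credential", re.I)
# A credential-like key inside a PHP-serialized value, followed by a string of length <len>.
SENSITIVE_SERIALIZED = re.compile(
    r's:\d+:\\?"(pass(word)?|secret|token|api_?key)\\?";s:(?P<len>\d+):\\?"', re.I)


def audit_wp_options_dump(dump_text: str) -> List[Tuple[str, str]]:
    """Return (option_name, reason) for rows that would leak a plaintext secret."""
    findings = []
    for row in ROW.finditer(dump_text):
        name, value = row.group(2), row.group(3)
        if SENSITIVE_NAME.search(name):
            findings.append((name, "option name suggests a credential"))
            continue
        hit = SENSITIVE_SERIALIZED.search(value)
        # An empty password field (s:0:"") is not a leak, so require a non-empty value.
        if hit and int(hit.group("len")) > 0:
            findings.append((name, "serialized value holds a non-empty credential-like key"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_wp_options_dump(SAMPLE_DUMP):
        print(f"{name}: {reason}")
```

Any row it reports is a value that would be readable by anyone who downloads the dump, so either move it out of the database or encrypt the backup before it leaves the server.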

Below you can see several screenshots that make this case clear. We would suggest you double-check your website security measures to make sure you are not leaking any sensitive data. We have warned the owners of all sites from which we were able to access and download confidential information in the form of WordPress database backups. So, at least several websites will be slightly safer after our short, simple yet meaningful experiment.

Google dork to find vulnerable websites

WordPress backups accessible by anyone

Updraftplus backup file of WordPress database with FTP credentials

Successfully connected to the FTP with credentials found in database backup file

Darius S.
