Sensitive Data

WordPress backups pose a significant security risk if they are stored insecurely

WordPress backups are the essential, reliable way to preserve your website data in case you lose it completely, for example after a hacking incident. There are dozens of WordPress plugins that will back up your site files and database automatically, so you never have to think about it. But in some cases the effort you put into protecting your website data can itself lead to a leak of sensitive data and a hacked site.

Unsafely stored WordPress backups

Recently we tried a few queries in Google Advanced Search to look for backup files generated by various WordPress backup plugins. We succeeded: we found a significant number of sites whose backup data was available to anyone because directory browsing was enabled. Quite simple Google dorks, targeting specific file names, directory names and strings inside the data, let us find those indexed directories and WordPress backups in no time.

Later we downloaded several of the database backups and analysed their contents, looking for sensitive information. The results disappointed us far more than the fact that we had been able to download the files without any restriction. Besides standard data such as user or client email addresses, we found FTP credentials (hostnames, usernames and passwords), Google Drive app keys and more, all stored in plain text in the backed-up databases. What can an attacker do with FTP access? Anything he wants: FTP access lets him upload any file to the server, for example a web shell or other malware.
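To see what such a dump actually contains before you trust it to any storage location, you can scan it for plaintext credentials in the wp_options table, where WordPress and its plugins keep their settings. The following Python script is an added example for this post, not code from the original article or from any backup plugin; the sample dump it ships with is constructed, and its option names (example_backup_ftp, example_drive_token) are assumptions rather than any real plugin's option names.

```python
"""Find plaintext credentials that a WordPress database dump carries in wp_options.

Added example for this post, not code from the original article or from any
backup plugin. SAMPLE_DUMP below is constructed; the option names
example_backup_ftp and example_drive_token are assumptions, not the real
option names of any plugin.  Usage on a real dump:  python scan_dump.py dump.sql
"""
import re
import sys

# Fragments of an option name or array key that usually mark a credential.
SECRET_HINTS = ("pass", "secret", "token", "key", "ftp")

# One row of `INSERT INTO wp_options VALUES (...)` as mysqldump writes it:
# (option_id, 'option_name', 'option_value', 'autoload').  The character
# class accepts backslash-escaped quotes inside the quoted strings.
ROW_RE = re.compile(
    r"\(\d+,\s*'((?:[^'\\]|\\.)*)',\s*'((?:[^'\\]|\\.)*)',\s*'(?:yes|no)'\)"
)

_SQL_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "0": "\0", "Z": "\x1a"}


def unescape_sql(s):
    """Undo mysqldump's backslash escaping inside a quoted string."""
    return re.sub(r"\\(.)", lambda m: _SQL_ESCAPES.get(m.group(1), m.group(1)), s)


def php_unserialize(data, pos=0):
    """Minimal PHP unserialize for the s/i/d/b/N/a types plugins use for settings.

    Returns (value, next_pos).  PHP string lengths are byte counts, so read the
    dump as latin-1 (one char per byte) to keep them aligned for UTF-8 content.
    """
    t = data[pos]
    if t == "N":                                  # N;
        return None, pos + 2
    if t in "ibd":                                # i:<int>;  d:<float>;  b:<0|1>;
        end = data.index(";", pos)
        raw = data[pos + 2:end]
        return {"i": int, "d": float, "b": lambda r: r == "1"}[t](raw), end + 1
    if t == "s":                                  # s:<len>:"<bytes>";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                         # skip :"
        return data[start:start + length], start + length + 2   # skip ";
    if t == "a":                                  # a:<count>:{<key><value>...}
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        p, out = colon + 2, {}                    # skip :{
        for _ in range(count):
            k, p = php_unserialize(data, p)
            v, p = php_unserialize(data, p)
            out[k] = v
        return out, p + 1                         # skip }
    raise ValueError(f"unsupported serialized type {t!r} at offset {pos}")


def walk(obj, path):
    """Yield (dotted path, scalar) for every leaf of a parsed option value."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk(v, f"{path}.{k}")
    else:
        yield path, obj


def scan_dump(sql_text):
    """Return [(path, value)] for every wp_options leaf whose path looks secret-bearing."""
    findings = []
    for m in ROW_RE.finditer(sql_text):
        name, value = unescape_sql(m.group(1)), unescape_sql(m.group(2))
        parsed = value
        if value.startswith("a:"):                # serialized settings array
            try:
                parsed, _ = php_unserialize(value)
            except (ValueError, IndexError):
                parsed = value                    # malformed: treat as opaque text
        for path, leaf in walk(parsed, name):
            if leaf not in ("", None) and any(h in path.lower() for h in SECRET_HINTS):
                findings.append((path, leaf))
    return findings


# Constructed sample dump (not captured from any real site or plugin).
SAMPLE_DUMP = r"""
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.test','yes'),(2,'blogname','Example Site','yes'),(77,'example_backup_ftp','a:4:{s:4:\"host\";s:16:\"ftp.example.test\";s:4:\"user\";s:6:\"backup\";s:4:\"pass\";s:13:\"Pl4intext!123\";s:4:\"port\";i:21;}','yes'),(78,'example_drive_token','constructed-sample-token','no');
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1") as fh:   # latin-1: byte-exact lengths
            text = fh.read()
    else:
        text = SAMPLE_DUMP
    for path, value in scan_dump(text):
        print(f"{path} = {value!r}")
```

On the constructed sample the script reports the FTP host, user, password and port and the drive token, and nothing for siteurl or blogname. On a real dump expect hits from WordPress core as well (for instance mailserver_pass, which core keeps in wp_options), not only from plugins; anything the script prints is what a stranger gets from a listing like the ones described above.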

Usually there is no need to store information like FTP credentials or Google Drive keys in the WordPress database, but some backup plugins need them, typically for the remote location the finished backup is sent to, and keep them in the same database they then back up for you. Storing such data in the database is not the problem in itself; the issue is how that data is stored and protected against leakage. Keep in mind that a database dump contains every wp_options value exactly as the plugin wrote it, so a credential a plugin saves unencrypted ends up unencrypted in every backup of that database. In this case two factors combine to cause the leak. The first is inadequate protection of files and directories on the server: open directory browsing is a serious risk, especially in a case like this. The second lies with the authors of WordPress backup plugins, whose products provide no mechanism to protect the backup files from unauthorised access.
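The first factor, open directory browsing, is also the easiest one to check for yourself. The following Python script is an added example, not part of the original post: it fetches a few candidate directories on a site you own and reports those that return an auto-generated index page, listing any file names that look like backups. The candidate paths are assumptions (wp-content/uploads/ is WordPress's standard upload directory; the rest is whatever your backup plugin writes to), and the sample listing it tests itself against is constructed.

```python
"""Report web directories on your own site that expose an auto-generated index.

Added example for this post, not code from the original article or from any
backup plugin.  CANDIDATE_PATHS are assumptions: wp-content/uploads/ is the
standard WordPress upload directory; add the directory your backup plugin
writes to.  Only scan hosts you own or are authorised to test.
Usage:  python check_listing.py https://your-site.example/
"""
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Markers emitted by Apache mod_autoindex and nginx autoindex pages.
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.I),
    re.compile(r"<h1>\s*Index of /", re.I),
)
# Link targets whose extension suggests a database dump or backup archive.
BACKUP_NAME_RE = re.compile(r'href="([^"]*\.(?:sql\.gz|sql|tar\.gz|tgz|zip))"', re.I)

CANDIDATE_PATHS = (            # assumptions, see module docstring
    "wp-content/uploads/",
    "wp-content/backups/",
)


def looks_like_directory_listing(status, body):
    """True when an HTTP 200 body is an auto-generated directory index."""
    if status != 200:
        return False
    return any(marker.search(body) for marker in LISTING_MARKERS)


def backup_files_in_listing(body):
    """Return the linked file names in a listing that look like backups."""
    return BACKUP_NAME_RE.findall(body)


def fetch(url, timeout=10):
    """GET url and return (status, body); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "backup-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def check_site(base_url, paths=CANDIDATE_PATHS):
    """Return {path: [backup file names]} for every path that shows a listing."""
    exposed = {}
    for path in paths:
        status, body = fetch(urljoin(base_url, path))
        if looks_like_directory_listing(status, body):
            exposed[path] = backup_files_in_listing(body)
    return exposed


# Constructed sample of an Apache mod_autoindex page (not captured from a real site).
SAMPLE_LISTING = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /wp-content/uploads/backups</title></head>
<body><h1>Index of /wp-content/uploads/backups</h1>
<ul><li><a href="/wp-content/uploads/">Parent Directory</a></li>
<li><a href="backup_2018-05-01-db.sql.gz">backup_2018-05-01-db.sql.gz</a></li>
<li><a href="backup_2018-05-01-plugins.zip">backup_2018-05-01-plugins.zip</a></li>
<li><a href="readme.txt">readme.txt</a></li></ul></body></html>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, files in check_site(sys.argv[1]).items():
            print(f"EXPOSED {path}: {files or '(no obvious backup files)'}")
    else:   # no URL given: demonstrate the classifier on the constructed sample
        print(looks_like_directory_listing(200, SAMPLE_LISTING),
              backup_files_in_listing(SAMPLE_LISTING))
```

If a path is reported, turn listings off (Options -Indexes in Apache's .htaccess, autoindex off in nginx) and, separately, deny web access to the backup directory altogether: a listing that is merely switched off still leaves every file downloadable by anyone who knows or guesses its name, which is exactly what a search engine index or a wordlist supplies.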

The screenshots below make this case clear. We would suggest you double-check your website's security measures, just to make sure you are not leaking any sensitive data. We have warned the owners of all the sites on which we were able to access and download confidential information in the form of WordPress database backups, so at least a few websites will be slightly safer after our short, simple yet meaningful experiment.

[Screenshot: Google dork to find vulnerable websites]

[Screenshot: WordPress backups accessible by anyone]

[Screenshot: UpdraftPlus backup file of a WordPress database with FTP credentials]

[Screenshot: Successfully connected to the FTP server with credentials found in a database backup file]

Darius S.
