On Storing Backups of Your Joomla Website in the Wrong Place

2 out of 3 times when we fix a hacked Joomla website, we discover that a backup of that website is sitting either in the root directory of the website or, worse, in a backup folder which is itself located under the root directory. Some websites make it very easy for hackers by having a backup.zip file right in the root directory!

Let’s be very clear about it: storing backups in a web accessible location, regardless of any protective measures or name obfuscation you may use, is the wrong strategy. Here is why:

  • If you store the backup file under the root directory of your website, then all a hacker has to do is run a script that requests likely names (any file whose name contains backup and ends in .zip, for a start) and watches for a response other than 404. It can be a lengthy process, but if the file is there he will eventually find it. Oh, and by the way, the first name his script will try is backup.zip.
  • If you store the backup file under a folder called backup, then it’s the same problem as above. If, in addition, you don’t have directory listing disabled on your Joomla website, it’s even worse: anyone can browse to http://www.yourjoomlawebsite.com/backup and see (and of course download) every file in your backup directory.

  • If you store the backup folder in any public location on your website and then visit that location in your web browser, be aware that some web browsers (and browser toolbars) report the URLs they visit to search engines, which may then crawl and index them. That means your backup file can end up in search results: if someone searches for yourjoomlawebsite backup, he might get that zip file in the first row of the results. Not good!
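The quickest way to find out whether your own site has this problem is to look for backup artifacts from the server side, before someone else finds them from the outside. The following shell script is an added example, not code from the original post: it walks a Joomla document root (the path you pass is hypothetical) and lists files and directories whose names look like site archives or database dumps, including the .jpa/.jps archives Akeeba Backup writes.

```shell
#!/bin/sh
# Added example, not from the original post: audit a Joomla document root for
# backup artifacts that an HTTP request could fetch. Assumes POSIX sh and find(1);
# the document root path you pass is hypothetical.

# List files under $1 whose name suggests a site archive or database dump.
# .jpa/.jps are Akeeba Backup archives; the rest are generic archive/dump suffixes.
find_exposed_backups() {
    [ -d "$1" ] || return 1
    find "$1" -type f \( \
        -iname '*.zip' -o -iname '*.tar' -o -iname '*.tar.gz' -o -iname '*.tgz' \
        -o -iname '*.sql' -o -iname '*.sql.gz' -o -iname '*.jpa' -o -iname '*.jps' \
        -o -iname '*backup*' -o -iname '*.bak' -o -iname '*.old' \
    \) 2>/dev/null
}

# List directories under $1 whose name hints at backups; with directory listing
# enabled, each of these exposes its whole contents at a single URL.
find_backup_dirs() {
    [ -d "$1" ] || return 1
    find "$1" -type d \( -iname '*backup*' -o -iname '*.bak' -o -iname '*.old' \) 2>/dev/null
}

# Exit status 0 when the document root is clean, 1 (plus a list of hits) otherwise.
audit_docroot() {
    hits=$( find_exposed_backups "$1"; find_backup_dirs "$1" )
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# usage: audit_docroot /var/www/html || echo "web-accessible backup artifacts found"
```

Expect some false positives (an extension zip left in Joomla's tmp/ directory, for example); every hit is still something a crawler or a guessing script could fetch, so each one deserves a look.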

But what can someone do with a backup of your website? Well, for starters, he gets access to files that only registered (or paid) members are supposed to see. The backup also contains your configuration.php, which holds the name of your database, the name of the database user with read and write access to it, that user’s password, and the host serving the database. He will also be able to see which extensions you have installed on your website, and which of those have known vulnerabilities. And let’s just say that whoever downloads your backup file without your authorization is not doing this with the best of intentions.

So where and how should you store your backups?

Well, there are several ways for storing backups:

  • Store backups in a directory that is not accessible by the web server: We believe that this is the best strategy, as it is the most secure. It means that your backups can never be served to visitors of your website, whatever URL they try.
  • Store backups in a directory under the root directory of your website but protect them with an .htaccess file: A simple deny from all at the top of the .htaccess file (Require all denied on Apache 2.4) means that no visitor to your website can fetch anything from your backup directory directly – but Apache, and therefore any PHP code it runs, can still read it. Which means that if there’s a vulnerability on your website (a file inclusion or arbitrary download bug in an extension, say), someone might still be able to download your backup by exploiting that vulnerability.

  • Store backups in a directory under the root directory of your website but protect them with HTTP authentication: This consists of adding AuthType Basic and AuthUserFile directives to the .htaccess file of the backup directory, pointing at an .htpasswd file that holds the password hashes, so anyone requesting that directory is required to enter a valid username and password. Note that this has the same weakness as above, since Apache (and the PHP code it runs) can read that directory regardless of whether it’s password protected or not.
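A backup script that enforces the first option, as an added example that is not part of the original post: it resolves symlinks before deciding whether the destination lies under the web root, refuses to write there, keeps the database password out of the process list, and leaves every file it creates owner-only. It assumes POSIX sh, tar and mysqldump, a standard Joomla configuration.php, and hypothetical paths; the deny-all .htaccess it can write is there only for the weaker fallback where a directory has to stay under the web root.

```shell
#!/bin/sh
# Added example, not from the original post: back up a Joomla site into a
# directory the web server cannot serve, refusing any destination that resolves
# to a path under the document root. Assumes POSIX sh, tar, mysqldump and a
# standard Joomla configuration.php; all paths below are hypothetical.

# Canonical absolute path of a directory (resolves symlinks), or failure.
canon() { (cd "$1" 2>/dev/null && pwd -P); }

# Succeed when directory $1 is $2 or lies anywhere beneath it.
path_inside() {
    child=$(canon "$1") || return 1
    parent=$(canon "$2") || return 1
    case "$child" in
        "$parent"|"$parent"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read one scalar from configuration.php, e.g. joomla_config_value /var/www/site db
# Handles the single-quoted form Joomla writes:  public $db = 'joomla';
joomla_config_value() {
    sed -n "s/^[[:space:]]*public [\$]$2[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" \
        "$1/configuration.php" | head -n 1
}

# Fallback only: write an Apache deny-all .htaccess (2.4 and 2.2 syntax) into $1
# for a backup directory that cannot be moved out of the web root.
harden_backup_dir() {
    cat > "$1/.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# backup_joomla SITE_ROOT DEST
# Returns 2 and writes nothing when DEST would be reachable over HTTP.
backup_joomla() {
    site="$1"; dest="$2"
    mkdir -p "$dest" || return 1
    if path_inside "$dest" "$site"; then
        rmdir "$dest" 2>/dev/null            # undo the mkdir if we just created it
        echo "refusing: $dest resolves to a path under the web root $site" >&2
        return 2
    fi
    chmod 700 "$dest"
    umask 077                                 # every file created below is owner-only
    stamp=$(date +%Y%m%d-%H%M%S)
    db=$(joomla_config_value "$site" db)
    user=$(joomla_config_value "$site" user)
    host=$(joomla_config_value "$site" host)
    pw=$(joomla_config_value "$site" password)
    # Keep the DB password off the command line: hand it over in a 0600 defaults file.
    cnf=$(mktemp) || return 1
    printf '[client]\nhost=%s\nuser=%s\npassword=%s\n' "$host" "$user" "$pw" > "$cnf"
    if ! mysqldump --defaults-extra-file="$cnf" --single-transaction "$db" \
            > "$dest/db-$stamp.sql"; then
        rm -f "$cnf"; return 1
    fi
    rm -f "$cnf"
    gzip -f "$dest/db-$stamp.sql"
    tar -czf "$dest/files-$stamp.tar.gz" -C "$site" . || return 1
    echo "$dest/db-$stamp.sql.gz $dest/files-$stamp.tar.gz"
}

# usage: backup_joomla /var/www/html /var/backups/joomla
```

The symlink resolution matters more than it looks: a destination such as /var/www/html/../backups passes a naive string comparison but may still be served if /var/backups is itself a symlink into the document root, which is why the check works on canonical paths rather than the strings you typed.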

We recommend that you go with the first option for storing your backups, since we believe that backups should never exist in a location that is web accessible.

Now if you need help backing up your Joomla website, or if you need any help with your Joomla website, then why not contact us? We’ve been working on Joomla for many years now, we’re very friendly to work with, and it won’t cost you a fortune working with us!
