WP-DB-Backup Leaves Your Data Exposed on the Internet

December 14, 2008 – 9:39 AM

Older versions of the popular WordPress plugin WP-DB-Backup leave a copy of your entire database in a public folder for all to see.  The databases were stored in wp-content/backup/, and a quick Google search today still returns many databases of sites, including some as recent as a few days ago:

http://www.google.com/search?num=100&hl=en&suggon=0&safe=off&q=intitle%3A%22index+of+%2Fwp-content%2Fbackup%22&btnG=Search

For those of you who still do not get the danger involved with this: this is the backup file for your entire website, in plaintext.  This gives people your Administrator username and the MD5 hash of the password.  This MD5 hash can easily be run through any cracker and can be revealed in a matter of seconds, minutes, days, etc.  This would allow somebody malicious to log in to your site as the Admin account and have complete control over it.
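The exposure described above is a plain misconfiguration: a dump sitting in a web-served directory that the server is happy to list. The script below is an added example, not code from the post or from the WP-DB-Backup plugin; it audits a WordPress document root on disk, reports every wp-content/backup* directory that holds dump files, and rates each one by whether its .htaccess blocks directory listing or denies web access outright. The sample tree it builds is constructed here for illustration, and the archive extensions and directory-name pattern are assumptions, not something the plugin documents.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field

# Archive extensions a database-backup plugin typically writes (assumption).
BACKUP_EXTS = (".sql", ".sql.gz", ".gz", ".zip", ".bz2", ".tar")

# Apache directives that disable directory listing / deny all web access.
NO_INDEX_RE = re.compile(r"^\s*Options\s+.*-Indexes", re.I | re.M)
DENY_ALL_RE = re.compile(r"^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\b", re.I | re.M)

# Matches wp-content/backup and wp-content/backup-<suffix> style directories (assumption).
BACKUP_DIR_RE = re.compile(r"(^|/)wp-content/backup[^/]*$")


@dataclass
class Finding:
    directory: str                 # path relative to the document root
    files: list = field(default_factory=list)
    listing_blocked: bool = False  # .htaccess has "Options -Indexes"
    access_denied: bool = False    # .htaccess has "Deny from all" / "Require all denied"


def _htaccess_flags(directory):
    """Return (listing_blocked, access_denied) for the .htaccess in a directory."""
    path = os.path.join(directory, ".htaccess")
    if not os.path.isfile(path):
        return False, False
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return bool(NO_INDEX_RE.search(text)), bool(DENY_ALL_RE.search(text))


def audit_wp_backups(docroot):
    """Walk a WordPress document root and report backup directories under
    wp-content that contain dump files, with their .htaccess protection state."""
    findings = []
    for root, _dirs, files in os.walk(docroot):
        rel = os.path.relpath(root, docroot).replace(os.sep, "/")
        if not BACKUP_DIR_RE.search(rel):
            continue
        dumps = sorted(f for f in files if f.lower().endswith(BACKUP_EXTS))
        if not dumps:
            continue
        blocked, denied = _htaccess_flags(root)
        findings.append(Finding(rel, dumps, blocked, denied))
    return findings


def severity(finding):
    """'listable': anyone can browse and download; 'guessable': listing is off but
    a known file name is still downloadable; 'protected': the web server denies access."""
    if finding.access_denied:
        return "protected"
    if finding.listing_blocked:
        return "guessable"
    return "listable"


def recommended_htaccess():
    """Apache directives to drop into a backup directory that must stay on the web host."""
    return "Options -Indexes\nRequire all denied\n"


def build_sample_site():
    """Constructed sample tree (not a real site): one open and one protected backup dir."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    open_dir = os.path.join(root, "wp-content", "backup")
    safe_dir = os.path.join(root, "wp-content", "backup-a1b2c3")  # random suffix, newer-plugin style
    os.makedirs(open_dir)
    os.makedirs(safe_dir)
    os.makedirs(os.path.join(root, "wp-content", "uploads"))  # must not be flagged
    for d in (open_dir, safe_dir):
        with open(os.path.join(d, "example_wp_20081214.sql.gz"), "wb") as fh:
            fh.write(b"\x1f\x8b")  # placeholder bytes, not a real dump
    with open(os.path.join(safe_dir, ".htaccess"), "w", encoding="utf-8") as fh:
        fh.write(recommended_htaccess())
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for f in audit_wp_backups(site):
        print(f"{severity(f):10} {f.directory}: {', '.join(f.files)}")
```

Run it against the real document root instead of the constructed tree to get a list of dump directories and their state. Note that "protected" only covers Apache .htaccess handling; on nginx or a host that ignores .htaccess the same directory is still listable, which is one more reason to keep dumps off the web root entirely, as the post goes on to recommend.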

According to the new developer of the plugin, the code was fixed “about 3 years ago” and no longer uses a non-random directory to store them.  But….I think I’ll stick to my method of database backups and run the backup manually via phpMyAdmin and copy them down locally into an encrypted folder.  I’m not a big fan of leaving copies of my database lying around for all to find, even if they are now supposedly stored in harder-to-find places.

Note: This is for older versions of WordPress where the passwords were stored as a basic MD5 hash.  Newer versions are salted and are less crackable.  Just make sure that you update your WordPress-powered site regularly.  This goes for both the WordPress core files and all of your plugins.
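Whether a leaked dump hands over an instantly crackable hash or a salted one depends on the format of the user_pass column, so it is worth knowing which of your accounts still carry the legacy value before a backup ever leaves the server. The snippet below is an added example, not code from the post or from WordPress; it pulls (ID, user_login, user_pass) out of the wp_users INSERT lines of a dump and classifies each hash as the unsalted 32-hex MD5 of old WordPress releases or the salted phpass "$P$" form used since. The dump text is constructed here, including its hash values, and the column order assumed is the standard wp_users layout (ID, user_login, user_pass, ...).

```python
import hashlib
import re

# phpass "portable" hash as written by WordPress once it stopped storing plain MD5:
# "$P$" + 1 iteration-count char + 8 salt chars + 22 hash chars.
PHPASS_RE = re.compile(r"^\$P\$[./0-9A-Za-z]{31}$")
# 32 lowercase hex digits: the legacy unsalted MD5 value the post warns about.
MD5_HEX_RE = re.compile(r"^[0-9a-f]{32}$")


def classify_user_pass(value):
    """Return 'legacy-md5', 'phpass-salted' or 'unknown' for a wp_users.user_pass value."""
    if MD5_HEX_RE.match(value):
        return "legacy-md5"
    if PHPASS_RE.match(value):
        return "phpass-salted"
    return "unknown"


# Each wp_users tuple starts with (ID, user_login, user_pass, ...); capture the first three.
ROW_RE = re.compile(r"\((\d+),\s*'((?:[^'\\]|\\.)*)',\s*'((?:[^'\\]|\\.)*)'")
INSERT_RE = re.compile(r"^\s*INSERT INTO\s+`?wp_users`?", re.I)


def extract_users(dump_text):
    """Yield (ID, user_login, user_pass) from every wp_users INSERT line in a SQL dump."""
    users = []
    for line in dump_text.splitlines():
        if not INSERT_RE.match(line):
            continue
        for user_id, login, user_pass in ROW_RE.findall(line):
            users.append((int(user_id), login, user_pass))
    return users


def weak_accounts(dump_text):
    """Logins whose stored hash is the unsalted legacy MD5 format."""
    return sorted(login for _, login, pw in extract_users(dump_text)
                  if classify_user_pass(pw) == "legacy-md5")


# Constructed sample dump: not a real site, hashes built here for illustration.
LEGACY_HASH = hashlib.md5(b"constructed-example-password").hexdigest()
PHPASS_HASH = "$P$B" + "abcdefgh" + "A" * 22
SAMPLE_DUMP = (
    "-- constructed sample dump\n"
    "INSERT INTO `wp_users` VALUES "
    "(1, 'admin', '" + LEGACY_HASH + "', 'admin', 'admin@example.invalid', '', "
    "'2008-12-14 09:39:00', '', 0, 'admin'), "
    "(2, 'editor', '" + PHPASS_HASH + "', 'editor', 'editor@example.invalid', '', "
    "'2008-12-14 09:40:00', '', 0, 'editor');\n"
    "INSERT INTO `wp_posts` VALUES (1, 1, '2008-12-14 09:41:00');\n"
)


if __name__ == "__main__":
    for user_id, login, pw in extract_users(SAMPLE_DUMP):
        print(user_id, login, classify_user_pass(pw))
    print("accounts still on legacy MD5:", weak_accounts(SAMPLE_DUMP))
```

A legacy-MD5 account gets upgraded to the salted form by WordPress on that user's next successful login, so the practical fix for any login this reports is to make sure the account is actually used after the core update, or to reset its password.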
