Security concern regarding publicly accessible backup downloads
Hi team,
I noticed that backup archives generated by popular backup/staging plugins can remain directly downloadable via their URL, even if the filename contains a hash.
From my perspective, adding a hash to the filename does not provide real access control. If the URL becomes known, is guessed, or leaks through logs, browser history, cache files, or any other mechanism, the archive can still be downloaded directly. For a backup file that may contain the database, wp-config.php, customer data, API keys, and other sensitive information, this is a significant risk.
I would strongly recommend that backup downloads not be served as static files directly from the public web path. Instead, access to ZIP/archive files should be routed through a PHP endpoint that verifies whether the current user is authenticated and has sufficient WordPress admin capabilities, for example manage_options. If the check fails, the endpoint should return a 403 response.
A possible approach would be:
- Block direct public access to backup archive files via .htaccess, Nginx rules, or equivalent server configuration.
- Serve downloads only through a controlled PHP route inside WordPress.
- Before streaming the file, verify that the user is logged in, has admin privileges, and passes a nonce/security check.
- Return HTTP 403 for all unauthorized requests.
This would provide actual access control instead of relying mainly on non-guessable filenames.
This is also problematic in light of applicable EU and German IT security and data protection requirements, including Article 32 GDPR, the NIS2 Directive, the German BSI Act/IT Security Act framework, and sector-specific BSI guidance, all of which require risk-appropriate technical and organisational measures to protect confidentiality, integrity, availability and resilience; a mere hash-based protection mechanism is therefore not an adequate substitute for properly authenticated access control, encryption and secure backup management.
Best regards
