But today I noticed this DANGEROUS thing, and I want to announce it so that everybody can fix. By default, sql dumb data are saved into files under a directory named backup-db inside wp-content. And this directory has absolutely no protection. That means you can freely browse anyone’s wp-content/backup-db/ content and download the data file.

Now, I did a search of “index of /wp-content/backup-db” on Google. From the popularity of WordPress and this plugin, you can tell how many results I got. Yes, thousands of results were returned, each was a browsable and downloadable backup directory among thousands of different WordPress-powered websites.

Need I stress on how serious this problem is? It’s about passwords (encrypted or not), email addresses, other private data, even credit card numbers for business blogs. This is serious.

The fixes

There are many fixes for this problem. You can

• Change the backup directory, or
• Upload a index.html file into backup-db directory to prevent directory browsing, or
• Use .htaccess to prohibit downloading contents from the directory etc.

For the sake of WordPress users, please spread this. I’ve also contacted Lester Chan, the author of the plugin, so that he can release a fix.

Updates

It seems I missed the instruction from the author before installing the plugin
But anyway, I believe most of WP users just install the plugins without reading, especially when they just work out of the box. And as the downloadable sql dumps are still out there, I’m waiting for a more strict fix instead of readme file’s instruction.

UPDATE: Starting from version 2.50, the plugin author added a check for a proper .htaccess file in the backup folder for security purpose. Way to go!