WP-DBManager’s vulnerability

I’ve been using WP-DBManager for quite a while now, and in short it’s a very good - if not the best - WordPress plugin for managing your database - with just one click, you can back up, restore, repair, optimize, and do other tasks. An essential plugin, really.

But today I noticed something DANGEROUS, and I want to announce it so that everybody can fix it. By default, SQL dump data is saved into files under a directory named backup-db inside wp-content, and this directory has absolutely no protection. That means anyone can browse a site’s wp-content/backup-db/ listing and download the dump files.

Now, I did a search for “index of /wp-content/backup-db” on Google. From the popularity of WordPress and this plugin, you can tell how many results I got. Yes, thousands of results were returned, each one a browsable and downloadable backup directory on one of thousands of different WordPress-powered websites.

Need I stress how serious this problem is? It’s about passwords (encrypted or not), email addresses, other private data, even credit card numbers for business blogs. This is serious.

The fixes

There are many fixes for this problem. You can

  • Change the backup directory, or
  • Upload an index.html file into the backup-db directory to prevent directory browsing, or
  • Use .htaccess to prohibit downloading the directory’s contents, etc.
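The second and third fixes above, and the check the author later added in version 2.50 (see the update below), as an added example that is not the plugin’s own code: a small POSIX shell script that drops an index.html and a deny-all .htaccess into a backup directory if they are missing, and a second function that reports whether a directory is protected. The directory path is an assumption; the plugin’s default on this page is wp-content/backup-db.

```shell
#!/bin/sh
# Added example (not WP-DBManager code): harden a WordPress backup directory so
# the web server neither lists nor serves the SQL dumps stored in it.
# The target directory is passed as an argument, e.g. wp-content/backup-db.

# Deny directives for both Apache 2.4 (mod_authz_core) and 2.2 style configs.
# These only take effect if the vhost's AllowOverride permits Limit/AuthConfig.
HTACCESS_RULES='# Deny all direct web access to database dumps
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>'

# protect_backup_dir DIR
# Creates index.html (defeats directory listings) and .htaccess (blocks
# downloads) in DIR when they do not already exist. Existing files are kept.
protect_backup_dir() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 1
    fi
    if [ ! -f "$dir/index.html" ]; then
        printf '<!-- directory listing disabled -->\n' > "$dir/index.html"
    fi
    if [ ! -f "$dir/.htaccess" ]; then
        printf '%s\n' "$HTACCESS_RULES" > "$dir/.htaccess"
    fi
    return 0
}

# backup_dir_protected DIR
# Returns 0 when DIR holds both an index.html and an .htaccess containing a
# deny-all directive, 1 otherwise. This mirrors the kind of check described in
# the update below; the plugin's actual implementation is not shown on the page.
backup_dir_protected() {
    dir="$1"
    [ -f "$dir/index.html" ] || return 1
    [ -f "$dir/.htaccess" ] || return 1
    grep -Eqi 'Deny from all|Require all denied' "$dir/.htaccess" || return 1
    return 0
}

# Usage: sh harden-backup-db.sh /var/www/html/wp-content/backup-db
if [ -n "${1:-}" ]; then
    protect_backup_dir "$1" && backup_dir_protected "$1" && echo "protected: $1"
fi
```

Two caveats a practitioner should keep in mind: an .htaccess file is only honoured by Apache when AllowOverride allows it for that path (nginx and other servers need the equivalent rule in the server config), and the index.html alone stops listings but not a direct download of a dump whose filename is guessable, which is why the deny rule is the part that matters.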

For the sake of WordPress users, please spread the word. I’ve also contacted Lester Chan, the author of the plugin, so that he can release a fix.

Updates

It seems I missed the instructions from the author before installing the plugin :)
But anyway, I believe most WP users just install plugins without reading, especially when they work out of the box. And as the downloadable SQL dumps are still out there, I’m waiting for a stricter fix than the readme file’s instructions.

UPDATE: Starting from version 2.50, the plugin author added a check for a proper .htaccess file in the backup folder for security purposes. Way to go!

  • I’d completely forgotten about directory browsing in general; thanks for the reminder - I’ve just gone on an uploading-index-files spree. :)

    Kx

  • Not to worry, your situation is not unique. I find a heck of a lot of WP users go installing plugins “willy nilly” without ever reading the file called “readme.txt” or the like, which normally contains important (specifically security) do’s and don’ts for individual plugins.

    It is great that you wanted to help others out for sure, but I think you will find most people are pretty careful about the plugins they install and how they are installed.

    Great post!

    Ron

  • Quite dangerous, isn’t it?
    Luckily I don’t use that plugin, and I think it’s better to back up our DB manually.

  • Wow, I will make an empty file now.

    Thanks for sharing :)

  • Just so happened to check out who is linking to my blog and stumbled upon here. I am going to add a check to ensure that the .htaccess file is in the backup folder. If it is not, a notice will appear at the top of the plugin with instructions on how to fix it.

  • Thank you for this. New to WordPress, love this plugin, must learn about the other vulnerabilities with the other plugins!
