WordPress backup files are an excellent way to ensure you can restore your website without any data loss. Making backups is good practice, and I highly recommend making copies of your website files and database periodically. In case of a security breach, website defacement or other disasters these copies will save you a lot of time and maybe money. But sometimes these files may be the reason why your WordPress site got hacked. A few days ago I did a small piece of research to find out what threats backup files can cause.
WordPress backup plugins
There are a lot of different backup plugins for WordPress in the WordPress.org plugin repository, and there are also many premium plugins available elsewhere. All these plugins have the same primary function: to make a backup of your precious data. Some of them offer simple backup functions; others are more sophisticated and provide more features for managing the backup process. To do the research I needed to pick a target, right? So I picked the most popular WordPress backup plugin available in the WordPress plugin repository – UpdraftPlus WordPress Backup Plugin.
It has more than one million active installs and offers an extensive kit of functions. Besides making local backups, this plugin is capable of storing the backups in external storage services like Dropbox, Google Drive, Amazon S3, Rackspace Cloud, DreamObjects, FTP, OpenStack Swift, Updraft Vault and email. The paid version also backs up to Microsoft OneDrive, Microsoft Azure, Google Cloud Storage, Backblaze B2, SFTP, SCP, and WebDAV. Well, what a fantastic plugin!
But there’s a tiny problem. All these sophisticated storage methods require credentials to log on to those systems. Passwords, usernames, API keys and other such information are also backed up in each backup file. And what would happen if someone, somehow, could gain access to these backup files? I’ll show you (evil laugh!!!)…
Searching for vulnerable WordPress websites
To start looking for vulnerable WordPress websites we need to know what we are looking for. It’s easy. You can install the UpdraftPlus WordPress Backup Plugin to see how it stores backup files locally. You’ll notice that the backup is split into several different archives, saving the database, plugins, themes and uploads separately. You’ll also see the structure of the names the Updraft plugin gives to WordPress backup files.
backup_2018-03-15-1714_blablabla_7fa488f8b5ff-db.gz is the WordPress database backup archive file. The naming structure is easy to understand –
backup + year + month + day + time + site name (or something similar) + a hash + backed-up data type + archive format.
Now we just need the first part of the file name, to involve fewer variables; let’s say “backup_2018-03”. Now the main part: we are looking for WordPress archives that are accessible because directory browsing is enabled. That means we are looking for directories which are accessible to anyone, and the whole Google search string (Google dork) looks like this –
intitle:"index of" backup_2018-02. Now we have a list of sites that are potentially vulnerable. And here’s an example of what you can find inside one of the results – WordPress backup files generated by the UpdraftPlus WordPress Backup Plugin.
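The same naming structure can be used to audit your own site. The following is an added example, not code from the original post or from the UpdraftPlus project: it parses file names of the form described above into their components and checks a directory response body (for instance, what your own server returns for the backup folder; `wp-content/updraft` is assumed here as the plugin's default location) for an enabled directory listing and for any backup archives visible in it. The HTML bodies are constructed samples.

```python
import re
from html.parser import HTMLParser

# Naming scheme described in the post:
# backup_<year>-<month>-<day>-<time>_<site>_<hash>-<type>.<ext>
BACKUP_NAME = re.compile(
    r"^backup_(?P<year>\d{4})-(?P<month>\d{2})-(?P<day>\d{2})-(?P<time>\d{4})"
    r"_(?P<site>.+?)_(?P<hash>[0-9a-f]+)-(?P<kind>[a-z]+)\.(?P<ext>gz|zip)$"
)


def parse_backup_name(name):
    """Split an UpdraftPlus-style file name into its parts; None if it does not match."""
    m = BACKUP_NAME.match(name)
    return m.groupdict() if m else None


class LinkCollector(HTMLParser):
    """Collect every href target from an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, value in attrs:
                if key == "href" and value:
                    self.hrefs.append(value)


def audit_listing(html):
    """Return (listing_enabled, exposed_archives) for a backup directory response body.

    listing_enabled: the body looks like an auto-generated "Index of ..." page.
    exposed_archives: parsed components of every backup archive linked from it.
    """
    listing_enabled = re.search(r"<title>\s*index of", html, re.I) is not None
    collector = LinkCollector()
    collector.feed(html)
    exposed = []
    for href in collector.hrefs:
        name = href.rsplit("/", 1)[-1]   # keep only the file name part of the link
        parsed = parse_backup_name(name)
        if parsed:
            exposed.append(parsed)
    return listing_enabled, exposed


# Constructed sample: what an unprotected backup folder looks like with indexes on.
SAMPLE_LISTING = """<html><head><title>Index of /wp-content/updraft</title></head>
<body><h1>Index of /wp-content/updraft</h1><ul>
<li><a href="../">Parent Directory</a></li>
<li><a href="backup_2018-03-15-1714_blablabla_7fa488f8b5ff-db.gz">db</a></li>
<li><a href="backup_2018-03-15-1714_blablabla_7fa488f8b5ff-plugins.zip">plugins</a></li>
<li><a href="readme.txt">readme.txt</a></li>
</ul></body></html>"""

# Constructed sample: the same folder after a blank index.html was added.
SAMPLE_HARDENED = "<html><head><title>blank</title></head><body></body></html>"


def exposed_kinds(html):
    """Convenience wrapper: just the archive types (db, plugins, ...) visible in the body."""
    _, exposed = audit_listing(html)
    return [item["kind"] for item in exposed]


if __name__ == "__main__":
    enabled, archives = audit_listing(SAMPLE_LISTING)
    print("directory listing enabled:", enabled)
    for item in archives:
        print("exposed:", item["kind"], "backup from", f"{item['year']}-{item['month']}-{item['day']}")
```

Any `db` entry in the result is the case the post describes: the database dump is the archive that carries the plugin's stored credentials, so it deserves the most urgent attention when it shows up as exposed.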
Extracting the sensitive information and credentials
I have downloaded several files to prove and demonstrate what I meant by saying “WordPress backup files may endanger your website”. Let’s start with the database backup files. The database file is a goldmine for any hacker, since the database holds a lot of valuable information that could help to take over control of the website. Now let’s look at one of the examples.
Now you can see that this database dump contains FTP credentials. These are used (attention!) by the UpdraftPlus plugin itself. And these credentials make it possible to do anything I want with this particular website. I don’t even need to upload a shell, because I can already access all the files with an FTP client program.
I can upload a fantastic and lightweight database management tool – Adminer. A perfect tool, as it gives you full database management in a single PHP file. Since I can read the database credentials from the wp-config.php file located in one of the backups, I can change the password for any user and log into WordPress as an administrator with the highest level of permissions.
Now the even scarier part of this. If there are more websites hosted on the same account, an attacker gains access to all of them, which means that one incorrectly stored WordPress backup file endangers the other sites on the same account even if those websites are safe and protected from other types of attack.
First of all, I need to say that the Updraft plugin doesn’t cause the data leakage itself. It could happen with backup files generated by any WordPress backup plugin. Anyway, this example guarantees a 100% hack of any site that leaks its database backup with FTP credentials in it.
The problem is caused by directory listing (CWE-548). It’s recommended to disable directory listing, which can lead to various other threats related to sensitive data leakage. You can do it by adding a specific rule to the .htaccess file of your website:
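As an added example (not the post's own .htaccess snippet and not code from the UpdraftPlus project), the script below drops a protective `.htaccess` and a blank `index.html` into a backup directory and then verifies that the directory listing is switched off. It uses the standard Apache directives `Options -Indexes` and `Require all denied` (Apache 2.4 syntax); the directory path and the list of denied archive extensions are assumptions chosen to match the file types discussed here.

```python
import os
import tempfile

# Assumed hardening rules for the backup folder (standard Apache directives, not the
# original post's rule): no auto-generated indexes, and no direct download of archives.
HTACCESS_RULES = """# Disable directory listing in this folder
Options -Indexes
# Apache 2.4 syntax: refuse direct downloads of backup archives
<FilesMatch "\\.(gz|zip|sql|db)$">
    Require all denied
</FilesMatch>
"""


def harden_backup_dir(path):
    """Create .htaccess and a blank index.html in path if they are missing.

    Existing files are never overwritten, so running this twice is safe.
    Returns the names of the files that were written on this call.
    """
    written = []
    htaccess = os.path.join(path, ".htaccess")
    if not os.path.exists(htaccess):
        with open(htaccess, "w") as f:
            f.write(HTACCESS_RULES)
        written.append(".htaccess")
    index = os.path.join(path, "index.html")
    if not os.path.exists(index):
        with open(index, "w") as f:
            f.write("<!-- intentionally blank: hides the directory listing -->\n")
        written.append("index.html")
    return written


def listing_disabled(path):
    """True if the .htaccess in path carries an Options line that removes Indexes."""
    htaccess = os.path.join(path, ".htaccess")
    if not os.path.exists(htaccess):
        return False
    with open(htaccess) as f:
        return any(
            line.strip().startswith("Options") and "-Indexes" in line for line in f
        )


def demo():
    """Run the hardening twice against a temporary directory and report the outcome."""
    with tempfile.TemporaryDirectory() as backup_dir:
        first = harden_backup_dir(backup_dir)    # writes both files
        second = harden_backup_dir(backup_dir)   # nothing left to do
        return first, second, listing_disabled(backup_dir)


if __name__ == "__main__":
    first, second, disabled = demo()
    print("first run wrote:", first)
    print("second run wrote:", second)
    print("listing disabled:", disabled)
```

Two caveats: `.htaccess` rules only take effect on Apache when `AllowOverride` in the server configuration permits these directives, and nginx ignores `.htaccess` entirely (its equivalent is leaving `autoindex` off and denying the location). The `listing_disabled` check is therefore a check of the file, not a guarantee about the live server; confirm the behaviour by requesting the backup folder from your own site afterwards.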
There are more methods to protect backup files, and you can easily find information sources on the Internet. Also, you can check your own site for data leakage just by using Google search. You can try a search that targets only results from your website: search for indexed directories and for file types like gz, db, sql and zip.
The only thing I am unclear about is why backup plugins can’t protect the directories they use to store the backup files. Is it hard to put an index.html/index.php or .htaccess file there? I guess not, but it looks like nobody cares…