One common problem that we notice on the majority of WordPress websites that we audit are the number backup and old revision files stored on the website. This is a security problem because typically such files can be downloaded by anyone, and the information stored in them could aid malicious hackers craft a successful hack attack as explained in this article.
What are Old Revision and WordPress Backup Files?
Old Revision Files
Not everyone has the commodity of a staging website. In such cases designers and administrators do troubleshooting and test changes on the live website. During such process it is of common practice to make a copy of files before editing them and renaming them with an old extension. For example before modifying wp-config.php, you make a copy of the file and rename it to wp-config.php.old, or wp-config.old, or wp-config.bak.
WordPress Backup Files
By default, the majority of the hosting providers store and WordPress plugins store the WordPress backup files on the website itself. Typically these backups are zip files and are stored in the /wp-content/uploads/ directory, or the plugin’s directory. Also, the filenames of these backup files are easy to guess or predict, using formats such as [websitename]_[yyyymmdd].zip, or backup_[websitename]_[yyyymmdd].zip.
What Information Do Old Revision and WordPress Backup Files Contain?
WordPress backup files contain a wealth of information, such as a copy of all the website files and the WordPress database. In the WordPress database you can find a list of all the users, their email addresses, their hashed passwords, sales records, possible account numbers and everything that is stored from the website. Therefore if for example you have an online store, or a membership website the malicious hackers can get hold of user account credentials (username and password) or possible finance and payment related records.
Old revision files can also contain a lot of information, but it all depends on which file it is. For example if it is a copy of the wp-config.php file, it will contain the database connection details and the WordPress authentication keys and salts. If it is a .htaccess or .htpasswd file it can also contain a wealth of information, including a list of IPs that are allowed to access the WordPress dashboard, or a list of usernames or passwords that are used for HTTP authentication.
How Can Attackers Download Old Revision and WordPress Backup Files?
Considering the filenames of WordPress backups and old revision files are very common and predictable, malicious hackers use tools such as Fuzzers to automatically send thousands of HTTP requests to your WordPress website requesting such type of files. Below are some example of such requests:
When the filename in the request sent by the Fuzzer is correct, the download is initiated and now the attacker can get hold of the information stored in that particular WordPress backup or old revision file. Note that this type of scanning activity generates a lot of HTTP 404 errors (requests to non-existing pages) so if you are using a plugin such as WP Activity Log you can easily detect such type of malicious activity and take the necessary action to thwart it.
Save WordPress Backup Files and Old Files Offsite
Identifying and downloading WordPress backups and old revision files is a very easy job. It does not require any technical skills so even non seasoned hackers can do such job. Therefore it is worth doing a bit of extra effort to save all your WordPress backups offsite and remove all old revision files. As a rule of thumb remove /uninstall every file, plugin, theme or any other object that is not being used by the website.
Tip: If you are looking for a reliable cloud based WordPress backup solution, that can store all WordPress backups in an offsite location, here at WP White Security we recommend and use BlogVault.