This documentation page does not apply to our software versions for Joomla! 4.0 and later versions. If you are not using Joomla 3 please consult the documentation index to find and read the correct version of the documentation.
By default the component uses a non secure location to store its
backup files and temporary files, within your site's file system
location is well known and can be - theoretically - accessed directly
from a web browser. Since the backup output directory stores the
results of your backup attempts, that is SQL files containing database
backups and archive files containing all of your site, a malicious
person with access to this location could steal sensitive information
or compromise your site's integrity.
The first line of defense, is to use mangled, hard to guess, names for the SQL backup. However, it wouldn't take an attacker that long to figure out the filename. Remember: security through obscurity is no security at all!
As a second line of defense, we include a secure
.htaccess on the default backup output directory
to disable direct web access. However, this is only possible on
Apache-powered web servers which allow the use of
.htaccess files. You should check with your host
to ensure that this kind of protection is possible on your
However, this is not enough. Using a well known location would allow an attacker exploiting a security issue in a third party component to gain access to the backup archives. The only way around that is using a different directory, ideally one above your site's root.