Q203 - Default output directory in use


Your backup will work properly despite this warning

You got to this page because Akeeba Backup / Akeeba Solo (collectively referred to as Akeeba Backup in this page) has established that you are using the default backup output directory. Since this can be a security issue for a stark minority of servers, Akeeba Backup is taking some measures to mitigate any security impact. These can be annoying to some of our users, hence the existence of this page.

Do note that your backup will work properly even if you do nothing to make this warning disappear. Using the default directory is not an operational issue, it's a friendly security paranoia tip.

Quick solution

  1. Use your hosting control panel's file manager or your favorite FTP / SFTP client software to create a new folder on your site.

  2. Go to Akeeba Backup's control panel page.

  3. Select the backup profile from the drop-down.

  4. Click on the Configure button.

  5. Towards the top of the page you will find the Output Directory setting. Click the Browse... button next to it and navigate into the folder you created in the first step. Then click on the Use button.

  6. Finally, click on Save & Close to save your changes and go back to the Akeeba Backup control panel.

Repeat steps 3 to 6 for all of your backup profiles.

Notes about the proposed solution

If possible, create a folder one directory level above your site's root. That is to say, if your site's web root is public_html create a folder e.g. named my_backups next to it, not inside it.

DO NOT use an existing folder of your site as your backup output directory. The files and folders under the backup output directory are forcibly excluded from the backup. Therefore, using an existing folder of your site would render your backup partial and possibly unusable.

Some servers may not allow you to select a backup output directory above the site's root in step 5. If this is the case, create a new directory inside your site's root.

Some servers will complain that the directory you created is unwriteable. In this case give it 0777 permissions. In the context of the server environment where this error would be presented the 0777 permissions in the backup output directory are equivalent to what your site is already doing to be operational and allow itself to be updated.

We strongly recommend against running sites on servers exhibiting either of these latter two problems for security reasons.

What's in the backup directory and why should I care?

The output directory files holds database dumps (.sql files), while the database dump step is running and a "memory" file, which allows Akeeba Backup / Akeeba Solo to span the backup process between multiple steps without timing out. They are deleted upon proceeding to the next step, if the process ends with catchable errors or when a new backup is started (if the previous backup attempt failed). If the backup fails with a PHP fatal error, these files remain in place. A malicious user with access to those files could steal proprietary / restricted information and/or security data by examining these files.

Moreover, the backup output directory contains backup archives. Some of them are complete archives, some of them could be incomplete (because the backup process failed at some point). Any backup file contains all of your site, including database contents and database connection information. A malicious user with access to those files could do everything and, what's more, produce an exact clone of your site to a server of his liking in order to explore new ways to attack your live server.

Why is using the default directories bad?

As said, a malicious user must have access to the temporary / backup files in order to exploit their contents. The default directory assigned to the backup output directory setting are in a well known, browser accessible location. This opens a potential attack vector, unless you take action.

How can I protect myself?

Akeeba Backup and Akeeba Solo place a .htaccess (for Apache servers) and web.config (for IIS 7 and later servers) to the backup output directory which disallows direct browser access. This has some shortcomings, as not all web servers support using these files, for example NginX, or some hosts choose to allow .htaccess / web.config only for some specific folders or even none at all. In these cases, you are not protected at all and you should contact your host for restricting access to this directory.

When it comes to the default backup output directory, since it's a well-known location it is very likely to be probed by malicious users attacking your site. If for any reason the .htaccess / web.config protection does not apply it would be fairly easy for an attacker to figure out the names of your backup archives, especially if you are using the default backup archive naming pattern. This would let them download your backups which gives them an exact copy of your site! For this reason Akeeba Backup will ALWAYS add 16 random characters at the end of the backup archive name, making guessing it a few billion times harder — making guessing practically impossible. Likewise, if you use a backup output directory which Akeeba Backup detects is accessible over the web it will forcibly add these 16 random characters at the end of the backup archive name to prevent anyone from guessing the backup archive's name.