Q203 - Default output directory in use


Your backup will work properly despite this warning

You got to this page because Akeeba Backup / Akeeba Solo detected that you are using the default backup output and / or temporary directories. This page will inform you on the potential pitfalls and security concerns of the default configuration, as well as how to secure your installation.

Do note that your backup will work properly even if you do nothing to make this warning disappear. Using the default directory is not an operational issue, it's a friendly security paranoia tip.

What's in the backup directory and why should I care?

The output directory files holds database dumps (.sql files), while the database dump step is running and a "memory" file, which allows Akeeba Backup / Akeeba Solo to span the backup process between multiple steps without timing out. They are deleted upon proceeding to the next step, if the process ends with catchable errors or when a new backup is started (if the previous backup attempt failed). If the backup fails with a PHP fatal error, these files remain in place. A malicious user with access to those files could steal proprietary / restricted information and/or security data by examining these files.

Moreover, the backup output directory contains backup archives. Some of them are complete archives, some of them could be incomplete (because the backup process failed at some point). Any backup file contains all of your site, including database contents and database connection information. A malicious user with access to those files could do everything and, what's more, produce an exact clone of your site to a server of his liking in order to explore new ways to attack your live server.

Why is using the default directories bad?

As said, a malicious user must have access to the temporary / backup files in order to exploit their contents. The default directory assigned to the backup output directory setting are in a well known, browser accessible location. This opens a potential attack vector, unless you take action.

How can I protect myself?

Akeeba Backup and Akeeba Solo include a .htaccess (for Apache servers) and web.config (for IIS 7 and later servers) for the default backup output directory which disallows direct browser access. This has some shortcomings, as not all web servers support using these files, for example NginX, or some hosts choose to allow .htaccess / web.config only for some specific folders or even none at all. In these cases, you are not protected at all and you should contact your host for restricting access to this directory.

Alternatively, you can use a directory above your server's root, effectively not allowing anyone access it from a web browser. The downside is that if you are restricted by open_basedir restrictions and / or PHP Safe Mode settings you might not be able to use it to backup your site. If you are obliged to use a folder under your web server's root you are strongly advised to disallow direct web access to this directory. If your server supports .htaccess files this can be easily accomplished by creating an .htaccess file on your backup output and temporary directories with the following contents:

<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
<IfModule mod_authz_core.c>
Require all denied