Support

Akeeba Backup for WordPress

#19931 config.json is readble

Posted in ‘Akeeba Backup for WordPress’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

WordPress version
n/a
PHP version
n/a
Akeeba Backup version
n/a

parisi
We have detected that your Akeeba Backup for WordPress configuration file is readable over the web using the URL http://www.COMPAN.com/wp-content/plugins/akeebabackupwp/app//Solo/assets/private/config.json. This can present a very grave security risk. We strongly advise you to follow our documentation instructions to secure the directory containing this file.

Where can I find this documentation?

Thanks,
Paul.

Paul D Parisi

nicholas
Akeeba Staff
Manager
Hello Paul,

It is talking about this page: https://www.akeebabackup.com/documentation/akeeba-solo/protection-by-htaccess.html However this doesn't apply very well to WordPress, so we're currently reworking the way Akeeba Backup for WordPress stores its configuration. In the stable version you won't have to do anything at all to protect your Akeeba Backup for WordPress configuration.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

parisi
Do you have a suggestion on how to remedy this now?

Paul D Parisi

nicholas
Akeeba Staff
Manager
You can create a .htaccess file in the wp-content/plugins/plugins/akeebabackupwp/helpers/private/config.php with the following content
order deny,allow
deny from all
allow from none

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

parisi
Thanks - I just went to add the .htaccess file as you mention but one is already there and it has your suggested content in it.

Is this strange? If it is there shouldn't the check come back ok?

Paul D Parisi

nicholas
Akeeba Staff
Manager
No, it's not strange. There are a few explanations as to why this didn't work:
  • Your host is not using Apache or another web server which supports .htaccess files.
  • Your host is using Apache or another web server which supports .htaccess files but has turned off .htaccess support for your account (or even the entire server).


In both cases the .htaccess files are silently ignored. This is why we worked on an improved solution that uses .php files to store the configuration data. Even if you try to access them directly they will divulge no information. So, the only thing you can do is wait a couple more days for us to prepare the new stable release.

BTW: Your site is at no risk, despite the warning. Akeeba Backup for WordPress doesn't store passwords in that JSON file (or at least: it shouldn't!). However it shares most of its code with Akeeba Solo (standalone) which does store passwords in that file. The warning should only be shown in Akeeba Solo, not Akeeba Backup for WordPress. Well... there were a few good reasons we labelled that release as "beta" :)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: Typically we work Monday to Friday, 9am to 7pm Cyprus timezone (EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets, but we cannot respond to them, outside of our working hours.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!

Summer vacations: Our support will be closed for replies and new tickets from August 6th to August 21st, 2022 due to summer vacations.