#19931 – config.json is readable

Posted in ‘Akeeba Backup for WordPress’
Monday, 28 April 2014 13:40 CDT
parisi
We have detected that your Akeeba Backup for WordPress configuration file is readable over the web using the URL http://www.COMPAN.com/wp-content/plugins/akeebabackupwp/app//Solo/assets/private/config.json. This can present a very grave security risk. We strongly advise you to follow our documentation instructions to secure the directory containing this file.

Where can I find this documentation?

Thanks,
Paul.

Custom Fields

WordPress version (in x.y.z format): 3.9
Which troubleshooter articles did you read? Read the manual
Have you searched the tickets before posting? Yes
Which documentation pages did you read? None
PHP version (in x.y.z format): 5.4
MySQL/database version:
Host (who is hosting your site, not your domain):
Akeeba Backup version (x.y.z format): Beta
Kickstart version (x.y.z format):

Paul D Parisi

Tuesday, 29 April 2014 01:19 CDT
nicholas
Hello Paul,

It is talking about this page: https://www.akeebabackup.com/documentation/akeeba-solo/protection-by-htaccess.html However, this doesn't apply very well to WordPress, so we're currently reworking the way Akeeba Backup for WordPress stores its configuration. In the stable version you won't have to do anything at all to protect your Akeeba Backup for WordPress configuration.


Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native
🇬🇧 English: excellent
🇫🇷 French: basic

Please keep in mind my timezone and cultural differences when reading my replies. Thank you!


Tuesday, 29 April 2014 09:08 CDT
parisi
Do you have a suggestion on how to remedy this now?

Paul D Parisi

Tuesday, 29 April 2014 11:26 CDT
nicholas
You can create a .htaccess file in the wp-content/plugins/plugins/akeebabackupwp/helpers/private/config.php with the following content:
order deny,allow
deny from all
allow from none


Nicholas K. Dionysopoulos

Lead Developer and Director

Wednesday, 30 April 2014 16:08 CDT
parisi
Thanks - I just went to add the .htaccess file as you mention but one is already there and it has your suggested content in it.

Is this strange? If it is there shouldn't the check come back ok?

Paul D Parisi

Thursday, 01 May 2014 01:07 CDT
nicholas
No, it's not strange. There are a few explanations as to why this didn't work:
  • Your host is not using Apache or another web server which supports .htaccess files.
  • Your host is using Apache or another web server which supports .htaccess files but has turned off .htaccess support for your account (or even the entire server).


In both cases the .htaccess files are silently ignored. This is why we worked on an improved solution that uses .php files to store the configuration data. Even if you try to access them directly they will divulge no information. So, the only thing you can do is wait a couple more days for us to prepare the new stable release.

BTW: Your site is at no risk, despite the warning. Akeeba Backup for WordPress doesn't store passwords in that JSON file (or at least: it shouldn't!). However it shares most of its code with Akeeba Solo (standalone) which does store passwords in that file. The warning should only be shown in Akeeba Solo, not Akeeba Backup for WordPress. Well... there were a few good reasons we labelled that release as "beta" :)


Nicholas K. Dionysopoulos

Lead Developer and Director
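The reply above describes the fix that replaced the .htaccess approach: keep the configuration in a .php file so that a direct web request executes PHP instead of serving the file as static content. The following is an added example of that pattern, written for this page and not taken from Akeeba's code; the on-disk layout (a `<?php die(); ?>` guard line followed by JSON), the function names and the configuration values are assumptions chosen for illustration. It writes such a file, reads it back, and then runs the file through the PHP interpreter to approximate what mod_php or PHP-FPM would hand to a browser. Requires PHP 8.

```php
<?php
declare(strict_types=1);

// Added example (not Akeeba's code): store a backup configuration in a .php file whose
// first line is a PHP guard, so a direct HTTP request executes die() and the server
// sends an empty body instead of the JSON. File layout and names are assumptions.

const GUARD_LINE = "<?php die(); ?>\n";

/** Serialise $config as JSON behind the guard line and write it atomically. */
function writeProtectedConfig(string $path, array $config): void
{
    $json = json_encode($config, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES);
    if ($json === false) {
        throw new RuntimeException('Config is not JSON-encodable: ' . json_last_error_msg());
    }
    // The temporary name keeps the .php suffix on purpose: a config.php.tmp or
    // config.php.bak would be served verbatim as a static file if a request hit it.
    $tmp = $path . '.tmp.php';
    if (file_put_contents($tmp, GUARD_LINE . $json . "\n", LOCK_EX) === false) {
        throw new RuntimeException("Cannot write $tmp");
    }
    chmod($tmp, 0600); // defence in depth: not world-readable on disk either
    if (!rename($tmp, $path)) {
        @unlink($tmp);
        throw new RuntimeException("Cannot move $tmp to $path");
    }
}

/** Read the configuration back, refusing any file that lacks the guard line. */
function readProtectedConfig(string $path): array
{
    $raw = file_get_contents($path);
    if ($raw === false) {
        throw new RuntimeException("Cannot read $path");
    }
    if (strncmp($raw, GUARD_LINE, strlen(GUARD_LINE)) !== 0) {
        // Without the guard the web server would hand the file out as plain text.
        throw new RuntimeException("$path has no PHP guard line; refusing to use it");
    }
    return json_decode(substr($raw, strlen(GUARD_LINE)), true, 512, JSON_THROW_ON_ERROR);
}

/**
 * Approximate a direct web request: execute the file with the PHP interpreter and
 * capture whatever it prints. An empty string means nothing leaked.
 */
function simulateDirectRequest(string $path): string
{
    $out = shell_exec(escapeshellarg(PHP_BINARY) . ' -n ' . escapeshellarg($path) . ' 2>&1');
    return is_string($out) ? $out : '';
}

// Demo with a constructed configuration; every value below is made up.
$dir = sys_get_temp_dir() . '/abwp-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$path = $dir . '/config.php';

$config = [
    'engine'          => ['archiver' => 'jpa', 'part_size' => 2097152],
    'post_processing' => ['engine' => 's3', 'access_key' => 'AKIAEXAMPLE',
                          'secret_key' => 'constructed-secret'],
];

writeProtectedConfig($path, $config);
$readBack = readProtectedConfig($path);
assert($readBack === $config); // the guard line does not get in the way of the reader

$served = simulateDirectRequest($path);
printf("direct request to config.php returned %d bytes; secret visible: %s\n",
    strlen($served), str_contains($served, 'constructed-secret') ? 'yes' : 'no');

// Contrast with the layout this ticket is about: a plain config.json is served verbatim.
file_put_contents($dir . '/config.json', json_encode($config));
printf("static config.json exposes the secret: %s\n",
    str_contains((string) file_get_contents($dir . '/config.json'), 'constructed-secret') ? 'yes' : 'no');
```

Two caveats a practitioner should check on a real host. First, the guard only helps if the web server actually passes .php files in that directory to PHP; a vhost that serves the plugin directory as static files (or has the PHP handler disabled for it) will deliver the source, so fetch the file over HTTP once after deployment and confirm the body is empty. Second, any copy with a different extension (.json, .bak, editor swap files) is ordinary static content again, which is why the writer above never leaves a non-.php temporary file behind. For the .htaccess variant from the earlier reply, note that the `order`/`deny`/`allow` directives belong to Apache 2.2; on Apache 2.4 without mod_access_compat the equivalent is `Require all denied`, and in either case the directives do nothing on nginx, IIS or a host with AllowOverride set to None, which is exactly the silent failure described in this reply.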
