feinstaub
Forum Replies Created
Thanks for the answer, this was indeed a bit irritating. I changed it back to 4 stars, however you might be aware that the cloud thing needs much more explanation in easy words: What is this account, what really happens if I connect my website with this cloud? Is it able to edit data? Is it just reading data from external as everybody else can do … etc. pp. It is simply unclear what’s going on.
Forum: Reviews
In reply to: [All-in-One WP Migration and Backup] Security concerns
I need to emphasize that what your plugin does seems to be a security issue.
If you really take security seriously you would not rewrite the .htaccess in the backup folder.
In the past I added a customized .htaccess preventing anything from outside from accessing the folder. That worked pretty nicely for a while (well, the download did not work as you do not point to an FTP access, but I can download the files via FTP manually and the folder is 100% safe).
However, magically it seems now that for a while the .htaccess has been recreated and exchanged whenever I start a backup. So without notice the plugin decided on its own to completely rewrite an additional .htaccess, this is really weird. You don’t even give a warning.
Can you confirm that your plugin is modifying and overwriting existing .htaccess code? And moreover that you do not just modify a certain area, you just remove the whole thing and rewrite it.
So if you really think that security is a concern for you please do not exchange existing .htaccess content, or at least modify that app with two versions:
a) only app access (with an order deny,allow deny from all at the beginning)
b) the current variant (for those who think accessing backups even is unlikely to be guessed isn’t an issue)
In my mind overwriting a .htaccess without notice is alone a severe security issue; the normal way to do this is to define an AREA where things get modified, same as “#BEGIN WordPress / #END WordPress”.
But nobody who gives anything about security would ever just exchange a .htaccess without warning or any information, as there is normally a reason why the .htaccess is modified. Isn’t it?
As a result I can only support what @georgelund wrote. You are taking security on the light side and you even take measures without reason to weaken security steps one did to protect his folders (as an example by modifying the .htaccess to protect it from non-internal file access and use FTP access instead to download a copy (which you could do as well by the way)).
So if you really are concerned about security:
Stop overwriting .htaccess in the way it is being done at the moment and if really required, only modify areas marked as such.
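
The marker-delimited update the post asks for, as an added example that is not part of the original post and not the plugin's own code: only the section between the markers is rewritten, the administrator's rules are kept verbatim, and a malformed section is refused rather than overwritten. The marker name `Example Backup Plugin`, the function names and the sample rules are hypothetical.

```python
class MarkerError(ValueError):
    """Raised when the managed section is malformed and must not be touched."""


def update_managed_block(existing: str, marker: str, rules: list[str]) -> str:
    """Return `existing` with only the '# BEGIN marker' .. '# END marker'
    section replaced by `rules`; every line outside it is kept verbatim."""
    begin, end = f"# BEGIN {marker}", f"# END {marker}"
    lines = existing.splitlines()
    starts = [i for i, line in enumerate(lines) if line.strip() == begin]
    ends = [i for i, line in enumerate(lines) if line.strip() == end]
    block = [begin, *rules, end]

    if not starts and not ends:
        # No managed section yet: append one below the admin's own rules.
        spacer = [""] if lines and lines[-1].strip() else []
        out = lines + spacer + block
    elif len(starts) == 1 and len(ends) == 1 and starts[0] < ends[0]:
        # Exactly one well-formed section: swap its contents only.
        out = lines[:starts[0]] + block + lines[ends[0] + 1:]
    else:
        # Unbalanced or duplicated markers: refuse instead of guessing.
        raise MarkerError(f"malformed '{marker}' section; file left unchanged")
    return "\n".join(out) + "\n"


# Constructed sample: an admin's own lockdown rules in the backup folder.
ADMIN_HTACCESS = "order deny,allow\ndeny from all\n"
MARKER = "Example Backup Plugin"      # hypothetical marker name
PLUGIN_RULES = ["Options -Indexes"]   # hypothetical plugin-managed rule

if __name__ == "__main__":
    first = update_managed_block(ADMIN_HTACCESS, MARKER, PLUGIN_RULES)
    print(first)
    # A later backup run changes only the managed section.
    print(update_managed_block(first, MARKER, ["Options -Indexes", "# v2"]))
```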