Web security is always a hot topic. Protecting your website is not a single action, but a process of continuous improvement.
Recently we told you more about the importance of finishing the CMS installation in your hosting account. Now we would like to draw your attention to the threats posed by publicly reachable URLs such as http://moiatsite.com/backup.zip and http://moiatsite.com/old.
What are the most common backup mistakes?
There are two typical situations in which such a backup ends up in your hosting account:
- you are about to upload your website to a new hosting service;
- you have generated a backup of a website that is already live.
If you are about to upload your website to a new hosting account, you will typically upload the archive via FTP first and then extract it, e.g. via the File Manager in cPanel. Unless you delete it afterwards, the archive stays in the web root next to the extracted files.
When a directory URL is requested, the web server serves its index file (index.html, index.php, etc.) by default. If no index file exists, all shared hosting and Managed VPS accounts return a "Forbidden" message instead of displaying the directory's contents.
However, if your archive has a common name such as site.zip, backup.zip, backup.tar.gz or archive.tar.gz, its URL is easily guessed and the file itself can be downloaded by anyone, which opens the door to malicious activity.
The damage is then not limited to your website's files: if the backup also contains a copy of the database and the mailboxes, third parties gain access to all of that information.
Keep in mind that a database export in a publicly accessible directory can be downloaded just as easily. Your competitors could acquire all your important information: passwords, customer base, purchase orders, personal or sensitive data, etc.
The rapid development of web technologies inevitably calls for change. You already have a new website and can't wait to upload it, but you don't feel like deleting the old one… At first glance, moving the old website into a directory named old, backup or archive seems like a great idea!
But this can be very dangerous. Why?
Usually all your attention goes to maintaining and updating the new website, and updating the old one is no longer a priority. An old website that is no longer updated is a security risk, however: since both websites remain accessible from one and the same hosting account, the potential threats may even double.
With that in mind, here are our best practices and a few tips from our support team:
- First, check whether a backup is stored in the website's main directory. If there is one, save it locally to your PC and delete it from your account.
- If you have replaced an old version of your website with a completely new appearance and CMS, do not keep the old one in a directory named archive, old or backup. It is only a name, but it gives anyone an easy guess at where the old content lives. If you do not need this content, delete it.
- Be careful where you store backups. After generating one, download it immediately and save it to your PC.
- Use the cPanel backup option: backups generated this way are stored in the /home directory of the hosting account. This directory is not publicly accessible, so your backup is safe there.
- You can also request the last generated system backup from the "Backup Manager by SuperHosting" menu in cPanel (our SuperTeam developed this one especially for our SuperCustomers).
- If you are using a backup plugin or module, carefully check where the files are stored and whether they are publicly accessible. Here too, download the backup right after generating it, save it to your PC and do not leave it on the server.
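To make the risk described above and the tips in this list concrete, here is a small audit script. It is an added example written for this post, not a SuperHosting tool: it lists backup archives and database exports lying directly in a web root, flags directories named old, backup or archive (noting whether they still have an index file), and prints an Apache 2.4 .htaccess fragment that refuses to serve archive and dump files whatever their names. The extra extensions it checks (.tgz, .sql, .bak, .7z, .rar, .bz2) and the throw-away demo web root are assumptions of the example, not something from the post.

```shell
#!/bin/sh
# Added example (not SuperHosting's tooling): audit a web root for the two
# problems described in the post, then print an Apache rule that blocks
# archive downloads. Names below come from the post plus constructed extras;
# the Apache syntax assumes version 2.4.

# Globs for backup archives and database dumps that should never sit in the
# web root. A missing index file only hides a directory *listing*; a file with
# a guessable name is still downloadable.
ARCHIVE_GLOBS='*.zip *.tar *.tar.gz *.tgz *.sql *.sql.gz'
# Directory names people reach for when parking a copy of the old site.
LEFTOVER_DIRS='old backup archive'

# Print every backup archive found directly in the web root, one path per line.
list_exposed_archives() {
    webroot=$1
    for pattern in $ARCHIVE_GLOBS; do
        for f in "$webroot"/$pattern; do
            if [ -f "$f" ]; then
                printf '%s\n' "$f"
            fi
        done
    done
    return 0
}

# Print each leftover-site directory and whether it has an index file (with one
# the old site is served in full; without one the server answers Forbidden,
# but every file inside remains reachable by direct URL).
list_leftover_dirs() {
    webroot=$1
    for d in $LEFTOVER_DIRS; do
        [ -d "$webroot/$d" ] || continue
        if [ -e "$webroot/$d/index.html" ] || [ -e "$webroot/$d/index.php" ]; then
            printf '%s (has index file, old site is live)\n' "$webroot/$d"
        else
            printf '%s (no index file)\n' "$webroot/$d"
        fi
    done
    return 0
}

# Apache 2.4 .htaccess fragment that refuses to serve archives and dumps from
# the directory it is placed in, regardless of file name. Drop the gz
# alternative if the site deliberately serves pre-compressed .gz assets.
htaccess_deny_archives() {
    cat <<'EOF'
<FilesMatch "\.(zip|tar|tgz|gz|bz2|7z|rar|sql|bak)$">
    Require all denied
</FilesMatch>
EOF
}

# Demo on a constructed, throw-away web root so the script runs anywhere.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/old" "$root/images"
    : > "$root/index.php"
    : > "$root/backup.zip"     # constructed: leftover from the initial upload
    : > "$root/db-export.sql"  # constructed: database export next to the site
    echo "Exposed archives:"
    list_exposed_archives "$root"
    echo "Leftover site directories:"
    list_leftover_dirs "$root"
    echo "Suggested .htaccess:"
    htaccess_deny_archives
    rm -rf "$root"
}

demo
```

On a cPanel account the document root is normally ~/public_html, so `list_exposed_archives ~/public_html` and `list_leftover_dirs ~/public_html` are the calls to run; anything they print should be downloaded to your PC and deleted from the account, exactly as the tips above say. The .htaccess rule is a safety net for the next time an archive is forgotten, not a substitute for keeping backups out of the web root.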