WordPress backup options - Good list and Updraft Plus vulnerability
Saw this in the WP newsletter, thought of sharing since the topic comes up occasionally.
https://wplift.com/best-wordpress-backup-plugins
They have not mentioned All In One WP Backup - my former preferred backup method. Interesting: reading the comments, looks like the article was originally published in 2016! Nice content refresh by these guys.
Also: Read about the Updraft Plus vulnerability
https://www.wordfence.com/blog/2022/02/vulnerability-in-updraftplus-allowed-subscribers-to-download-sensitive-backups
Comments
If the provider allows it, I prefer configuring backups independently from WordPress.
That is, not having WordPress (try to) back itself up using yet another not really necessary plugin.
Having said that, on several occasions I have used the All-in-One WP Migration plugin for cloning websites, not for making backups in the narrow sense of the word. It did the job fine.
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
BikeGremlin's web-hosting reviews
Forcing upgrade to plugins..
So WP also must have a kill switch somewhere
BleepingComputer: WordPress force installs UpdraftPlus patch on 3 million sites.
https://www.bleepingcomputer.com/news/security/wordpress-force-installs-updraftplus-patch-on-3-million-sites/
blog | exploring visually |
That's not good.
Is there a way of preventing WordPress from doing stuff without approval?
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
BikeGremlin's web-hosting reviews
That's crazy :O
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
The best way I know of is to chown -R wordpress:wordpress the WordPress files, where your PHP process runs as www-data, and to make sure that the directory and file permissions of the WordPress files do not allow writing from other users.
However, this comes with another set of tradeoffs, such as managing symlinks for uploads and other files which the PHP process actually needs to write to, and finding a different method to apply updates to core and plugins. The tradeoffs are worth it for me, but might be a problem in many other situations.
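A check for the ownership split described in the post above, as an added example that is not part of the thread: it lists every path under a WordPress tree that the PHP account could still modify. The function names, the /var/www/wordpress path and the usage line are assumptions.

```shell
#!/bin/sh
# Added example: audit a WordPress tree for paths the PHP account can change.
# Function names and the example path are assumptions, not from the thread.

# wp_writable_by ROOT UID [GID...]
# Prints every file or directory under ROOT that the account can modify:
#   - owned by UID (an owner can always chmod a file back to writable)
#   - group-writable and owned by one of the account's GIDs
#   - world-writable
# Symlinks are skipped: their own mode bits are always rwx and carry no
# meaning, and upload directories are often symlinked out of the tree.
wp_writable_by() {
    root=$1; uid=$2; shift 2
    {
        find "$root" ! -type l -user "$uid" -print
        for gid in "$@"; do
            find "$root" ! -type l -group "$gid" -perm -020 -print
        done
        find "$root" ! -type l -perm -002 -print
    } | sort -u
}

# wp_audit ROOT USER
# Resolves USER to its numeric uid and group ids, prints the findings and
# returns 1 if there are any, 0 if the tree is clean, 2 if USER is unknown.
wp_audit() {
    uid=$(id -u "$2") || return 2
    # id -G prints a space-separated gid list; word splitting is intended.
    findings=$(wp_writable_by "$1" "$uid" $(id -G "$2"))
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage (path and account as in the post above):
#   wp_audit /var/www/wordpress www-data
```

Anything it prints is a path that plugin or core code running as the PHP account can rewrite; the directories the PHP process really needs, such as uploads, are expected to live outside the tree behind a symlink.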
Does this mean WP can also do other changes - like removing articles, and/or bringing the whole sites down if they decide it's the right thing to do?
Not asking whether "they'd (never, sure) do that," but whether they can, whether they're in a position to do so.
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
BikeGremlin's web-hosting reviews
Also don't forget: If they can do it, it could also be potentially abused by hackers and the like. If there is some kind of "backdoor" for wp team, it only takes one account of a team member with sufficient permissions to be hacked and abused.
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
Exactly.
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
BikeGremlin's web-hosting reviews
Since WP is Open Source, kinda weird nobody noticed this "backdoor" before.
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
The idea of a backdoor or a kill switch is not cool.
blog | exploring visually |
I asked on a WP for Business FB group about this.
The consensus seems to be that they've done similar things before, "with good reasons," and that it's perfectly fine. Full support.
I certainly had no idea until now that they (can) do that - which shows how stupid and short-sighted I am.
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
BikeGremlin's web-hosting reviews