Wordpress backup options- Good list and Updraft Plus vulnerability

Saw this in the WP newsletter, thought of sharing since the topic comes up occasionally.

https://wplift.com/best-wordpress-backup-plugins

They have not mentioned All In One WP Backup - my former preferred backup method. Interesting: reading the comments, looks like the article was originally published in 2016! Nice content refresh by these guys.

Also: Read about the Updraft Plus vulnerability
https://www.wordfence.com/blog/2022/02/vulnerability-in-updraftplus-allowed-subscribers-to-download-sensitive-backups

Comments

  • bikegremlinbikegremlin ModeratorOGContent Writer

    If the provider allows it, I prefer configuring backups independently from WordPress.
    That is, not having WordPress (try to) back itself up using yet another not really necessary plugin.

    Having said that, on several occasions I have used the All-in-One WP Migration plugin for cloning websites, not for making backups in the narrow sense of the word. It did the job fine.

    Thanked by (1)Ympker

    Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
    BikeGremlin's web-hosting reviews

  • Forcing upgrade to plugins..

    So WP also must have a kill switch somewhere

    BleepingComputer: WordPress force installs UpdraftPlus patch on 3 million sites.
    https://www.bleepingcomputer.com/news/security/wordpress-force-installs-updraftplus-patch-on-3-million-sites/

    Thanked by (2)bikegremlin Ympker
  • bikegremlinbikegremlin ModeratorOGContent Writer

    That's not good.
    Is there a way of preventing WordPress from doing stuff without approval?

    Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
    BikeGremlin's web-hosting reviews

  • YmpkerYmpker OGContent Writer

    @vyas said:
    Forcing upgrade to plugins..

    So WP also must have a kill switch somewhere

    BleepingComputer: WordPress force installs UpdraftPlus patch on 3 million sites.
    https://www.bleepingcomputer.com/news/security/wordpress-force-installs-updraftplus-patch-on-3-million-sites/

    That's crazy :O

  • @bikegremlin said:
    Is there a way of preventing WordPress from doing stuff without approval?

    The best way I know of is to chown -R wordpress:wordpress the WordPress files, where your PHP process runs as www-data, and to make sure that the directory and file permissions of the WordPress files do not allow writing from other users.

    However, this comes with another set of tradeoffs, such as managing symlinks for uploads and other files which the PHP process actually needs to write to, and finding a different method to apply updates to core and plugins. The tradeoffs are worth for me, but might be a problem in many other situations.

    Thanked by (2)bikegremlin vyas
  • bikegremlinbikegremlin ModeratorOGContent Writer

    Does this mean WP can also do other changes - like removing articles, and/or bringing the whole sites down if they decide it's the right thing to do?

    Not asking whether "they'd (never, sure) do that," but whether they can, whether they're in a position to do so.

    Thanked by (1)Ympker

    Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
    BikeGremlin's web-hosting reviews

  • YmpkerYmpker OGContent Writer

    @bikegremlin said:
    Does this mean WP can also do other changes - like removing articles, and/or bringing the whole sites down if they decide it's the right thing to do?

    Not asking whether "they'd (never, sure) do that," but whether they can, whether they're in a position to do so.

    Also don't forget: If they can do it, it could also be potentially abused by hackers and the like. If there is some kind of "backdoor" for wp team, it only takes one account of a team member with sufficient permissions to be hacked and abused.

  • bikegremlinbikegremlin ModeratorOGContent Writer

    @Ympker said:

    @bikegremlin said:
    Does this mean WP can also do other changes - like removing articles, and/or bringing the whole sites down if they decide it's the right thing to do?

    Not asking whether "they'd (never, sure) do that," but whether they can, whether they're in a position to do so.

    Also don't forget: If they can do it, it could also be potentially abused by hackers and the like. If there is some kind of "backdoor" for wp team, it only takes one account of a team member with sufficient permissions to be hacked and abused.

    Exactly.

    Thanked by (1)Ympker

    Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
    BikeGremlin's web-hosting reviews

  • YmpkerYmpker OGContent Writer

    @bikegremlin said:

    @Ympker said:

    @bikegremlin said:
    Does this mean WP can also do other changes - like removing articles, and/or bringing the whole sites down if they decide it's the right thing to do?

    Not asking whether "they'd (never, sure) do that," but whether they can, whether they're in a position to do so.

    Also don't forget: If they can do it, it could also be potentially abused by hackers and the like. If there is some kind of "backdoor" for wp team, it only takes one account of a team member with sufficient permissions to be hacked and abused.

    Exactly.

    Since WP is Open Source, kinda weird nobody noticed this "backdoor" before.

    Thanked by (1)bikegremlin
  • @Ympker said:

    @bikegremlin said:

    @Ympker said:

    @bikegremlin said:
    Does this mean WP can also do other changes - like removing articles, and/or bringing the whole sites down if they decide it's the right thing to do?

    Not asking whether "they'd (never, sure) do that," but whether they can, whether they're in a position to do so.

    Also don't forget: If they can do it, it could also be potentially abused by hackers and the like. If there is some kind of "backdoor" for wp team, it only takes one account of a team member with sufficient permissions to be hacked and abused.

    Exactly.

    Since WP is Open Source, kinda weird nobody noticed this "backdoor" before.

    The idea of a backdoor or a kill switch is not cool.

    Thanked by (2)bikegremlin Ympker
  • bikegremlinbikegremlin ModeratorOGContent Writer

    @Ympker said:

    @bikegremlin said:

    @Ympker said:

    @bikegremlin said:
    Does this mean WP can also do other changes - like removing articles, and/or bringing the whole sites down if they decide it's the right thing to do?

    Not asking whether "they'd (never, sure) do that," but whether they can, whether they're in a position to do so.

    Also don't forget: If they can do it, it could also be potentially abused by hackers and the like. If there is some kind of "backdoor" for wp team, it only takes one account of a team member with sufficient permissions to be hacked and abused.

    Exactly.

    Since WP is Open Source, kinda weird nobody noticed this "backdoor" before.

    I asked on a WP for Business FB group about this.
    The consensus seems to be that they've done similar things before, "with good reasons," and that it's perfectly fine. Full support.

    I certainly had no idea until now that they (can) do that - which shows how stupid and short-sighted I am. :)

    Thanked by (1)Ympker

    Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
    BikeGremlin's web-hosting reviews

Sign In or Register to comment.