WordPress migration backup publicly accessible
Description
A publicly accessible WordPress migration or backup directory was detected on the web server. Backup plugins such as All-in-One WP Migration, UpdraftPlus, Duplicator, and BackupBuddy store full-site backup archives (e.g. .wpress, .zip) under predictable paths inside wp-content/ (wp-content/ai1wm-backups, wp-content/updraft, wp-content/backups-dup-lite and wp-content/uploads/backupbuddy_backups respectively). When these directories are reachable without authentication, an attacker can download a complete snapshot of the WordPress installation, including the database dump, wp-config.php with its database credentials and secret keys, uploaded files, themes, and plugins. Disabling directory listing alone does not close the issue: an archive remains downloadable by anyone who knows or can guess its file name.
Remediation
Take the following steps immediately:

1. Restrict directory access: Block web access to the backup directories in the server configuration, so that requests for them are refused before any file is served.

For Apache, add the following to the server or virtual host configuration. DirectoryMatch is not permitted in .htaccess, and its regular expression is matched against the filesystem path, not the URL:

    <DirectoryMatch "/wp-content/(ai1wm-backups|updraft|backups-dup-lite|uploads/backupbuddy_backups)">
        Require all denied
    </DirectoryMatch>

If you can only edit the .htaccess file in the WordPress root (AllowOverride must include FileInfo), use mod_alias instead, which answers 404 for the same URL paths:

    RedirectMatch 404 /wp-content/(ai1wm-backups|updraft|backups-dup-lite|uploads/backupbuddy_backups)(/|$)

For Nginx, which ignores .htaccess files entirely (a common reason these directories end up exposed after a migration from Apache), add the block below to the server context. Place it before any other regular-expression location that could match the same URIs, such as a static-asset caching location, because Nginx uses the first matching regex location. A plain 404 is used rather than deny all so the response does not confirm that the directory exists:

    location ~* ^/wp-content/(ai1wm-backups|updraft|backups-dup-lite|uploads/backupbuddy_backups)/ {
        return 404;
    }

2. Delete exposed backups: Remove any backup files currently reachable from the web root, and store future backups outside the document root or in remote storage (S3, Google Drive, etc.).

3. Rotate credentials: If the backup was accessible, assume that wp-config.php and the database dump have been read. Rotate the database password, regenerate the WordPress secret keys and salts (which invalidates all existing sessions), reset the passwords of administrative users, and rotate any API keys or SMTP credentials that plugins keep in the database.

4. Configure the plugin: Use the backup plugin's settings to store backups off-server (cloud storage) and disable local storage if possible.
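To confirm the fix, re-check every known backup path after the configuration change. The script below is an added example written for this advisory, not code from any of the plugins or from the scanner that produced the finding. It requests each directory, treats 401/403/404 as blocked, recognises an Apache or Nginx directory listing and extracts the archive names it reveals, and flags a bare 200 as "reachable" because files in such a directory are still downloadable by name. The host example.test and the responses in the test are constructed; the fetch parameter exists so the logic can be exercised without a network.

```python
"""Probe a WordPress site for reachable backup directories.

Added example for this advisory, not part of the original page.
"""
import re
import sys
import urllib.error
import urllib.request

# Default backup locations of the plugins named in the advisory.
BACKUP_DIRS = (
    "wp-content/ai1wm-backups/",
    "wp-content/updraft/",
    "wp-content/backups-dup-lite/",
    "wp-content/uploads/backupbuddy_backups/",
)

# Archive names as they appear in a directory listing's links.
ARCHIVE_RE = re.compile(
    r'href="([^"?]+\.(?:wpress|zip|tar|tar\.gz|gz|sql))"', re.I)
# Markers of Apache and Nginx auto-generated directory listings.
LISTING_RE = re.compile(
    r"<title>Index of /|Parent Directory|Directory listing for", re.I)
# Content types that mean the URL itself served an archive.
ARCHIVE_TYPES = {"application/zip", "application/octet-stream",
                 "application/gzip", "application/x-gzip"}


def http_get(url, timeout=10):
    """Fetch url; return (status, content-type, first 64 KiB of body)."""
    req = urllib.request.Request(
        url, headers={"User-Agent": "wp-backup-exposure-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read(65536)
    except urllib.error.HTTPError as err:
        # 403/404 etc. arrive as exceptions; keep the status for classification.
        return err.code, err.headers.get("Content-Type", ""), b""


def classify(status, content_type, body):
    """Map one response to: blocked, listing, archive, reachable or other:<code>."""
    if status in (401, 403, 404):
        return "blocked"
    if status != 200:
        return f"other:{status}"
    text = body.decode("utf-8", "replace")
    if LISTING_RE.search(text):
        return "listing"
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime in ARCHIVE_TYPES or body[:2] == b"PK":  # PK = zip/.wpress-style magic
        return "archive"
    # 200 with an ordinary or empty page (often the plugin's own index.php):
    # listing is off, but files remain downloadable if their names are known.
    return "reachable"


def archive_links(body):
    """Archive file names linked from a directory listing, de-duplicated."""
    return sorted(set(ARCHIVE_RE.findall(body.decode("utf-8", "replace"))))


def check_site(base_url, fetch=http_get):
    """Probe every known backup directory under base_url and return a report."""
    base = base_url.rstrip("/") + "/"
    report = {}
    for path in BACKUP_DIRS:
        status, ctype, body = fetch(base + path)
        verdict = classify(status, ctype, body)
        report[path] = {
            "status": status,
            "verdict": verdict,
            "archives": archive_links(body) if verdict == "listing" else [],
        }
    return report


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} https://site.example", file=sys.stderr)
        return 2
    exposed = False
    for path, r in check_site(argv[1]).items():
        print(f"{r['status']:>3} {r['verdict']:<10} {path}")
        for name in r["archives"]:
            print(f"    archive: {name}")
        exposed = exposed or r["verdict"] != "blocked"
    return 1 if exposed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_backups.py https://site.example`; a non-zero exit code means at least one directory still answers. After the Apache or Nginx change above, every line should read "blocked". Treat "reachable" as a finding too, not a pass.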