I don't understand why I'm getting a warning that this Snapshot file is public.

I'm getting the following notice as I try to install Snapshot: "Default folder is snapshot. If you change the folder name the previous snapshot files will be moved to the new folder.
Current folder /home/[moderated]/public_html/wp-content/uploads/snapshots/
Warning: Your Snapshot folder is publicly accessible. Please make sure you DO NOT use the default "snapshot" location. Although we attempt to disallow directory listing and are obscuring your backup names, having this folder public opens it up for exploitation. You may need to consult your hosting provider to move this folder outside of your website folder. Example path:/home/[moderated]/snapshots."

I don't understand this because /home/[moderated]/public_html/wp-content/uploads/snapshots/ doesn't seem like a public folder.

  • ken_edelstein

    Oh, here's the data Snapshot suggested I include with any support request:

    WordPress Version 4.5.2
    PHP Version 5.6.22
    MySQL Version 5.6.28
    Is Multisite Yes, Number of Sites: 6
    WP_CRON Snapshot uses WP_CRON to run automated backups. If you have disabled WP_CRON via your wp-config.php you will not be able to schedule snapshots.
    WP_CRON Enabled.
    WP_CRON Lock timeout: 60
    Folder Permissions Writable (0755) – /wp-content/uploads/snapshots
    Writable (0755) – /wp-content/uploads/snapshots/_backup
    Writable (0755) – /wp-content/uploads/snapshots/_locks
    Writable (0755) – /wp-content/uploads/snapshots/_logs
    Writable (0755) – /wp-content/uploads/snapshots/_restore
    OpenSSL The OpenSSL Apache module is require to make secure connections with destinations like Dropbox and Amazon AWS.
    OpenSSL installed
    cURL cURL is used when connecting to remote destinations like Dropbox and Amazon AWS.
    cURL installed
    Version: 7.30.0
    SSL Version: OpenSSL/1.0.2h
    Libz Version: 1.2.3
    Protocols: dict, file, ftp, ftps, gopher, http, https, imap, imaps, pop3, pop3s, rtsp, smtp, smtps, telnet, tftp
    PHP runtime information
    Display Errors 1
    Error Reporting 4983 - E_ERROR, E_WARNING
    Magic Quotes Off
    Max Execution Time (seconds) Off The value displayed can be adjusted by Snapshot PHP scripts.
    Memory Limit 512M - WP_MEMORY_LIMIT defined by WordPress wp-config.php.
    256M - WP_MAX_MEMORY_LIMIT defined automatically by WordPress
    Open Basedir Off
    Safe Mode Off
    ZLib Compression Off

  • Sajid

    Hi ken_edelstein,
    Hope you are doing good today :slight_smile:

    First of all, never post the full address of your website on public forums like this. I have moderated the original reply and removed the folder name from it.

    I can see the snapshot folder plus uploads folder is publicly accessible. So anyone with an internet connection can go here & here and download the files without any restrictions.

    It is strongly recommended to disallow the directories. If you are not exactly sure then immediately contact your host to fix this issue as per suggestions provided by Snapshot.

    Hope that helps! Feel free to post a reply if you need further assistance :slight_smile:

    Best Regards,
    Sajid

  • ken_edelstein

    While I appreciate you alerting me to the publicly facing folder problem, that won't really solve the larger problem. I didn't follow Snapshot's warning on the vulnerability of those folders BECAUSE I was directing Snapshot to back up to my Dropbox instead. Unfortunately, Snapshot instructions are quite unclear on this point, and Snapshot failed to save to Dropbox. Instead Snapshot exposed my folders to the public!

    I am working to get the public exposure of my folders created by your plugin resolved. But could you kindly read my original ticket, and help me with that issue, i.e. Snapshot did not properly save to Dropbox!

  • Sajid

    Hi ken_edelstein,
    Hope you are doing good today :slight_smile:

    Weird, we have not reported this issue before with snapshot plugin. Actually it should not do it on its own. Could you please share the exact steps when exactly it made your uploads/ folder public? This will help me replicate this issue on my own site and help the developer to fix it if I could replicate it on my site.

    As mentioned above, this is a hosting thing and I have not disabled directory browsing personally, but I found a thread on stackoverflow that suggested to create an empty .htaccess file, add the following code in it and upload that file in the uploads folder.
    Options -Indexes

    If you are still unable to disable directory listing then please contact your host and ask them to disable it. It's a one minute job for them.

    "But could you kindly read my original ticket, and help me with that issue, i.e. Snapshot did not properly save to Dropbox!"

    I don't see your question regarding the dropbox issue in your original post. Maybe you have created a different thread for this issue?

    Anyway! Could you please share more details about your issue with snapshot not uploading to dropbox? Are you getting any error message on screen or in error_log related to this issue? If yes then please post that message here so I can determine why exactly it's not uploading.

    Also, if you could grant support staff access so I can take a look at your dropbox settings and try to create a snapshot for testing.

    To grant access go to WPMU DEV -> Support -> Support Access -> Grant Access or see this manual.

    Looking forward to your response :slight_smile:

    Best Regards,
    Sajid
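
Added example, not part of the original thread or of Snapshot's code: a host-side check showing what the `Options -Indexes` fix above changes and what it leaves open for a backup folder under the webroot. It assumes Apache honours `.htaccess` overrides and allows listings by default, as on the host in this thread; `audit_backup_dir` and `demo` are hypothetical names and the directory tree is constructed.

```python
import os
import re
import tempfile

OPTIONS = re.compile(r"^[ \t]*Options[ \t]+(.+)$", re.I | re.M)
DENY_ALL = re.compile(r"^[ \t]*(Require\s+all\s+denied|Deny\s+from\s+all)[ \t]*$", re.I | re.M)

def htaccess_chain(docroot, target):
    """Yield .htaccess texts from docroot down to target (Apache merge order)."""
    dirs = [docroot]
    for part in os.path.relpath(target, docroot).split(os.sep):
        if part != ".":
            dirs.append(os.path.join(dirs[-1], part))
    for d in dirs:
        candidate = os.path.join(d, ".htaccess")
        if os.path.isfile(candidate):
            with open(candidate, encoding="utf-8", errors="replace") as fh:
                yield fh.read()

def audit_backup_dir(docroot, backup_dir):
    """Classify a backup folder; text-level check only, not the server's full config."""
    docroot, backup_dir = os.path.realpath(docroot), os.path.realpath(backup_dir)
    if os.path.commonpath([docroot, backup_dir]) != docroot:
        return "outside webroot"
    listing_off = denied = False
    for text in htaccess_chain(docroot, backup_dir):
        for match in OPTIONS.finditer(text):  # later directives override earlier ones
            for token in match.group(1).lower().split():
                if token in ("-indexes", "indexes", "+indexes", "all"):
                    listing_off = token == "-indexes"
        denied = denied or bool(DENY_ALL.search(text))
    if denied:
        return "blocked by .htaccess"
    if listing_off:
        return "listing hidden, files still downloadable by URL"
    return "listing and files public"

def demo():  # constructed tree mirroring the thread's folder layout
    with tempfile.TemporaryDirectory() as home:
        docroot = os.path.join(home, "public_html")
        uploads = os.path.join(docroot, "wp-content", "uploads")
        os.makedirs(os.path.join(uploads, "snapshots"))
        os.makedirs(os.path.join(home, "snapshots"))
        before = audit_backup_dir(docroot, os.path.join(uploads, "snapshots"))
        with open(os.path.join(uploads, ".htaccess"), "w") as fh:
            fh.write("Options -Indexes\n")
        after = audit_backup_dir(docroot, os.path.join(uploads, "snapshots"))
        return before, after, audit_backup_dir(docroot, os.path.join(home, "snapshots"))
```

The middle verdict is the case Snapshot's warning describes: the listing is gone, but a backup file is still served to anyone who has or guesses its URL, which is why the plugin recommends a folder outside the website folder.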

  • ken_edelstein

    My apologies, Sajid. You're right: I mentioned my difficulty in getting Snapshot to save to Dropbox in another thread. I wanted to take these two issues up one at a time here.

    I appreciate you helping with the public folder issue. Eventually, my host was able to resolve it. It did have to do with Snapshot not working with Siteground's settings. Could you please check the links you provided earlier to ensure that nothing remains exposed that shouldn't be?

    Because of Siteground's highly recommended status with WPMU DEV, I'm surprised at the settings problems I've had at Siteground regarding Multisite in general and WPMU DEV plugins in particular. Given the marketing assistance that Siteground has received from WPMU DEV, would it be possible for WPMU DEV to check in with them regarding particularly the Snapshot conflict? I have run into several permissions/settings issues with Siteground regarding Multisite and WPMU DEV plugins that didn't come up at my previous host.

    Regarding Dropbox: I assume the problem has something to do with something wrong that I did in the settings. As I said, I cannot find the appropriate guidance to this problem in WPMU DEV's supporting documentation. Rather than get into the whole granting-access thing, I'd like to share with you the Fatal Error I see that I'm getting regarding reauthorization. I am not sure whether that's something I shouldn't place on this public forum, however. Please advise on the best way for me to send it to you.

  • Sajid

    Hi ken_edelstein,
    Hope you are doing good today :slight_smile:

    I can confirm that I don't see snapshots folder listed in uploads folder in your website any more so that seems to be resolved.

    My colleague Nastia has her site on siteground and she can't replicate this issue. She confirms that the snapshot plugin does not change the folder permissions itself. She created a blank new site on her host and sees that all folders and files of uploads folder are publicly accessible. So that is more of a hosting issue and we don't have much here to do. I am sorry but we can't tell siteground what to do or not; it's their own terms of service and privacy policy. As a customer you have the right to ask them to fix this issue.

    You can share the error message here but just remove or mask the username from full address. Alternatively granting support staff access is more secure way to check that error and that way I will also be able to see the dropbox settings.

    To grant access go to WPMU DEV -> Support -> Support Access -> Grant Access or see this manual.

    Hope that helps! Feel free to post a reply if you need further assistance :slight_smile:

    Best Regards,
    Sajid

  • Sajid

    Hi ken_edelstein,
    Hope you are doing good today :slight_smile:

    Thanks for granting support staff access. I could successfully create a new DropBox destination by authorizing it with my own DropBox account. Then I created a manual test snapshot, selected the newly created dropbox destination, and it worked just fine (see screenshot).

    I can see the file uploaded on my dropbox account as well (see screenshot).

    I have deleted the test destination created by me on your site after testing.

    Please delete your existing destination, add a new dropbox destination and then try to create a new snapshot by selecting the new destination folder. This should fix the issue.

    Hope that helps! Feel free to post a reply if you need further assistance :slight_smile:

    Best Regards,
    Sajid
