
They’re Scanning for Your Backup Files

Just a reminder to keep your backup files offline. Do not store them in any publicly accessible space. It’s just not worth the risk man. And if you’re working online, you should know this already. If not, then continue reading to learn why it’s absolutely mission critical.

Game over

If someone finds a backup database file on your server, it’s game over. Any sensitive information stored in the database — like usernames, passwords, financial information, and so forth — can be harvested by thieves and used to make your life miserable. In short:

NEVER store your database/backup files in any public directory.

For years I’ve been seeing endless requests for backup database files. The scammers and thieves must be starving to death because there seems to be an increase in the following types of malicious requests (note that these are all from the same server scan):

If that’s not desperation, I don’t know what is.

Save your resources

So the grease bags are scanning for a wide variety of backup files, including requests for just about every combination of commonly used file names and types. Harvesting the previous set of URI requests, we get the following list of extensions:

.com, .sql, .gz, .bak, .zip, .php, .php~, .old, .rar, .tar, .tgz, .bz2, .7z, .txt

Most sites make use of some of these types, such as .php, .zip, and .txt, but many others such as .bak, .com, and .old generally serve no purpose in the public realm. This suggests that you could save some bandwidth and resources by blocking some of these requests outright. For example, you could add the following slice of .htaccess:

RedirectMatch 403 \.(com|sql|bak|php~|old|rar|tar|tgz|bz2|7z)$

Of course, that’s just an example; you would want to further trim the list of file types based on the actual resources available at your site. But the example should give you an idea of how to throttle some of the waste associated with endless scans for backup files.
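To see what a rule like the one above actually catches, here is an added Python example (not code from this article or from the 6G Firewall) that parses a few Apache access-log lines, counts backup-style requests per client, and applies the same regular expression that the RedirectMatch line uses. The log lines, client addresses and file names are all constructed for the demonstration. It also goes a little beyond the article's list on purpose: it shows that .zip and .gz requests, and upper-case variants such as /DB.SQL, are not covered by the example rule as written, because the pattern only names the extensions inside the parentheses and Apache regexes are case-sensitive unless told otherwise.

```python
"""Added example: detect backup-file scans in Apache access-log lines and check
which of those requests the article's RedirectMatch rule would actually block.
The log lines, client addresses and file names below are constructed."""
import re
from collections import Counter

# Extensions harvested from the scan described in the article.
BACKUP_EXTENSIONS = ("sql", "gz", "bak", "zip", "php~", "old", "rar",
                     "tar", "tgz", "bz2", "7z")

# Any of those extensions at the end of the request path marks a scan hit
# (case-insensitive, since a scanner can vary the case freely).
SCAN_PATTERN = re.compile(
    r"\.(" + "|".join(re.escape(e) for e in BACKUP_EXTENSIONS) + r")$",
    re.IGNORECASE)

# The article's example rule, as a Python regex. Like RedirectMatch it is
# case-sensitive, and it deliberately leaves out .zip and .gz.
BLOCK_RULE = re.compile(r"\.(com|sql|bak|php~|old|rar|tar|tgz|bz2|7z)$")

# Apache combined-log prefix: client, identd, user, timestamp, request, status, size.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)')


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # RedirectMatch tests the URL path only, so drop any query string first.
    rec["path"] = rec["target"].split("?", 1)[0]
    return rec


def blocked_by_rule(path):
    """True if the article's RedirectMatch rule would answer 403 for this path."""
    return BLOCK_RULE.search(path) is not None


def analyze(lines):
    """Count scan hits per client and list the hits the rule would let through."""
    hits_per_ip = Counter()
    unblocked = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not SCAN_PATTERN.search(rec["path"]):
            continue
        hits_per_ip[rec["ip"]] += 1
        if not blocked_by_rule(rec["path"]):
            unblocked.append(rec["path"])
    return hits_per_ip, unblocked


# Constructed sample: one scanner walking the usual names, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [07/May/2016:10:01:02 +0000] "GET /backup.sql HTTP/1.1" 404 211 "-" "Mozilla/5.0"
203.0.113.7 - - [07/May/2016:10:01:03 +0000] "GET /backup.sql.gz HTTP/1.1" 404 211 "-" "Mozilla/5.0"
203.0.113.7 - - [07/May/2016:10:01:04 +0000] "GET /wp-config.php~ HTTP/1.1" 404 211 "-" "Mozilla/5.0"
203.0.113.7 - - [07/May/2016:10:01:05 +0000] "GET /db.bak?x=1 HTTP/1.1" 404 211 "-" "Mozilla/5.0"
203.0.113.7 - - [07/May/2016:10:01:06 +0000] "GET /site.zip HTTP/1.1" 404 211 "-" "Mozilla/5.0"
203.0.113.7 - - [07/May/2016:10:01:07 +0000] "GET /DB.SQL HTTP/1.1" 404 211 "-" "Mozilla/5.0"
198.51.100.23 - - [07/May/2016:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [07/May/2016:10:05:01 +0000] "GET /style.css?v=3 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    per_ip, passed = analyze(SAMPLE_LOG.splitlines())
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} backup-file requests")
    for path in passed:
        print(f"not covered by the example rule: {path}")
```

Run against a real log, the per-client counts make a scan stand out at a glance (six misses for backup names from one address in a few seconds), and the "not covered" list tells you which of the extensions from the harvested list your own rule still lets through, so you can decide whether to add them or, as the article says, leave the commonly used ones alone.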

Honestly, the backup scans are just ridiculous. And the saddest thing is that there must be enough people leaving their backup files online for these sorts of scans to be worthwhile. Really scary if you think about it.

Use a Firewall

Also FYI, my 6G Firewall includes some built-in protection against many types of backup scans. Specifically, requests for any of the following file types are blocked cold:

.bak, .out, .sql, .tar, .rar

So if you’re running 6G and get hit with a malicious scan for backup/database files, you’re protected automatically against a huge number of wasteful requests. And if .htaccess isn’t possible, my firewall plugin is dead easy to customize, so you can block whichever of these file extensions make sense for your site.

About blocking the more commonly used file types, such as .php and .zip, well, that’s up to you. But one thing that is absolutely critical regardless of whether you’re blocking these sorts of specific requests or not: NEVER store your database/backup files in any public directory. Otherwise it’s game over folks.
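As a concrete check for the "never store backups in a public directory" rule, here is an added Python example (not the article's code and not part of any plugin) that walks a document root, flags files whose names end in the backup extensions listed above, and treats a directory as protected only when its own .htaccess, or a parent's, contains Deny from all (Apache 2.2) or Require all denied (Apache 2.4). The document root it audits is a constructed temporary tree, and the function names are this example's own.

```python
"""Added example: audit a web document root for backup or database files that a
browser could fetch. The document root below is a constructed temporary tree;
the only protection recognised is a deny-all .htaccess in the file's directory
or in a parent directory."""
import os
import re
import shutil
import tempfile

# Name endings the backup scans on the page ask for (.zip and .gz included
# because database dumps are so often compressed).
BACKUP_SUFFIXES = (".sql", ".gz", ".bak", ".old", ".rar", ".tar", ".tgz",
                   ".bz2", ".7z", ".zip", ".php~")

# Apache 2.2 ("Deny from all") and 2.4 ("Require all denied") spellings.
DENY_ALL = re.compile(r"^\s*(Deny from all|Require all denied)\s*$",
                      re.IGNORECASE | re.MULTILINE)


def directory_is_denied(dirpath):
    """True if this directory's own .htaccess refuses every web request."""
    try:
        with open(os.path.join(dirpath, ".htaccess"), encoding="utf-8",
                  errors="replace") as fh:
            return DENY_ALL.search(fh.read()) is not None
    except FileNotFoundError:
        return False


def looks_like_backup(filename):
    """Case-insensitive suffix check against the list above."""
    lower = filename.lower()
    return any(lower.endswith(suffix) for suffix in BACKUP_SUFFIXES)


def find_exposed_backups(docroot):
    """Return web paths of backup-like files not shielded by a deny-all .htaccess.

    Apache applies .htaccess directives to subdirectories too, so a denied
    directory is pruned from the walk together with everything beneath it.
    (A deeper .htaccess that re-grants access is not modelled here.)"""
    exposed = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        if directory_is_denied(dirpath):
            dirnames[:] = []          # do not descend; the subtree is protected
            continue
        for name in filenames:
            if looks_like_backup(name):
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                exposed.append("/" + rel.replace(os.sep, "/"))
    return sorted(exposed)


def build_sample_docroot():
    """Constructed layout: two leftovers in the web root, one zip under assets/,
    and a backups/ directory that is properly denied."""
    root = tempfile.mkdtemp(prefix="docroot-")
    layout = {
        "index.php": "<?php echo 'hello';",
        "backup.sql": "-- constructed dump",
        "wp-config.php~": "<?php // editor backup",
        "assets/site.zip": "constructed archive",
        "backups/.htaccess": "Deny from all\n",
        "backups/db-2016-05-07.sql.gz": "constructed compressed dump",
        "backups/old/site.tar": "constructed archive",
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def run_demo():
    """Build the sample tree, audit it, clean up, and return the findings."""
    root = build_sample_docroot()
    try:
        return find_exposed_backups(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path in run_demo():
        print("EXPOSED:", path)
```

Point find_exposed_backups at your real document root and anything it prints is something the scans described above would find on the first try; the denied backups/ directory in the sample is the setup from the comments below and, as expected, produces no findings.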

Jeff Starr
About the Author
Jeff Starr = Creative thinker. Passionate about free and open Web.

4 responses to “They’re Scanning for Your Backup Files”

  1. Adam Robertson 2016/05/07 12:20 pm

    I have also been moving my servers that do the backups behind an IPTABLES firewall so they are only ssh or vpn accessible.

    My front-end website servers are all going to be nothing but front-end website files, backed up nightly.

    Lock it down!!!

  2. Connie

    Well, I’m using UpdraftPlus for backups, and the directory that stores the backup files is using deny from all in .htaccess. Is this enough protection?

    Cheers, Connie

    • Jeff Starr 2016/05/08 9:26 am

      Yes, of course .htaccess-level protection is fine. As long as the backup files are not publicly accessible, it’s all good. Believe it or not, some people just leave their backup databases in a public directory, and that’s what the bad guys are targeting. I had to write this article to help educate those who are at risk. In any case, yes, definitely Deny from All is more than sufficient for protecting your files.
