
They’re Scanning for Your Backup Files

Just a reminder to keep your backup files offline. Do not store them in any publicly accessible space. It’s just not worth the risk, man. And if you’re working online, you should know this already. If not, then continue reading to learn why it’s absolutely mission-critical.

Game over

If someone finds a backup database file on your server, it’s game over. Any sensitive information stored in the database — like usernames, passwords, financial information, and so forth — can be harvested by thieves and used to make your life miserable. In short:

NEVER store your database/backup files in any public directory.
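As an added check, not part of the original post: a Python script that walks a document root, flags files whose names end in the backup extensions from the scan list in this article, and reports whether the file sits under an .htaccess that denies all access. The directory layout in the self-test is constructed for illustration.

```python
import os
import re
from pathlib import Path

# Extensions from the article's scan list that almost always mean "backup" when found in a webroot.
BACKUP_EXTS = {".sql", ".gz", ".bak", ".zip", ".old", ".rar", ".tar", ".tgz", ".bz2", ".7z", ".php~"}

# Apache 2.2 ("Deny from all") and 2.4 ("Require all denied") directives that refuse all requests.
DENY_RE = re.compile(r"^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$", re.I | re.M)


def backup_ext(name):
    """Return the backup extension a file name ends with, or None.
    Longest suffixes are tried first so 'wp-config.php~' reports '.php~', not nothing."""
    lower = name.lower()
    for ext in sorted(BACKUP_EXTS, key=len, reverse=True):
        if lower.endswith(ext):
            return ext
    return None


def dir_is_denied(directory, docroot):
    """True if this directory or any ancestor up to docroot carries an .htaccess that denies all access."""
    current, root = Path(directory).resolve(), Path(docroot).resolve()
    while True:
        ht = current / ".htaccess"
        if ht.is_file() and DENY_RE.search(ht.read_text(errors="ignore")):
            return True
        if current == root or current.parent == current:   # reached docroot or filesystem root
            return False
        current = current.parent


def audit_docroot(docroot):
    """Return sorted (relative path, extension, protected) tuples for every backup-looking file.
    protected=False is the 'game over' case: the file is reachable by a plain HTTP request."""
    docroot = Path(docroot)
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for fname in files:
            ext = backup_ext(fname)
            if ext is None:
                continue
            path = Path(dirpath) / fname
            findings.append((str(path.relative_to(docroot)), ext, dir_is_denied(dirpath, docroot)))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for rel, ext, ok in audit_docroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{'protected' if ok else 'EXPOSED  '} {ext:6} {rel}")
```

Anything reported as EXPOSED should be moved out of the webroot entirely; the .htaccess check only tells you a directory-level deny is in place, which does nothing if the host ignores .htaccess files.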

For years I’ve been seeing endless requests for backup database files. The scammers and thieves must be starving to death because there seems to be an increase in the following types of malicious requests (note that these are all from the same server scan):

If that’s not desperation, I don’t know what is.

Save your resources

So the grease bags are scanning for a wide variety of backup files, including requests for just about every combination of commonly used file names and types. Harvesting the previous set of URI requests, we get the following list of extensions:

.com, .sql, .gz, .bak, .zip, .php, .php~, .old, .rar, .tar, .tgz, .bz2, .7z, .txt

Most sites make use of some of these types, such as .php, .zip, and .txt, but many others such as .bak, .com, and .old generally serve no purpose in the public realm. This suggests that you could save some bandwidth and resources by blocking some of these requests outright. For example, you could add the following slice of .htaccess:

RedirectMatch 403 \.(com|sql|bak|php~|old|rar|tar|tgz|bz2|7z)$

Of course, that’s just an example; you would want to further trim the list of file types based on the actual resources available at your site. But the example should give you an idea of how to throttle some of the waste associated with endless scans for backup files.
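To see what the RedirectMatch rule above actually catches, here is an added Python example (not from the original post) that applies the same extension pattern to Apache combined-format access log lines, counts backup-file probes per client, and flags any probe that was answered with a 200, which means a backup file was really served. The log lines are constructed for illustration; the scanner addresses are documentation ranges, not real IoCs.

```python
import re
from collections import Counter

# The extensions the RedirectMatch rule in the article blocks.
BLOCKED_EXTS = ("com", "sql", "bak", "php~", "old", "rar", "tar", "tgz", "bz2", "7z")
# Same pattern as the .htaccess rule; RedirectMatch tests the URL path only, not the query string.
BLOCK_RE = re.compile(r"\.(" + "|".join(re.escape(e) for e in BLOCKED_EXTS) + r")$")

# Apache combined log format: ip ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]   # drop the query string, as RedirectMatch does
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines):
    """Return (per-IP probe counter, list of (ip, path) probes that were served with status 200)."""
    probes, served = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not BLOCK_RE.search(rec["path"]):
            continue
        probes[rec["ip"]] += 1
        if rec["status"] == 200:
            served.append((rec["ip"], rec["path"]))
    return probes, served


# Constructed sample log lines mimicking one scanner's run (not taken from the article).
SAMPLE_LOG = """\
203.0.113.7 - - [07/May/2016:10:01:02 +0000] "GET /backup.sql HTTP/1.1" 403 212 "-" "Mozilla/5.0"
203.0.113.7 - - [07/May/2016:10:01:03 +0000] "GET /wp-config.php~ HTTP/1.1" 403 212 "-" "Mozilla/5.0"
203.0.113.7 - - [07/May/2016:10:01:04 +0000] "GET /db.sql.gz HTTP/1.1" 404 198 "-" "Mozilla/5.0"
203.0.113.7 - - [07/May/2016:10:01:05 +0000] "GET /site.tar HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
198.51.100.9 - - [07/May/2016:10:02:00 +0000] "GET /index.php?p=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [07/May/2016:10:02:01 +0000] "GET /wp-config.php.bak HTTP/1.1" 403 212 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    probes, served = analyze(SAMPLE_LOG.splitlines())
    for ip, n in probes.most_common():
        print(f"{ip:15} {n} backup-file probes")
    for ip, path in served:
        print(f"EXPOSED: {path} was served to {ip}")
```

Note that the sample request for /db.sql.gz is not counted at all: .gz is deliberately absent from the rule because many sites serve it legitimately, so a database dump named that way is only safe if it is not in the webroot in the first place.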

Honestly, the backup scans are just ridiculous. And the saddest thing is that there must be enough people leaving their backup files online for these sorts of scans to be worthwhile. Really scary if you think about it.

Use a Firewall

Also FYI, my 6G Firewall includes some built-in protection against many types of backup scans. Specifically, requests for any of the following file types are blocked cold:

.bak, .out, .sql, .tar, .rar

So if you’re running 6G and get hit with a malicious scan for backup/database files, you’re protected automatically against a huge number of wasteful requests. And if .htaccess isn’t possible, my firewall plugin is dead easy to customize, so you can block whichever of these file extensions make sense for your site.

About blocking the more commonly used file types, such as .php and .zip, well, that’s up to you. But one thing is absolutely critical regardless of whether you’re blocking these sorts of specific requests or not: NEVER store your database/backup files in any public directory. Otherwise it’s game over, folks.

Jeff Starr
About the Author
Jeff Starr = Designer. Developer. Producer. Writer. Editor. Etc.

4 responses to “They’re Scanning for Your Backup Files”

  1. Adam Robertson 2016/05/07 12:20 pm

    I have also been moving my servers that do the backups behind an IPTABLES firewall so they are only ssh or vpn accessible.

    My front-end website servers are all going to be nothing but front-end website files, backed up nightly.

    Lock it down!!!

  2. Well, I’m using UpdraftPlus for backups and the directory to store the backup files is using deny from all in .htaccess. Is this enough protection?

    Cheers, Connie

    • Jeff Starr 2016/05/08 9:26 am

      Yes, of course .htaccess-level protection is fine. As long as the backup files are not publicly accessible, it’s all good. Believe it or not, some people just leave their backup databases in a public directory, and that’s what the bad guys are targeting. I had to write this article to help educate those who are at risk. In any case, yes, definitely Deny from All is more than sufficient for protecting your files.
