Your S3 WordPress Backups are Unsafe

Most of the popular free and paid WordPress backup plugins, such as BackupBuddy or UpdraftPlus, can store the backups on a cloud service like Amazon S3. Offsite storage of the backup is a critical requirement for any good backup solution. If you are not using offsite backups, do so right away – sign up for our 7 day trial now.

The way these plugins implement this important feature, however, creates a security hole in your system. Your backups may not be as safe as you think.

Leaving the key in the open

Consider a scenario where you have valuables that you would like to protect. You rent a bank locker to store them safely. Ideally you would keep the key to this locker in a safe place. Instead, imagine that you keep the key at home, and on top of that you put a nice, big label on it saying what it opens.

That is obviously not a smart thing to do. Whoever breaks into your home will not only get the stuff in your home, but also the key to the locker. The locker no longer protects you.

Hackers can steal your Amazon S3 key

The same problem exists with the free and paid backup plugins. They upload your data to your S3 account, but the S3 access key (and its secret) used to copy the backups is stored on your site itself, typically in the WordPress database alongside the plugin's other settings.

WordPress sites are frequently targeted by hackers. If your site is hacked, the attacker can read the key straight out of the site and gets exactly the S3 access the plugin had. The attacker can not only ruin your site, but also destroy your backups.
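Here is a quick way to check whether your own site carries such a key. This is an added example, not part of the original post and not code from any backup plugin: a small Python script that scans a database dump (for example the output of mysqldump) or wp-config.php for AWS access key IDs, which always begin with AKIA (ASIA for temporary credentials), and for a 40 character secret on any line that mentions "secret". The sample rows, option names and wp-config constants below are constructed for the example, and the key pair is the one AWS uses in its own documentation.

```python
"""Find AWS credentials a backup plugin may have stored on a WordPress site.

Added example, not code from blogVault or from any backup plugin.  It scans a
database dump (e.g. mysqldump output) or wp-config.php for long-lived AWS
access key IDs, which start with "AKIA" (temporary STS keys start with "ASIA"),
and for a 40-character secret on any line that mentions "secret".  If it finds
one, anybody who can read the database or the filesystem, which a hacker who
has compromised the site can, has the same S3 access as the plugin.
"""
import re

ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A secret access key is 40 base64-like characters.  That pattern alone is too
# generic, so it is only reported on lines that also contain the word "secret"
# (plugin option names, serialized PHP keys and wp-config constants all do).
SECRET_CANDIDATE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
SECRET_HINT = re.compile(r"secret", re.IGNORECASE)

# Constructed sample: three wp_options rows as mysqldump writes them.  The option
# name is hypothetical, and the key pair is the one AWS uses in its documentation.
SAMPLE_DUMP = """\
INSERT INTO `wp_options` VALUES (142,'siteurl','https://example.com','yes');
INSERT INTO `wp_options` VALUES (2231,'example_backup_s3_settings','a:3:{s:9:\\"accesskey\\";s:20:\\"AKIAIOSFODNN7EXAMPLE\\";s:9:\\"secretkey\\";s:40:\\"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\\";s:6:\\"bucket\\";s:15:\\"example-backups\\";}','yes');
INSERT INTO `wp_options` VALUES (2232,'blogname','Example Site','yes');
"""

# Constructed sample: a wp-config.php fragment with hypothetical constant names.
SAMPLE_WP_CONFIG = """\
<?php
define('EXAMPLE_BACKUP_AWS_KEY', 'AKIAIOSFODNN7EXAMPLE');
define('EXAMPLE_BACKUP_AWS_SECRET', 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY');
define('DB_NAME', 'wordpress');
"""


def scan_text(text):
    """Return (line_number, kind, value) for every credential-looking token."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((n, "access_key_id", m.group(0)))
        if SECRET_HINT.search(line):
            for m in SECRET_CANDIDATE.finditer(line):
                findings.append((n, "secret_access_key", m.group(0)))
    return findings


def redact(value):
    """Keep enough of a value to recognise it in a report without reprinting it."""
    return value[:4] + "..." + value[-4:]


def scan_file(path):
    """Scan one file on disk (a dump, wp-config.php, or any export)."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return scan_text(f.read())


if __name__ == "__main__":
    import sys
    # With file paths on the command line the real files are scanned;
    # without any, the constructed samples above are used.
    sources = [(p, scan_file(p)) for p in sys.argv[1:]] or [
        ("sample wp_options dump", scan_text(SAMPLE_DUMP)),
        ("sample wp-config.php", scan_text(SAMPLE_WP_CONFIG)),
    ]
    for name, findings in sources:
        for n, kind, value in findings:
            print(f"{name}: line {n}: {kind} {redact(value)}")
```

Run it against a fresh dump of your database and your wp-config.php. A hit means the key is already readable by anyone who gets into the site; if you have ever had a compromise, treat that key as stolen and rotate it in the AWS console rather than just removing it from the plugin.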

Robbing the whole neighborhood


This problem is worse in the following situation. Imagine that everyone in your neighborhood has a master key which opens every home in the neighborhood. You might trust your neighbors and have no problem with such an arrangement: if you are away on holiday, you can ask any of them to check that the gas is turned off at your home. There are other benefits too. The downside, however, is just as obvious: if even one of the master keys is lost, the entire neighborhood is exposed.

One key to rule them all

The above is exactly what happens when you use the same S3 or Dropbox account to back up multiple sites. This is very common among designers and people who run many websites: to back up multiple sites it is economical to buy a developer licence of one of the backup plugins, and the big mistake is then to use the same S3 account, and the same key, for all of them. If even one of the sites is hacked, the attacker holds the key to every site's backups, and all the other sites are compromised too.

Solution – Separate the backup from the original data

We recommend evaluating these plugins very carefully. A good WordPress backup service will completely separate the backups from the original data: losing the actual site should in no way compromise the backups. We at blogVault follow this practice and keep the backup completely separate from the site.

We keep copies of the data on two of our servers, and back all of it up again to our own S3 account. Finally, our servers are kept completely independent of the actual sites. Even if a site is hacked, there is no way for the hacker to reach our servers or the backups.

Try out blogVault – sign up for our 7 day trial now.

Takeaways

  • Offsite storage is critical to any backup solution

  • Backup plugins store the S3 key in the WordPress site itself

  • The S3 key needs to be kept safely. If the site gets hacked the key will be stolen.

  • Use a complete WordPress backup service which separates backups from the original site.

EDIT: David from UpdraftPlus has pointed out that there are advanced settings in S3 which can reduce the risk associated with the S3 key being exposed. While these measures do alleviate the problem somewhat, and we do recommend them, they come at a cost. They make the user experience dramatically poorer. They can also be exploited by hackers to make it much more difficult to restore the site, and a hacker can even use the stolen key to drive up your S3 storage charges. We hence continue to advise against storing your S3 key in your backup plugins.
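What the S3 side settings referred to above can and cannot do is easier to see with a concrete policy. The following is an added example, not blogVault's or UpdraftPlus's code and not the contents of the UpdraftPlus FAQ: a per-site IAM policy for the key a backup plugin stores, plus a small evaluator that implements the core IAM rule (an explicit Deny wins, otherwise a matching Allow permits, otherwise the request is denied) so the effect of a stolen key can be checked without an AWS account. The bucket and site names are assumptions. It also covers the point made under "One key to rule them all": each site gets its own IAM user and its own prefix, so one stolen key cannot reach another site's backups.

```python
"""Per-site, write-only S3 policy for the key a backup plugin stores on a site,
with a small evaluator showing what a stolen copy of that key can do.

Added example (not blogVault's or UpdraftPlus's code).  Bucket and site names
are assumptions.  The evaluator covers only the core IAM rule for a single
identity policy: explicit Deny wins, otherwise any matching Allow permits,
otherwise the request is denied.  "*" is the only wildcard.  It is not a full
IAM simulator (no conditions, no bucket policies).
"""
import fnmatch
import json

BUCKET = "example-backups"  # assumed bucket name, with S3 versioning enabled


def site_policy(bucket, site):
    """Policy for the IAM user whose key lives on one site.

    It may only add objects under its own prefix.  With versioning on, an
    upload over an existing object creates a new version rather than replacing
    it, and the Deny statement stops the key from deleting objects or versions,
    suspending versioning, or adding a lifecycle rule that would expire old
    versions.  Reading backups is not granted at all: restores should use a
    separate key that is never stored on the site.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "WriteOwnPrefixOnly",
                "Effect": "Allow",
                "Action": ["s3:PutObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/{site}/*"],
            },
            {
                "Sid": "NeverDeleteOrWeakenRetention",
                "Effect": "Deny",
                "Action": [
                    "s3:DeleteObject",
                    "s3:DeleteObjectVersion",
                    "s3:PutBucketVersioning",
                    "s3:PutLifecycleConfiguration",
                ],
                "Resource": "*",
            },
        ],
    }


def policy_json(bucket, site):
    """The policy as the JSON document to attach to that site's IAM user."""
    return json.dumps(site_policy(bucket, site), indent=2)


def _matches(patterns, value):
    """IAM-style match with "*" as the wildcard; accepts a string or a list."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Evaluate one request against one identity policy (explicit Deny wins)."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        # IAM action names are matched case-insensitively; resources are not.
        if _matches([a.lower() for a in actions], action.lower()) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny cannot be overridden by any Allow
            allowed = True
    return allowed


def stolen_key_outcomes(bucket, site):
    """What an attacker holding one site's key can do with it."""
    policy = site_policy(bucket, site)
    own = f"arn:aws:s3:::{bucket}/{site}/backup-2024-01-01.zip"
    other = f"arn:aws:s3:::{bucket}/another-site/backup-2024-01-01.zip"
    return {
        # the residual risk the postscript above describes: uploads still work
        "upload junk under own prefix": is_allowed(policy, "s3:PutObject", own),
        "delete own backup": is_allowed(policy, "s3:DeleteObject", own),
        "delete a version of own backup": is_allowed(policy, "s3:DeleteObjectVersion", own),
        "download own backup": is_allowed(policy, "s3:GetObject", own),
        "upload into another site's prefix": is_allowed(policy, "s3:PutObject", other),
        "download another site's backup": is_allowed(policy, "s3:GetObject", other),
        "switch versioning off": is_allowed(policy, "s3:PutBucketVersioning", f"arn:aws:s3:::{bucket}"),
    }


if __name__ == "__main__":
    print(policy_json(BUCKET, "site1"))
    for what, ok in stolen_key_outcomes(BUCKET, "site1").items():
        print(f"{'ALLOWED' if ok else 'denied':8} {what}")
```

The one outcome that stays allowed is the point of the postscript: a key scoped like this can no longer delete or read anything, but it can still upload, so a hacker who takes it can fill the prefix with junk versions that cost money and make the genuine backup harder to pick out. That is why the policy must be issued per site, why restores should use a different key that never touches the site, and why we still prefer keeping the backup credentials off the site altogether.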

  • http://david.dw-perspective.org.uk/ David Anderson

    Hi,

    This is FUD. The UpdraftPlus website explains how to set up S3 and your access keys so that a website hacker cannot delete your existing backups. It is here; http://updraftplus.com/faqs/what-settings-should-i-use-for-amazon-s3-and-how-should-i-configure-my-amazon-s3-account/

    The same information applies to every other backup plugin.

    I would be grateful if you would retract the false claim about UpdraftPlus, and not make claims about UpdraftPlus in your marketing.

    Many thanks,
    David

    • editorbv

      Thanks for your comment. We have added a postscript with your comment. The suggestions made by you do improve the security, but they still pose challenges. The hacker can make it extremely difficult to recover the site even if versioning is enabled on the S3 bucket. Hundreds of versions of the backup file can be inserted making it very difficult to identify the right backup. The hackers can store gigabytes of files to the bucket pushing up the cost of your S3 account. There are many such pitfalls.

      • http://david.dw-perspective.org.uk/ David Anderson

        Hi,

        I appreciate and am impressed by your honesty and transparency in posting my comment.

        My point is that weighing up security risks needs a total assessment of all the pros and cons. With UpdraftPlus and other plugins, I can send my backups to multiple destinations (not S3 only). The worst a hacker can do is add bogus data to my S3 account and add extra backups to confuse me. An attacker who is doing that must have a lot of time and motivation available. With that much time and motivation, he could also decide to launch attacks against your servers, presumably, and take them off the Internet. Is that risk bigger or smaller? That’s a judgment call, not a clear right/wrong situation.

        The risks of having my own S3 account are risks I can control and know about. It is more difficult to control and know about the security of another company’s servers (since not many companies are as big as Amazon!), or what practices they are using to store data in S3 (one key or many?), or whether they will close their business the week before I need my backup. Your model of having backups for 30 days is also a risk – what if someone doesn’t realise that their site has been secretly hacked until after 31 days? You seem very professional and competent, and so I am sure you have thought about these questions. My point is not to say that there are no risks here or there. My point is that there are always risks. I am glad that you added the note to make clear that the situation was not as simple as one solution being perfect and the other being wrong!

        Best wishes,
        David

        • editorbv

          Thank you. We love a good meaningful conversation, and the points you had raised were valid.

          I again agree that there are no absolutes here. There are pros and cons to any decision. We strongly believe that the backup should be completely independent of the actual site. We are addressing this concern in this article.

          We do take the security of our service very seriously, but I can completely understand the concerns you have mentioned. The onus is on us to make sure that these issues are dealt with in the best possible manner to reduce the impact on the customer.

          In the past 4 years we have seen hackers go to extreme lengths, and hence we do wish that the customer is prepared for the worst. Automated scripts however mean that the hacker need not specifically need to put in much effort once they get into a site to wreak havoc.

          Again, thanks for participating. All things said, we love the work you are doing. blogVault is not suitable for everyone, and I know that UpdraftPlus is respected by the community.