The popular WordPress plugin Duplicator has just announced a new vulnerability affecting out-of-date versions. The vulnerability allows anyone to access the URL of backup files without any authentication.
How does this affect your website?
This means that if you have recently made a backup of your website, a backup file is sitting on your server that malicious people can easily target, letting them download all of your website's source files and data.
How do I know if someone downloaded a backup file and if so what do I do?
There is no way for you to know whether anybody has already downloaded an available backup file. Since you can't know for sure, we recommend a complete reset of all of the following passwords:
- Database user password
- FTP/SFTP password
- Server root password
- All WordPress administrator users' passwords
- All other WordPress users' passwords
- Any other relevant passwords used by your WordPress website and 3rd-party plugins that require you to authenticate by entering a password in the plugin.
How do I resolve this vulnerability?
According to the plugin author, the latest version (1.4.7) resolves the vulnerability. This means you simply need to update the plugin to the latest version in your WP admin dashboard.
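A quick way to confirm that the installed copy is at or above the fixed release, as an added example that is not part of the original post: the script parses the standard WordPress plugin file header and compares versions numerically, so a release such as 1.10.0 is not mistaken for older than 1.4.7. The plugin file path is an assumption you supply; the header embedded below is constructed for the demonstration.

```python
import re
import sys
from typing import Optional, Tuple

# Version the plugin author states resolves the unauthenticated backup access.
FIXED_VERSION = "1.4.7"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.4.7' into (1, 4, 7) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in v.strip().split("."))


def plugin_version(header_text: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin header comment."""
    match = re.search(
        r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", header_text, re.MULTILINE
    )
    return match.group(1) if match else None


def needs_update(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fixed one."""
    return parse_version(installed) < parse_version(fixed)


def check_plugin_file(path: str) -> Tuple[Optional[str], bool]:
    """Read a plugin's main PHP file and report (version, needs_update)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        # The header lives in the first few kilobytes; no need to read it all.
        version = plugin_version(fh.read(8192))
    return version, (version is None) or needs_update(version)


# Constructed sample header, not copied from the real plugin.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Duplicator
 * Version: 1.4.6
 */
"""

if __name__ == "__main__":
    # Assumed usage: python check_duplicator.py /path/to/wp-content/plugins/<plugin-main-file>.php
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target is None:
        version, outdated = plugin_version(SAMPLE_HEADER), needs_update(plugin_version(SAMPLE_HEADER))
    else:
        version, outdated = check_plugin_file(target)
    print(f"installed: {version}  fixed: {FIXED_VERSION}  update needed: {outdated}")
```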