托管服务器上的网站backup.zip文件对黑客或机器人安全吗？

Question

Many people Make their website backup.zip on their hosting server,

A zip file are place on same directory where Index.php exists.

So if i use this link my backup will download http://www.example.com/backup.zip

If I don't share my backup filename/link, is it safe from hackers or robots?

Is there any function that give my all files and directory name?

How to secure backup.zip file on hosting server?

I post this question here because I think Developers know best about Hacking / robots attack / get directory / get files from another server

Answer 1

There is many way to protect your files from the eyes of internet.

The simplest one is to have a index.html, index.html, or index.php file, into the directory who contain your backup.zip, but the file still can be acceded if someone guess his name and call it from his URL like this: www.example.com/backup.zip

To avoid this issue: most of the webservers provide a way to protect your file. If we assume you are under Apache2 you must create a rule into a .htaccess file (who is located into the same directory of your file) to prevent people from accessing your backup.zip.

eg:

<Files backup.zip>
    Order allow,deny
    Deny from all
</Files>

if you are not under Apache2, you could find the answer by checking the documentation of your HTTP server.

Answer 2

Your file is not safe as it is, as /backup.zip is the most obvious path that hackers can guess.

So to protect the zip file from unauthorised access, move it to the separate folder and create .htaccess with the following content:

Deny from all   
# Turn off all options we don't need.
Options None
Options +FollowSymLinks

To make this work, your Apache needs to use mod_rewrite with option AllowOverride All for that folder to allow the .htaccess file to be run (which usually it is configured by default).