Securing the JetBackup for WordPress Data Folder When Using Nginx

Overview

JetBackup for WordPress stores backup-related data in a folder under your WordPress uploads directory. This folder typically has a randomized suffix (e.g. jetbackup-d91d3a495dad) and may include an .htaccess file so that on Apache the directory is not publicly accessible. Confirm your actual data path in WordPress → JetBackup → Settings (Alternate Data Directory) or in the plugin dashboard.

When your site is served by nginx, .htaccess rules are not processed. You must block access to the JetBackup data folder at the nginx level so that backup data is never exposed to the public.

Why This Matters

  • The data folder can contain metadata and paths related to your backups. It should never be reachable via the web.
  • A URL like: https://yoursite.com/wp-content/uploads/jetbackup-XXXXXXXX/ should return 403 Forbidden, not directory listing or file access.
  • Apache uses .htaccess; nginx does not. If you use nginx (or a reverse proxy in front of Apache), you need an explicit nginx rule.

Recommended Rule

Block access server-wide to any path matching:

wp-content/uploads/jetbackup-*/

This covers all current and future JetBackup data folders that use this pattern (the suffix is random per installation). If you use an alternate data directory outside this path, add a corresponding nginx rule for that path.

How to Block the Data Folder in Nginx

Option 1: Inside Your WordPress Server Block

Add a location block before your main WordPress handling (e.g. before location / or location ~ \.php$):

# Block JetBackup for WordPress data folder (nginx does not use .htaccess)
location ~* ^/wp-content/uploads/jetbackup-[^/]+/ {
    deny all;
    return 403;
}

Option 2: In a Dedicated Config Snippet

If you use include files (e.g. conf.d or snippet includes), add the same block in a file such as jetbackup-wp-secure.conf and include it in the server block that serves your WordPress site:

# Include in your server {} block, e.g.:
# include /etc/nginx/conf.d/jetbackup-wp-secure.conf;

location ~* ^/wp-content/uploads/jetbackup-[^/]+/ {
    deny all;
    return 403;
}

Reload Nginx

After editing the configuration:

# Test configuration
sudo nginx -t

# If the test passes, reload nginx
sudo systemctl reload nginx

(Adjust for your OS: service nginx reload, or your panel's "Reload Nginx" option.)

Verify It Works

  1. Note your JetBackup data path from the plugin (e.g. WordPress → JetBackup → Settings or the path shown in the dashboard). It will look like: wp-content/uploads/jetbackup-XXXXXXXX/
  2. Open a browser or use curl and visit: https://yoursite.com/wp-content/uploads/jetbackup-XXXXXXXX/
  3. You should see 403 Forbidden. If you see a directory listing or any file content, the rule is not in effect for that server or vhost.

For further help, see JetBackup Documentation or contact JetBackup Support.

  • 0 Bu dökümanı faydalı bulan kullanıcılar:
Bu cevap yeterince yardımcı oldu mu?

İlgili diğer dökümanlar

Where do I download JetBackup for Wordpress?

Here is the way to download your purchased JetBackup for WordPress zip file from the JetApps...

Using cPanel cron to ensure scheduled backups run on a staging site

JetBackup for WordPress utilizes WordPress' WP-cron feature to execute schedule backups. However,...

Issues logging into Backup-Guard after upgrading to Wordpress v6.2

We have received reports of issues logging into the Backup-Guard legacy plugin after updating...

Scheduled Backup is not executing

We've received reports that the Scheduled Backup was not being executed. In some cases, the...

Restored Backup, but the website didn't change

If you encountered issues after successfully restoring a backup on JetBackup for WordPress, but...