Securing the JetBackup for WordPress Data Folder When Using Nginx

Overview

JetBackup for WordPress stores backup-related data in a folder under your WordPress uploads directory. This folder typically has a randomized suffix (e.g. jetbackup-d91d3a495dad) and may include an .htaccess file so that on Apache the directory is not publicly accessible. Confirm your actual data path in WordPress → JetBackup → Settings (Alternate Data Directory) or in the plugin dashboard.

When your site is served by nginx, .htaccess rules are not processed. You must block access to the JetBackup data folder at the nginx level so that backup data is never exposed to the public.


Why This Matters

  • The data folder can contain metadata and paths related to your backups. It should never be reachable via the web.
  • A URL like: https://yoursite.com/wp-content/uploads/jetbackup-XXXXXXXX/ should return 403 Forbidden, not a directory listing or file contents.
  • Apache uses .htaccess; nginx does not. If you use nginx (or a reverse proxy in front of Apache), you need an explicit nginx rule.

Recommended Rule

Block access server-wide to any path matching:

wp-content/uploads/jetbackup-*/

This covers all current and future JetBackup data folders that use this pattern (the suffix is random per installation). If you use an alternate data directory outside this path, add a corresponding nginx rule for that path.


How to Block the Data Folder in Nginx

Option 1: Inside Your WordPress Server Block

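Add a location block before your main WordPress handling (e.g. before location / or location ~ \.php$). nginx uses the first regex location that matches, in the order they appear in the configuration, so this block must come before location ~ \.php$ or PHP files inside the data folder would still be passed to the PHP handler: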

# Block JetBackup for WordPress data folder (nginx does not use .htaccess)
location ~* ^/wp-content/uploads/jetbackup-[^/]+/ {
    deny all;
    return 403;
}

Option 2: In a Dedicated Config Snippet

If you use include files (e.g. conf.d or snippet includes), add the same block in a file such as jetbackup-wp-secure.conf and include it in the server block that serves your WordPress site:

# Include in your server {} block, e.g.:
# include /etc/nginx/conf.d/jetbackup-wp-secure.conf;

location ~* ^/wp-content/uploads/jetbackup-[^/]+/ {
    deny all;
    return 403;
}

Reload Nginx

After editing the configuration:

# Test configuration
sudo nginx -t

# If the test passes, reload nginx
sudo systemctl reload nginx

(Adjust for your OS: service nginx reload, or your panel's "Reload Nginx" option.)


Verify It Works

  1. Note your JetBackup data path from the plugin (e.g. WordPress → JetBackup → Settings or the path shown in the dashboard). It will look like: wp-content/uploads/jetbackup-XXXXXXXX/
  2. Open a browser or use curl and visit: https://yoursite.com/wp-content/uploads/jetbackup-XXXXXXXX/
  3. You should see 403 Forbidden. If you see a directory listing or any file content, the rule is not in effect for that server or vhost.
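
The following script is an added example, not part of the JetBackup documentation or plugin code. It applies the same regular expression as the location rule above to constructed request paths to show which ones the rule covers, and includes a curl helper for step 2. The function names and sample file names are assumptions, and paths are assumed to be already normalized the way nginx sees them.

```shell
#!/bin/sh
# Added example: which request paths does the nginx location regex cover?
# Regex copied from the rule in this article; "~*" is case-insensitive, hence grep -i.
RULE_REGEX='^/wp-content/uploads/jetbackup-[^/]+/'

# Return 0 if the URI path matches the location regex, 1 otherwise.
rule_matches() {
    printf '%s\n' "$1" | grep -Eiq -- "$RULE_REGEX"
}

# Print "BLOCKED <path>" or "NOT-COVERED <path>" for each argument.
classify_paths() {
    for p in "$@"; do
        if rule_matches "$p"; then
            printf 'BLOCKED %s\n' "$p"
        else
            printf 'NOT-COVERED %s\n' "$p"
        fi
    done
}

# Live check for step 2: print the HTTP status code for a URL (needs curl and network).
# Usage: http_status "https://yoursite.com/wp-content/uploads/jetbackup-XXXXXXXX/"
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# Constructed sample paths. The folder suffix is the example from this article;
# the file names under it are hypothetical.
classify_paths \
    "/wp-content/uploads/jetbackup-d91d3a495dad/" \
    "/wp-content/uploads/jetbackup-d91d3a495dad/backups/site.tar.gz" \
    "/WP-Content/Uploads/JetBackup-d91d3a495dad/index.php" \
    "/wp-content/uploads/jetbackup-d91d3a495dad" \
    "/blog/wp-content/uploads/jetbackup-d91d3a495dad/" \
    "/wp-content/uploads/2024/05/photo.jpg"
```

The last three paths print NOT-COVERED: the folder name without a trailing slash, a WordPress install under a subdirectory such as /blog/, and ordinary uploads. If your site lives in a subdirectory or uses an alternate data directory, adjust the location pattern and re-run the check against your real path.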

For further help, see JetBackup Documentation or contact JetBackup Support.
