Introduction

A backup archive left in the public web root can expose far more than a normal page. Database dumps, configuration files, uploads, and application source code may all be downloadable if the archive is reachable over HTTP. The fix is to remove public access immediately and then assume anything inside the backup may have been exposed until proven otherwise.

Symptoms

  • A .zip, .tar, .sql, or similar backup file is accessible from a public URL
  • Security scans or search results reveal downloadable backup archives on the site
  • The archive contains application code, credentials, database exports, or user files
  • The file was created during migration, troubleshooting, or backup testing and never removed
  • You cannot confirm whether unknown users downloaded the archive already

Common Causes

  • Manual backups were written into the web root for convenience
  • A backup plugin stored archives in a publicly accessible directory
  • Deployment or migration scripts exported files into the document root temporarily
  • Directory indexing, predictable filenames, or a robots.txt entry made the archive easy to discover
  • Cleanup processes focused on current app files and missed leftover backups

Step-by-Step Fix

  1. Remove public access to the archive immediately by deleting it from the web root or blocking the URL path at the server layer.
  2. Identify what the archive contains so you can assess whether credentials, database contents, or private files were exposed.
  3. Review access logs and surrounding traffic patterns for evidence that the file was requested or downloaded.
  4. Rotate any credentials, tokens, or secrets stored in the archive if exposure cannot be ruled out confidently.
  5. Treat database dumps and user data as potentially disclosed and follow your incident response and notification requirements where applicable.
  6. Search the server for additional backup artifacts in public directories, not just the one file you found first.
  7. Move future backups to storage locations outside the document root with proper access controls.
  8. Re-scan the site to confirm no backup archives remain reachable from the public web.
  9. Update backup and migration workflows so temporary archives cannot be left behind in a live serving path.
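
As an added example (not part of the original page), the following POSIX shell script covers steps 3 and 6 together: it sweeps a document root for files with backup-style names and counts, for each one, the requests in a combined-format access log that actually returned content. The directory layout, file names and log lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: sweep a document root for
# leftover backup artifacts (step 6) and check an access log for successful
# downloads of each one (step 3). Directory layout and log lines are constructed.

# Print every file under "$1" whose name looks like a backup archive or dump.
find_backup_artifacts() {
  find "$1" -type f \( -name '*.zip' -o -name '*.tar' -o -name '*.tar.gz' \
    -o -name '*.tgz' -o -name '*.sql' -o -name '*.sql.gz' -o -name '*.bak' \
    -o -name '*.old' \) | sort
}

# Count GET requests for URL path "$2" in combined-format log "$1" that
# returned 200 or 206: only those handed out (part of) the file. A HEAD
# probe or a 403/404 shows the path was tried but nothing was transferred.
count_downloads() {
  grep -F "\"GET $2 " "$1" | awk '$9 == 200 || $9 == 206' | wc -l | tr -d ' '
}

# Build a throwaway web root and access log so the script runs offline.
setup_demo() {
  DEMO_ROOT=$(mktemp -d)
  mkdir -p "$DEMO_ROOT/htdocs/assets" "$DEMO_ROOT/logs"
  : > "$DEMO_ROOT/htdocs/index.html"
  : > "$DEMO_ROOT/htdocs/site-backup.zip"
  : > "$DEMO_ROOT/htdocs/assets/dump.sql"
  cat > "$DEMO_ROOT/logs/access.log" <<'EOF'
203.0.113.5 - - [10/Mar/2024:10:12:01 +0000] "GET /site-backup.zip HTTP/1.1" 200 5120000 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2024:10:13:22 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:11:01:45 +0000] "GET /site-backup.zip HTTP/1.1" 403 196 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2024:11:02:10 +0000] "HEAD /assets/dump.sql HTTP/1.1" 200 0 "-" "python-requests/2.31"
EOF
}

cleanup_demo() { rm -rf "$DEMO_ROOT"; }

# Stand-alone run: list each artifact and how often it was actually served.
setup_demo
for f in $(find_backup_artifacts "$DEMO_ROOT/htdocs"); do
  url_path=${f#"$DEMO_ROOT/htdocs"}
  echo "$url_path served $(count_downloads "$DEMO_ROOT/logs/access.log" "$url_path") time(s)"
done
cleanup_demo
```

A real sweep should also treat the 403 and HEAD lines as evidence the path was discovered, which feeds the rotation decision in step 4 even when no full download is logged.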