Skip to main content

Storage Permissions

Backups usually contain secrets (database dumps, wp-config.php, cookies, logs). If an attacker can read your backup directory, they can often take over the site. Permissions and placement are part of backup design.

Quick Summary
  • Never store backups inside the webroot.
  • Restrict backup directories to root or a dedicated backup user.
  • Use umask 077 so new artifacts are not world-readable.
  • Verify permissions end-to-end (including parent directories).

Where backups should live

Prefer paths like:

  • /backups
  • /srv/backups

Avoid:

  • /var/www/html (webroot)
  • wp-content/uploads (often public)

Set safe directory permissions

lock-down-backup-directory.sh
sudo mkdir -p /backups
sudo chown root:root /backups
sudo chmod 700 /backups

If you use a dedicated backup user:

create-backup-user-and-directory.sh
sudo useradd --system --create-home --shell /usr/sbin/nologin backup || true

sudo mkdir -p /backups
sudo chown backup:backup /backups
sudo chmod 700 /backups

Ensure new files are private

In backup scripts, set:

set-private-umask.sh
umask 077

This prevents accidental 0644 artifacts.

Verify permissions (including parent paths)

Use namei to see permissions on each component:

verify-permissions-with-namei.sh
namei -l /backups
namei -l /backups/wp-db-2026-03-01.sql.zst

Protect remote storage credentials

Remote tools like rclone and SSH keys are also secrets.

  • Restrict ~/.config/rclone/rclone.conf.
  • Restrict backup SSH keys under ~/.ssh/.
restrict-rclone-and-ssh-secrets.sh
chmod 700 ~/.config ~/.ssh
chmod 600 ~/.config/rclone/rclone.conf ~/.ssh/wp-backup ~/.ssh/wp-backup.pub
warning

Do not include cloud credentials inside the same backup artifacts you upload offsite. A stolen encrypted backup is bad; a stolen backup plus the credentials to your remote storage is worse.

Next steps

  • Excluding sensitive files: opt/docker-data/apps/docusaurus/site/docs/server/linux-server/10-backup-disaster-recovery/excluding-folders.mdx.
  • Email logs and alerts: opt/docker-data/apps/docusaurus/site/docs/server/linux-server/10-backup-disaster-recovery/email-backup-logs.mdx.