WordPress LScache Plugin: .lscache_htaccess_bak.zip is not protected
Currently the plugin is saving its backup files in a zip file named .lscache_htaccess_bak.zip in the website's root directory, if there have been more than 10 consecutive changes to the plugin's configuration over time. The zip file is downloadable for everyone via browser and it's not even password-protected. So everyone can have a look at the htaccess configuration of the website. It may contain confidential configuration data, like paths, usernames etc. The standard htaccess is not readable via browser exactly for the security reasons mentioned before. Why isn't your zip file? Why don't you store it in an htaccess-protected folder? Or add the following lines in the htaccess code added by your plugin

Order allow,deny
Deny from all

so that not everybody can download it?

Best regards,
Karsten

Thanks for your advice. We will improve the name to .htaccess_lscache_bak.zip due to the protection provided by LSWS to all files starting with .hta.

Thank you very much!

Hi, this is done in https://github.com/litespeedtech/lscache_wp/commit/d306acdf6aa64edc953dcb94a2f8975d8bb5350f and will be in v3.0. Since then, the .htaccess backup will have only one .htaccess.bk which is the original file before LSCWP operates. Thanks for your suggestion again.
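An added example, not part of the thread or the plugin's code: a local audit of a web root for backup files that fall outside the ".hta" name protection mentioned in the reply. The suffix list, the function names and the archive member name `.htaccess_1` are assumptions made for illustration, and the sample web root is constructed.

```python
import os
import tempfile
import zipfile

# Assumption taken from the maintainers' reply: the server refuses to serve
# any file whose name starts with ".hta". Adjust to your server's real rules.
PROTECTED_PREFIX = ".hta"
# Hypothetical list of suffixes that usually mark a backup or archive file.
BACKUP_SUFFIXES = (".zip", ".bak", ".bk", ".old", ".orig", ".tar", ".gz")


def find_exposed_backups(docroot):
    """Return sorted (name, htaccess_members) for servable backups in docroot.

    A file is reported when it looks like a backup and its name is not
    covered by the ".hta" prefix rule. For zip archives, the member names
    containing "htaccess" are listed so the finding can be triaged.
    """
    findings = []
    for entry in os.scandir(docroot):
        if not entry.is_file(follow_symlinks=False):
            continue
        name = entry.name
        if not name.lower().endswith(BACKUP_SUFFIXES):
            continue
        if name.startswith(PROTECTED_PREFIX):
            continue  # covered by the server's built-in deny rule
        members = []
        if zipfile.is_zipfile(entry.path):
            with zipfile.ZipFile(entry.path) as zf:
                members = [m for m in zf.namelist() if "htaccess" in m.lower()]
        findings.append((name, members))
    return sorted(findings)


def demo():
    """Build a constructed web root with old and new backup names, then audit it."""
    with tempfile.TemporaryDirectory() as root:
        for zip_name in (".lscache_htaccess_bak.zip", ".htaccess_lscache_bak.zip"):
            with zipfile.ZipFile(os.path.join(root, zip_name), "w") as zf:
                zf.writestr(".htaccess_1", "# constructed sample content\n")
        for plain in (".htaccess", ".htaccess.bk", "index.php"):
            with open(os.path.join(root, plain), "w") as fh:
                fh.write("# constructed sample content\n")
        return find_exposed_backups(root)


if __name__ == "__main__":
    for name, members in demo():
        print(f"servable backup: {name} (htaccess copies inside: {members})")
```

Only the old file name is reported; the renamed archive and `.htaccess.bk` are skipped because they start with ".hta".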