Disable FTP Delete for Backup Security

Updated on March 16, 2021

Introduction

Backing up a web server with FTP is a popular choice. However, it is hazardous to give the web server delete access to the backup location, because anyone who gains control of the web server could delete the backups. This guide demonstrates how to configure vsftpd, a popular FTP server, to deny delete access. The web server and the FTP server are physically separate, in different datacenter locations. This guide uses WordPress and UpdraftPlus, a popular backup plugin, but you can substitute any server and backup method that uploads files over FTP. The FTP server configuration is the important part of this example.

Prerequisites

  • Install a One-Click WordPress app.
  • Install the UpdraftPlus backup plugin in WordPress.
  • Install a Vultr Ubuntu 20.04 LTS server, preferably in a different location than WordPress, as the FTP backup server.

Install vsftpd

  1. SSH to the FTP server as root.

  2. Install vsftpd.

     # apt install vsftpd
  3. Create a user for FTP backups. Choose a strong password.

     # adduser ftp-user
  4. Edit the vsftpd configuration.

     # nano /etc/vsftpd.conf
  5. Uncomment the following lines to allow ftp-user to log in and create files.

     local_enable=YES
     write_enable=YES
  6. Add the following line to deny file deletes.

     cmds_denied=DELE
  7. Restart the vsftpd service.

     # systemctl restart vsftpd

This completes the FTP server setup. The ftp-user account uploads files to /home/ftp-user.

Configure UpdraftPlus Backups

  1. Navigate to the UpdraftPlus setup screen on your web server.

     https://www.example.com/wp-admin/options-general.php?page=updraftplus
  2. Click the Settings tab.

  3. In the Choose your Remote Storage section, click the FTP icon.

  4. In the FTP configuration section, enter the server, login, password, and remote path. For example:

    • FTP server: example.com
    • FTP login: ftp-user
    • FTP password: YourStrongPassword
    • Remote path: /home/ftp-user
  5. Click the Test FTP Settings button. Verify the test is successful.

  6. Click the Save button at the bottom of the page.

Test the Backup System

  1. Navigate to the UpdraftPlus backups page.

     https://example.com/wp-admin/options-general.php?page=updraftplus
  2. Click the Backup Now button.

  3. Choose your backup options from the popup and start the backup.

  4. SSH to the FTP server as root.

  5. Check the backup folder.

     # ls /home/ftp-user

    Verify the new backup exists. It usually consists of several files.

  6. On the UpdraftPlus backup page, click the Delete button next to the new backup.

  7. Select the option Also delete from remote storage in the popup confirmation.

    When finished, the web console shows that UpdraftPlus deleted the backup. However, if you check the FTP server, the files are still there, because the FTP server refused the delete command.

     # ls /home/ftp-user
  8. On the UpdraftPlus backup page, click the Rescan remote storage link. UpdraftPlus discovers the backup files still exist and adds them back to the list.

Conclusion

This configuration prevents an attacker who has compromised the website from deleting your backups. However, there is a trade-off between convenience and security. As a side effect, UpdraftPlus can no longer automatically expire old backups, because it relies on the FTP delete command. You may need to configure an expiration task on the FTP server itself.
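Two small helpers for the FTP host, added here as an example rather than taken from the guide or from vsftpd or UpdraftPlus: one verifies that /etc/vsftpd.conf (or any config file you pass it) actually contains the three settings from the vsftpd steps above, the other is the server-side expiration task the conclusion mentions, removing backup_* files older than a given number of days from /home/ftp-user. It assumes GNU find and grep as shipped on Ubuntu 20.04, and that UpdraftPlus uploads files whose names begin with backup_; the cron line and script path are illustrative.

```shell
#!/bin/sh
# Added example, not part of the original guide. Assumes GNU find/grep
# (Ubuntu 20.04) and the paths the guide uses (/etc/vsftpd.conf, /home/ftp-user).

# Return 0 if the vsftpd config file $1 contains the three settings the guide
# requires: local_enable=YES, write_enable=YES, and DELE inside cmds_denied.
# Lines commented out with '#' do not count, just as vsftpd ignores them.
vsftpd_conf_hardened() {
    conf="$1"
    [ -r "$conf" ] || return 1
    grep -Eq '^[[:space:]]*local_enable=YES[[:space:]]*$' "$conf" || return 1
    grep -Eq '^[[:space:]]*write_enable=YES[[:space:]]*$' "$conf" || return 1
    # cmds_denied is a comma-separated list; accept DELE anywhere in it.
    grep -Eq '^[[:space:]]*cmds_denied=([A-Z]+,)*DELE(,[A-Z]+)*[[:space:]]*$' "$conf" || return 1
    return 0
}

# Server-side replacement for the UpdraftPlus retention that the guide says
# is lost: delete files in directory $1 that are older than $2 days.
# Only top-level files named backup_* are touched, so unrelated uploads in
# the same directory survive. Prints each path it removes; returns non-zero
# if the directory does not exist.
expire_old_backups() {
    dir="$1"
    days="$2"
    [ -d "$dir" ] || return 1
    find "$dir" -maxdepth 1 -type f -name 'backup_*' -mtime +"$days" -print -delete
}

# Illustrative nightly cron entry for root on the FTP host (script path is an
# assumption): keep 30 days of backups in /home/ftp-user.
#   0 3 * * * /bin/sh -c '. /root/ftp-backup-tools.sh; expire_old_backups /home/ftp-user 30'
```

Run the expiry on the FTP host, not from the web server, so the retention policy stays out of reach of anyone who compromises WordPress.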