Remaining installer files

  • Resolved shereew

    (@shereewalker)


    7 years, 1 month ago

    Hi there.

    I have migrated numerous site using Duplicator which is a great plugin. However today I installed as usual, packaged it up and then migrated it. I went into the tools on the origin site, ran the ‘delete installation files’ and the ‘delete cache’ then removed the plugin which was set to then remove the entire installation file.

    To be doubly sure, I then logged into my FTP only to find all the files remained. After I realised this, I looked back at a couple of other sites I used it on to find the files remained in there too!

    Last year I was hacked after the installer PHP file was left on my site which was my fault a I did not know, but since then I have followed all the prompts only to find they are still there.

    I have manually deleted all the WP-snapshots folders, but now I don’t feel confident at all that the files are gone.

    I may be missing something, though if I am, it’s not made clear in the migration process.

    Can you shed any light on this?

    Thanks

Viewing 6 replies - 1 through 6 (of 6 total)
  • Cory Lamle

    (@corylamleorg)

    7 years, 1 month ago

    Hey @shereewalker,

    The site where you need to do the file deletion should be on the newly migrated site, and not the origin site. The origin site should not have installer files present unless you installed to the origin site at some point. I think that might be the issue unless I didn’t read your response correctly.

    Thanks

    Thread Starter shereew

    (@shereewalker)

    7 years, 1 month ago

    Hi Cory,

    Sorry I am confused. When creating a package on the origin site, it creates the archive.zip file and installer.php file which is stored there and which you then download from the site and upload to your new site – BUT, after you have downloaded it, they still reside on the origin site, I could in theory download the 2 files a week later – but I don’t want them on there – I assume having them hanging about on the origin site is just as dangerous as having them hanging about on the new site?

    In this case, the migration actually failed (nothing to do with the plugin) so I wanted to remove the package, plugin and files from the origin site which is what I am referring to.

    I guess it would also be the same if I was using the plugin for a backup only. Once I download the files to keep in a safe place, how do I ensure the files are gone.

    Unless I am mistaken and the files you initially generate are not as dangerous as the files that are left on the destination site?

    • This reply was modified 7 years, 1 month ago by shereew.
    Thread Starter shereew

    (@shereewalker)

    7 years, 1 month ago

    One other question – once the files have been downloaded from the origin site, can you just delete the package – I assume once they are downloaded and you have them uploaded to the destination site, you no longer need them on the old site to perform the migration.

    • This reply was modified 7 years, 1 month ago by shereew.
    Cory Lamle

    (@corylamleorg)

    7 years, 1 month ago

    Hey @shereewalker

    The archive.zip file and installer.php on the origin site should be saved with a hashed file name like this:

    itsplugintimephp722_20190111_ea274a22646013fa6234_20190424135300_archive.zip

    So unless you have directory browsing enabled it would be almost impossible for the hacker to guess the file name and access it.

    When you download the installer.php file and upload it to another server that is where the risk comes in because hackers look for an installer.php file by default. So in these cases that is why it’s important to run the installer and remove the files. If you don’t want to keep the installer or archive in the origin site you can remove that as well whenever you want. If you are concerned about this small window the installer also has a password feature built into it.

    If the files are not getting removed when you try to delete them this could be a permissions issue, but the interface should let you know if they are not successfully removed. If not then be sure to submit a support ticket and we can help you determine why the files are not being removed.

    Hope that helps~

    Thread Starter shereew

    (@shereewalker)

    7 years, 1 month ago

    Hi Cory

    Ah I see – sorry that makes much more sense.

    I just saw the installer.php extension

    https://www.dropbox.com/s/l05y0niqqljntw9/files%20.png?dl=0

    And panicked.

    When I use the tool to delete the files, it does come back with a success alert so I don’t know why they are still there. Even after I delete the plugin, that entire WP-snapshots folder with all those files in the image are still there.

    That’s fine though – sorry to flog a dead horse here but just to confirm, if I manually delete the WP-snapshots folder myself after un-installing the plugin, is that all traces gone?

    Thank you so much for your time on this!

    Cory Lamle

    (@corylamleorg)

    7 years, 1 month ago

    Yeah, just delete the plugin and the wp-snapshots folder and there should be no other related Duplicator files.

    Hope that helps~

Viewing 6 replies - 1 through 6 (of 6 total)

The topic ‘Remaining installer files’ is closed to new replies.