Automatic WordPress Backup Security & Risk Analysis

wordpress.org/plugins/automatic-wordpress-backup

Automatically back up important bits of your WordPress install to Amazon S3.

300 active installs · v2.0.3 · PHP + WP 2.8+ · Updated Aug 11, 2010
backup-automatic-s3-zip-backups-scheduled
85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Automatic WordPress Backup Safe to Use in 2026?

Generally Safe

Score 85/100

Automatic WordPress Backup has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 15yr ago
Risk Assessment

The "automatic-wordpress-backup" v2.0.3 plugin exhibits a concerning security posture primarily due to a lack of robust authentication and output escaping mechanisms. While the plugin has no recorded vulnerability history, this is overshadowed by significant risks identified in static and taint analysis. The presence of an unprotected AJAX handler, coupled with the use of dangerous functions like `shell_exec` and `unserialize`, alongside a complete absence of output escaping, creates a fertile ground for potential attacks. The lack of capability checks is also a major red flag, implying that sensitive operations might be accessible to unauthorized users. Although the absence of critical taint flows and known CVEs are positive indicators, they do not mitigate the immediate risks posed by the exposed attack surface and insecure coding practices.

Key Concerns

  • Unprotected AJAX handler
  • Dangerous functions used (shell_exec, exec, unserialize)
  • No output escaping
  • No capability checks
  • SQL queries with low prepared statement usage
  • Flows with unsanitized paths
Vulnerabilities
None known

Automatic WordPress Backup Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Automatic WordPress Backup Code Analysis

  • Dangerous Functions: 8
  • Raw SQL Queries: 6, 1 prepared
  • Unescaped Output: 25, 0 escaped
  • Nonce Checks: 1
  • Capability Checks: 0
  • File Operations: 17
  • External Requests: 1
  • Bundled Libraries: 0

Dangerous Functions Found

  • shell_exec (automatic-wordpress-backup.php:243): `if ( is_null(@shell_exec('ls')) ) {`
  • shell_exec (automatic-wordpress-backup.php:249): `} elseif ( is_null(shell_exec('which zip')) ) {`
  • shell_exec (automatic-wordpress-backup.php:712): `$result = shell_exec('zip -r ' . $file . ' ' . implode(' ', apply_filters('awb_backup_folders', $bac`
  • shell_exec (automatic-wordpress-backup.php:723): `$result = shell_exec('zip -u ' . $file . ' awb-database-backup.sql');`
  • shell_exec (automatic-wordpress-backup.php:749): `$result = shell_exec('zip -u ' . $file . ' manifest.txt');`
  • exec (automatic-wordpress-backup.php:819): `exec("wget --no-check-certificate -O backup.zip '" . $s3->getObjectURL(get_option('s3b-bucket'), $_P`
  • exec (automatic-wordpress-backup.php:820): `exec('unzip backup.zip');`
  • unserialize (automatic-wordpress-backup.php:831): `if ( !(preg_match('|Machine Readable: (.*)|', $manifest, $matches) && ($manifest = unserialize($matc`

SQL Query Safety

14% prepared · 7 total queries

Output Escaping

0% escaped · 25 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

3 flows · 1 with unsanitized paths
init (automatic-wordpress-backup.php:48)
Flow diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface
1 unprotected

Automatic WordPress Backup Attack Surface

Entry Points: 2
Unprotected: 1

AJAX Handlers 2

  • auth · wp_ajax_awb_restore · automatic-wordpress-backup.php:1187
  • auth · wp_ajax_awb_running · automatic-wordpress-backup.php:1188
WordPress Hooks 12
  • action · admin_notices · automatic-wordpress-backup.php:85
  • action · admin_notices · automatic-wordpress-backup.php:86
  • action · wdc-menu-pages · automatic-wordpress-backup.php:1185
  • action · s3-backup · automatic-wordpress-backup.php:1186
  • action · admin_init · automatic-wordpress-backup.php:1189
  • action · wp_head · automatic-wordpress-backup.php:1190
  • filter · cron_schedules · automatic-wordpress-backup.php:1192
  • filter · wdc_plugins · automatic-wordpress-backup.php:1194
  • filter · wdc-settings-url · automatic-wordpress-backup.php:1195
  • filter · wdc-settings-page · automatic-wordpress-backup.php:1196
  • action · wp_footer · wdc\wdc.class.php:80
  • action · admin_menu · wdc\wdc.class.php:81

Scheduled Events 2

s3-backup
s3-backup
Maintenance & Trust

Automatic WordPress Backup Maintenance & Trust

Maintenance Signals

WordPress version tested: 3.0.5
Last updated: Aug 11, 2010
PHP min version
Downloads: 53K

Community Trust

Rating: 100/100
Number of ratings: 2
Active installs: 300
Developer Profile

Automatic WordPress Backup Developer Profile

DanCoulter

7 plugins · 640 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Automatic WordPress Backup

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/automatic-wordpress-backup/wdc/wdc.js
  • /wp-content/plugins/automatic-wordpress-backup/wdc/wdc.css
Version Parameters
  • automatic-wordpress-backup/wdc/wdc.js?ver=
  • automatic-wordpress-backup/wdc/wdc.css?ver=

HTML / DOM Fingerprints

CSS Classes
awb-warning
JS Globals
cmAWB