HejBit Decentralised Backup Security & Risk Analysis

wordpress.org/plugins/hejbit-decentralised-backup

Securely back up your WordPress site to decentralized storage via Nextcloud and HejBit.

0 active installs v1.0.7 PHP 7.3+ WP 6.7+ Updated Oct 29, 2025
backupdecentralisednextcloudswarmwebdav
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Safety Verdict

Is HejBit Decentralised Backup Safe to Use in 2026?

Generally Safe

Score 100/100

HejBit Decentralised Backup has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 8mo ago
Risk Assessment

The "hejbit-decentralised-backup" plugin version 1.0.7 exhibits a generally good security posture, with several positive indicators. The extensive use of prepared statements for all SQL queries (100%) and a very high rate of properly escaped output (98%) are significant strengths. The absence of dangerous functions, file operations, and any recorded vulnerabilities (CVEs) in its history further bolster this positive assessment. The plugin also demonstrates an understanding of WordPress security best practices by including nonce and capability checks.

However, there is a notable concern regarding its attack surface. Out of 3 total entry points, 1 is unprotected. This unprotected entry point is an AJAX handler. While the taint analysis did not reveal any unsanitized paths, the presence of an unprotected AJAX handler presents a potential risk. An attacker could potentially exploit this handler to trigger unintended actions or gain unauthorized access if the handler itself doesn't implement sufficient internal validation or relies on the user being logged in without a proper capability check.

In conclusion, the plugin has a solid foundation in secure coding practices, particularly concerning data handling. The primary area for improvement lies in ensuring all entry points, especially AJAX handlers, are properly authenticated and authorized. The absence of historical vulnerabilities is encouraging but doesn't negate the need to address the identified unprotected entry point.

Key Concerns

  • Unprotected AJAX handler entry point
Vulnerabilities
None known

HejBit Decentralised Backup Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

HejBit Decentralised Backup Release Timeline

No version history available.
Code Analysis
Analyzed Apr 16, 2026

HejBit Decentralised Backup Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
18 prepared
Unescaped Output
1
44 escaped
Nonce Checks
4
Capability Checks
3
File Operations
0
External Requests
7
Bundled Libraries
0

SQL Query Safety

100% prepared18 total queries

Output Escaping

98% escaped45 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

2 flows
hejbit_logs_page (HDB.php:1203)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
1 unprotected

HejBit Decentralised Backup Attack Surface

Entry Points3
Unprotected1

AJAX Handlers 1

authwp_ajax_hejbit_test_nextcloudHDB.php:1180

REST API Routes 2

GET/wp-json/HDBparamHDB.php:942
GET/wp-json/HDBsavesHDB.php:1004
WordPress Hooks 11
actionhejbit_SaveHDB.php:715
actionhejbit_SaveInProgressHDB.php:716
actionadmin_post_saveNowHDB.php:717
actionnetwork_admin_menuHDB.php:731
actionadmin_menuHDB.php:736
actionadmin_initHDB.php:756
actionadmin_initHDB.php:851
actionadmin_initHDB.php:852
actionadmin_initHDB.php:901
actionrest_api_initHDB.php:940
actionrest_api_initHDB.php:1002

Scheduled Events 10

hejbit_SaveInProgress
hejbit_SaveInProgress
hejbit_Save
hejbit_SaveInProgress
hejbit_SaveInProgress
hejbit_SaveInProgress
hejbit_SaveInProgress
hejbit_SaveInProgress
hejbit_SaveInProgress
hejbit_SaveInProgress
Maintenance & Trust

HejBit Decentralised Backup Maintenance & Trust

Maintenance Signals

WordPress version tested6.7.5
Last updatedOct 29, 2025
PHP min version7.3
Downloads357

Community Trust

Rating0/100
Number of ratings0
Active installs0
Developer Profile

HejBit Decentralised Backup Developer Profile

João Metaprovide

1 plugin · 0 total installs

94
trust score
Avg Security Score
100/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect HejBit Decentralised Backup

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/hejbit-decentralised-backup/css/style.css/wp-content/plugins/hejbit-decentralised-backup/js/script.js
Script Paths
/wp-content/plugins/hejbit-decentralised-backup/js/script.js
Version Parameters
hejbit-decentralised-backup/style.css?ver=hejbit-decentralised-backup/script.js?ver=

HTML / DOM Fingerprints

Data Attributes
data-nextcloud-logindata-nextcloud-passworddata-nextcloud-url
JS Globals
hejbit_settings
FAQ

Frequently Asked Questions about HejBit Decentralised Backup