Custom field - backup all your content with just one click

Edited by @texnixe on 2016/07/02: The repo currently has its home here: https://github.com/1n3JgKl9pQ6cUMrW/kirby-backup


I know the content of a Kirby site is easy to back up, by simply dragging the folder from the server to your local system.

###Why a backup function?###

But my client wanted an even easier workflow for backing up all his / her files (text / images), without the need to struggle with sFTP-accounts, Dropbox-sync, etc…

He was used to WordPress, which has a default file-revision function (you can track all the changes made in your text, from within the panel and roll back if needed).

So I created a custom field which allows you to back-up the complete \content folder with one click on a button…

###How it works###



Download the plugin from my Github page - and be sure to check the readme.md file before using it.


###Is it secure?###

I tried to secure this new function as best as possible;

  • Only one .zip-file is created at most (older files are automatically deleted).
  • The .zip-file has a unique, random file-name (preventing direct downloads).
  • The backup-creation script must be called from the same server - direct access is forbidden.
  • Only POST-requests are valid - and must match some standard syntax-settings.
  • Hot-linking to every file in the \backup\ directory is forbidden.
  • A .htaccess file in the \backup\ directory secures all actions and files.
  • After creating and downloading the .zip (which contains all the content) you can delete the original at once.
  • etc…

###Please, report any bugs###

I do realize this extra feature can introduce a new attack-vector (like all functions on a website can)…

…so I hope someone will check the source-code and do a basic security audit on it (just to be sure, in order to prevent leaks I did not see myself).

2 Likes

Why do you use an external script? You could also implement this using a route in a plugin. This would make it possible to check for user permissions and if a user is even logged in.

I think that this is a great idea in general, but I wouldn’t recommend using it with the external script. It’s very easy to fake the Referrer header. :wink:

I know it’s easy to fake the header, but I decided it’s better than nothing (also, the .htaccess restricts all access).

I only know Kirby for a week now… so I’m adopting the best way to create things like this…

I’ve read about routing and user-permissions, but I’m not sure how to create your own “route” with a plug-in structure.

More suggestions are welcome!

Well, no. It doesn’t at all if you fake the headers. You could currently access the PHP file with a faked header to create a backup and then download the ZIP also using a faked header.

BTW: Another backup solution that comes to my mind is the Git-commit-and-push-content plugin. You can use that to create a backup on a remote Git server in the same moment any content is changed in the Panel.
I know that this isn’t as easy as downloading a ZIP, but on the other hand users won’t need to do anything manually.

I will check out the plug-in routing option, that seems more secure.

Most clients don’t have / want a Github account for back-ups - so I really need a simple solution :smile:

The script isn’t live on any server - it’s just a try-out and I will update it with the routing option first.

Of course you can already download a complete site with a tool like Httrack, so the script itself does not open any doors that should be closed :stuck_out_tongue:

That depends on what your content directory contains. :wink:
It might as well contain password-protected data.

Okay, so I made my first Kirby plugin ever, with a custom route and a security check on the user (so you can’t create a backup, if you’re not logged in / registered as a user).

###And I did fine-tune some things;###

  • The file size of the backup is shown.
  • The backup file contains the domain-name (which can come in handy, when backing up several domains).
  • The option to delete a backup is now recommended in the text (for security reasons).
  • Fixed some typos.
  • etc…


I guess this new version offers a more secure way for creating, downloading and maintaining your site’s content - let me know in the comments.

###POST vs. GET using a custom route###

But I do have one question; the backup-script (located in site/plugins/backup/backup.php) is called from the panel, using an AJAX-call (triggered from site/fields/backup/backup.php).

Basically, this AJAX-call requests a page, using a route, which is defined as sitename/content-backup/?action=create.

This works fine, as long as I use a GET-parameter for the AJAX-call… but I prefer a POST-parameter - so you can’t see / sniff the variables used in the URI.

A POST-call returns a 404 - page not found in my developers console, while a GET-call does work… any idea why I can’t use a POST-method here?

It’s not a big issue, I guess - but it’s my first plugin (and first script using Kirby’s route-option), so maybe I’m doing something wrong?

The route-option is declared in site/plugins/backup/backup.php.

###Direct links to these files###

  1. backup.php - https://github.com/dmotion/kirby-backup/blob/master/site/plugins/backup/backup.php
  2. backup.js - https://github.com/dmotion/kirby-backup/blob/master/site/fields/backup/assets/js/backup.js

###Update - version 0.0.3###

Updated the little rascal with an option to show all backed-up files after the creation of a backup.

1 Like

The reason POST does not work is that routes only listen for GET requests by default. You can use 'method' => 'POST' to only allow POST requests.

Since your code is a bit hard to read (no indentation), I can’t really tell whether it is secure or not.
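The route-based approach discussed in this thread (POST-only route, check on the logged-in user instead of the Referer header), as an added example for Kirby 2.x that is not the plugin's own code and not written by any participant. The `site/backups` directory and the `csrf` POST field are assumptions, as is the availability of the toolkit's `csrf()` helper in the installed version.

```php
<?php
// Added example for Kirby 2.x (e.g. site/plugins/backup/backup.php); not the plugin's code.
// Assumed: a site/backups directory and a 'csrf' POST field holding a token from csrf().
kirby()->routes(array(
  array(
    'pattern' => 'content-backup',
    'method'  => 'POST', // routes answer GET only unless a method is set
    'action'  => function() {

      // Authorize via the session; a Referer header proves nothing.
      $user = site()->user();
      if(!$user or !$user->hasPanelAccess()) {
        return response::error('Not logged in', 403);
      }

      // csrf(null) would issue a fresh token and return it, so reject a
      // missing field before comparing.
      $token = get('csrf');
      if(!is_string($token) or $token === '' or csrf($token) !== true) {
        return response::error('Invalid CSRF token', 403);
      }

      $source = realpath(kirby()->roots()->content());
      $dir    = kirby()->roots()->site() . DS . 'backups'; // hypothetical location
      dir::make($dir);
      dir::clean($dir); // keep one archive at most
      $name   = 'content-' . bin2hex(openssl_random_pseudo_bytes(16)) . '.zip';

      $zip = new ZipArchive();
      if($zip->open($dir . DS . $name, ZipArchive::CREATE) !== true) {
        return response::error('Could not create archive', 500);
      }
      $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($source, FilesystemIterator::SKIP_DOTS)
      );
      foreach($files as $file) {
        // store paths relative to the content folder
        $zip->addFile($file->getPathname(), substr($file->getPathname(), strlen($source) + 1));
      }
      $zip->close();

      return response::json(array('size' => filesize($dir . DS . $name)));
    }
  )
));
```

The download of the archive needs the same session check in its own route; a random file name alone does not authenticate the request.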

Thanks for the helping hand.

The docs at Kirby are outstandingly documented - but sometimes it’s hard to find a specific setting / variable / option for my issues… (but I think that’s my problem only).

Glad you helped me out with the POST option, I updated the plugin - and also restored the original indentation;

I used a default indentation of 2 spaces, but something went wrong when copy/pasting the code into GitHub (I don’t use a client to push the code - just a simple copy/paste because I do a lot of editing from my tablet and I don’t want a GitHub client installed on that device).

Yes, that’s true. We are currently working on the documentation to improve the structure.
Do you have any specific feedback on the routing page? Where did you look for it/expect it?

I don’t have any specific feedback, so I can’t help you out :smile:

My experience is that literally every little detail of Kirby (API) is documented on this site, but sometimes hard to find (sometimes it even looks like Google can’t index the content very well? Both for the forum and the docs-section… even a search with “site:forum.getkirby.com IamLookingForThisKeyWord” does not always return proper results).

Once I know the solution (like the POST / GET toggle for the routing-option) it’s easy to find it on the site - but I could not find it, before I knew the existence of this option…

Maybe it’s a good idea to include more “complete” samples, from real live situations - so you can (as a starting Kirby addict) find and re-use code-blocks, without jumping from page to page, helper to helper and API-option to… API-option?


I also have another issue (overriding the default settings for a number-field) but I’ll post that in a new thread, in order to keep things clean and separated.

That’s what we are currently trying to do. Stay tuned. :wink:

Does anyone know what happened to this plugin? The Github project isn’t available anymore and dMotion isn’t a user here anymore …

@dMotion has changed his username, now he is @1n3JgKl9pQ6cUMrW

The repo is here: https://github.com/1n3JgKl9pQ6cUMrW/kirby-backup/blob/master/site/plugins/backup/backup.php

Thanks :slight_smile: that’s good news!

Do you also know which Plugin is used to get the tabbed site options?

Hi,

I did change my GitHub name, so all my Kirby-plugins are now collected at one page.

https://github.com/1n3JgKl9pQ6cUMrW?tab=repositories

As we speak, I am rewriting most of the extensions - because they are not working nicely with Kirby 2.2

The backup/ icon-field / tabbed-interface are already fixed - but I did not push them to the master; I will check them once again this weekend and will update them this weekend.


tabbed interface


icon field (upper left)


content backup


Especially the last one is giving me headaches, because the Javascript-routing isn’t working…

Uncaught TypeError: Cannot read property 'match' of undefined - app.min.js?v=2.2.1:42
2 Likes

Hmmm… seems like Kirby is hooking all anchors in the panel with a nice RegEx… including the anchors I created for the backup-field… which causes the plug-in to crash, fired by Kirby.

Guess I’m going to find myself a new job :stuck_out_tongue:

Hi @1n3JgKl9pQ6cUMrW, at the moment the backup-plugin seems to be unavailable. Are there plans to make it available again?

https://github.com/1n3JgKl9pQ6cUMrW/kirby-backupped

Previous version didn’t work with Kirby 2.3 - this version does… (well, at least with my set-up).

1 Like

Great, thanks! I’ll try it tomorrow :smiley: