By the Gitify works on my production server, and by default, the _backup/ directory is accessible by anyone.
Of course, a curious visitor can’t browse the directory (Error 403) but the files could be accessible with the full URL such as https://mydomain.tld/_backup/2019-06-22T100636+0200.sql
Maybe a simple .htaccess with a
deny from all in this directory could be a good idea, or move the _backup/ directory outside the /htdocs directory…
And I don’t know if there are sensible informations inside _data directory (credential, user account…), but improve the security for this directory too could be important.
What do you thing ?