The UpdraftPlus plugin, widely used for WordPress site backups, has recently come under fire due to concerns over its Google Drive API permissions. Users have raised objections to the plugin’s ownership of the “drive.readonly” permission, which essentially grants access to view and download all files in the connected Google Drive.


updraftplus drive API permission


The main point of contention revolves around the fact that UpdraftPlus, as the API owner, can potentially access and download all the files present in the connected Google Drive. This level of access is seen as unacceptable, even if the API is limited to accessing only specific backup directories.

The issue has been brought up in the WordPress support forum where users have expressed discomfort with granting such broad access to their Google Drive data. Despite the concerns raised by users, the plugin’s developers have denied the necessity of possessing view and download permissions for the entire Google Drive.

The primary concern for users is that they do not want to grant UpdraftPlus permission to view and download their entire Google Drive, especially when their intention is solely to backup website data.

The lack of transparency and timely response from UpdraftPlus has amplified user frustration. Without adequate clarification or justification for the requested permissions, users are left questioning the necessity and intentions behind granting UpdraftPlus unfettered access to their entire Google Drive.

Adding to the mounting concerns, another plugin from the same maintainer, “All In One WP Security & Firewall,” has come under scrutiny. Recent discoveries revealed a critical bug within “All In One WP Security & Firewall,” resulting in storing user passwords in plaintext format. This alarming vulnerability further highlights the need for comprehensive security practices across all plugins associated with UpdraftPlus.


In light of these issues, users are advised to take proactive measures to protect their data. One recommended action is to deauthorize UpdraftPlus from accessing their Google Drive. This can be done by navigating to the Google Account settings, specifically the “Third-party apps & services” section, where users can find UpdraftPlus and remove its access. Alternatively, users can follow the link provided within the UpdraftPlus plugin settings, under the “Authenticate with Google” section, to de-authorize UpdraftPlus from accessing their Google Drive.

Despite the controversy surrounding Google Drive API permissions, it’s worth noting that UpdraftPlus remains a reliable plugin for local backup storage. Users who prefer to retain the benefits of the plugin for local backups can still utilize its functionality without granting access to their Google Drive.