Anonymous site visitors must not be able to download backups of your website database. That’s why you should use a
private directory next to (and thus outside of) your application’s
docroot as a protected assets path.
Boxfile, declare the “private” directory as permanent storage (see the Boxfile documentation for details):
version: 2.0 shared_folders: - private
Configure the protected asset path on the File System page (Administer > Configuration > Media: File system) as “
../private”. Here, the “Backup & Migrate” module will automatically create a subdirectory named
backup_migrate for its backups.
When you view your assets directory via SSH/SFTP, you’ll find your backups below