Using FTP or SFTP is the best way. You can download via browser (follow the instructions in the message you pasted to enable it, see the System Configuration option in Akeeba Backup), but it's not guaranteed to work on all servers and for big files as the server may truncate the backup archive.
Let me explain why this is different to any other plugin and the risks you were not aware of.
Most plugins simply create a subdirectory inside your site's wp-content directory and leave it unprotected. Anyone who knows the name of the backup archive can download it. This is, of course, a huge security liability. Once someone has a backup of your site, they have your site. They have the content of your site, the email addresses of all of your users and their passwords (in hashed format, which can be cracked given some determination, half a dozen video cards, and a few days per password on average).
To prevent that, they usually just tuck a bunch of random characters at the end of the filename, making it hard to guess. However, hard to guess means neither impossible to guess, nor impossible to steal. Most plugins I have seen use a very weak PRNG (pseudo-random number generator) to create the "random" characters at the end of the filename. If you take backups at around the same time every day it becomes easy to guess these "random" characters. Moreover, if one of your plugins has a SQL injection vulnerability -- a strain of security vulnerability which is sadly all too common in the WordPress world -- the predictable naming of their database tables can divulge the full name of each backup archive. Even simpler, most web servers will spit out the filenames of backup archives if you put its URL in the browser.
In other words, their security is at about the same level as the TSA security theater: only there to make you feel safe, not to actually make you safe.
We follow a different approach.
While we do create a subdirectory inside wp-content, we by default protect the directory against direct web access in multiple ways. We put a .htaccess (used by Apache and LiteSpeed) and web.config (used by Microsoft IIS) file to block all direct web access to its contents. We put an index.html file to prevent your web server's automatic directory listing from spitting out the names of the files in there if someone were to access it. We warn you to change that folder to avoid using a well-known default place. We even use a CSPRNG (cryptographically secure pseudorandom number generator) to generate truly random characters at the end of the backup archive's name for even better security.
The downside of protecting the subdirectory against web access is that we cannot give you a URL you put in your browser and have it directly download the backup archive through the browser. The workaround to that is to "proxy" the download through PHP itself. The downside of that is that if the download takes a lot of time the web server software disconnects from PHP before it has spat out all the entirety of the contents of the file. Moreover, some servers are misconfigured to emit PHP debug messages in the output, breaking the backup archive. This is why we recommend using FTP or SFTP.
My recommendation as a web professional who has been building sites since the stone ages (mid-1998) and web software since 2001, doing web site security since 2004, and setting up Linux servers since 2001 is to always use SFTP to deal with files stored on your server. It's the fastest, most reliable, and most secure method. Anything else will get you in trouble, in ways you can't imagine.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
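An added illustration of the two protections described in the reply above: writing .htaccess, web.config and index.html into the backup directory so the web server refuses direct access and never lists its contents, and naming the archive with a CSPRNG suffix instead of a time-seeded PRNG suffix that can be brute-forced by anyone who knows roughly when the backup ran. This is example code written for this page, not Akeeba Backup's own implementation; the file contents, the `site-*.jpa` naming, the 60-second seed step and the assumption that IIS has the URL Authorization module installed are all mine.

```python
import os
import random
import secrets

# Constructed file contents (assumed, not Akeeba's own files).
HTACCESS = """# Deny all direct web access to this directory (Apache 2.2/2.4, LiteSpeed)
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
"""

WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<!-- Deny all direct web access (IIS; assumes the URL Authorization module is installed) -->
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Deny" users="*" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
"""

# An empty page so a server that ignores the rules above still returns nothing useful
# instead of an automatic directory listing.
INDEX_HTML = "<html><body></body></html>\n"


def protect_backup_dir(path):
    """Create the backup directory and drop the three protection files into it.

    Returns a dict of file name -> full path of what was written.
    """
    os.makedirs(path, exist_ok=True)
    written = {}
    for name, body in ((".htaccess", HTACCESS), ("web.config", WEB_CONFIG), ("index.html", INDEX_HTML)):
        full = os.path.join(path, name)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
        written[name] = full
    return written


def csprng_archive_name(prefix="site", ext="jpa", suffix_bytes=16):
    """Archive name with a suffix from the OS CSPRNG (128 bits of entropy by default)."""
    return f"{prefix}-{secrets.token_hex(suffix_bytes)}.{ext}"


ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def weak_archive_name(seed, prefix="site", ext="jpa", length=32):
    """The anti-pattern: a Mersenne Twister seeded from a guessable value (e.g. the backup time).

    The suffix looks random but is a pure function of the seed.
    """
    rng = random.Random(seed)
    return f"{prefix}-{''.join(rng.choice(ALPHABET) for _ in range(length))}.{ext}"


def recover_weak_name(target_name, start_epoch, window_seconds, step=60):
    """Attacker's view: if backups run at about the same time each day, try every
    candidate seed in the window and return the one that reproduces the name."""
    for seed in range(start_epoch, start_epoch + window_seconds, step):
        if weak_archive_name(seed) == target_name:
            return seed
    return None


if __name__ == "__main__":
    files = protect_backup_dir("/tmp/demo-backups")
    print("protection files:", list(files))
    print("strong name:", csprng_archive_name())
    backup_time = 1700000000 + 5 * 60          # constructed: backup ran 5 min after 'start'
    target = weak_archive_name(backup_time)
    print("weak name:  ", target)
    print("recovered seed:", recover_weak_name(target, 1700000000, 3600))
```

Run it from the shell to see the three files written and the weak name recovered in a handful of guesses; the CSPRNG name cannot be recovered this way because there is no seed to enumerate.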