- This topic has 3 replies, 4 voices, and was last updated 6 years, 11 months ago by Bryle Crodua.
-
Posts
-
Hello,
We recently discovered that if you chrome-inspect the password field for SFTP that you can view the password through the development console. Although i guess you could call it handy if you forget the password this is a MAJOR security concern. We do backups for our clients to our SFTP destination and we do NOT want them to be able to see the password to our SFTP Server.
See link for screenshot, i have blanked out the password obviously. We have checked a few sites we do this for and all of them have this “ability”
Hi,
Anyone who access the UpdraftPlus admin page can take, and download, a database backup. So, keeping passwords in the WP database only, and not on the page, makes zero difference to the ability of people viewing the page to get the passwords. Worse – if they can reach the backup page, then they can upload their own backup, and entirely replace the complete site. So, if there’s someone whom you don’t trust, then don’t let them reach an admin page where they can take and restore backups. If you can’t prevent someone being an admin, but want them not to reach the page, then there is this: https://updraftplus.com/faqs/want-lock-updraftplus-settings-site-admins-access/
David
This reply has been marked as private.Hi David,
Are you referring to your UpdraftPlus.com password?
If so, please could you fill in the following form for security purposes: https://updraftplus.com/support/re-establish-identity/
Please include as much detail as possible, and any invoices or confirmation emails that you received upon purchase.
We can then re-establish your access to the account.
Kind Regards,
Bryle
- The topic ‘Able to inspect password field for password’ is closed to new replies.