Note (July 2015): previous releases of UpdraftPlus showed plain text by default. Though starring adds nothing to security and isn’t best for usability (as explained below), so many people expect stars, that we decided it’d be better to acquiesce, and say goodbye to the repeated questions about it! Until then, this FAQ asked the question the other way round – we’ve left some of the explanation to do with password starring in browsers below, for general usefulness.
When you enter a password and it is starred, in fact this only prevents “shoulder-surfers” (people looking over your shoulder) from seeing the password. It provides no extra protection from other users who can sit at the keyboard, or access the same WordPress admin panel.
Three quick, different ways that people who have access to the settings page can access stored passwords are: 1) Press “View Source” in their web browser, and read it out of there. 2) Download a backup of the site’s database and read it out of there. 3) Install an extension in their web browser to un-star all passwords (e.g. this one).
Starring out the password only protects against people who are a) malicious enough to misuse your password, but b) too technically incompetent to do any of the above. It’s best to keep people like that well away from your admin panel!
A better solution (than starring out), if you have multiple admins on the WordPress site, is to set up a new set of access credentials for the backup storage for each website you are backing up (i.e. a unique FTP login/set of S3 credentials, etc.). For Amazon S3, read this article. You can also lock access to your admin page in UpdraftPlus Premium, as explained here.
If you want to display passwords directly, then do this:
- Using FTP (or equivalent) access to your web hosting space, create (if it does not already exist) a folder called mu-plugins in the content directory of your WordPress install (which is usually called wp-content – i.e. the new directory will be wp-content/mu-plugins).
- In that folder, create a new file called ud-star-passwords.php (or anything else ending in .php) with the following content:
<?php add_filter('updraftplus_admin_secret_field_type', 'updraftplus_admin_secret_field_type'); function updraftplus_admin_secret_field_type($type) { return 'text'; }
That’s it!
Posted in: Amazon S3, Configuration, FTP