[Already implemented] Hashed UpdraftPlus password

Hi

After connecting to UpdraftPlus for installing premium extensions, the UpdraftPlus username and password are stored in plain text in the WP database (updraftplus-addons_options). So other persons having admin access to a WP site may read my UpdraftPlus username and password from a db backup. From my understanding of security, the username and password, or at least the password, should be saved in a hashed form.

Thanks


4 Comments

    • udadmin

      Hi Jurgen,

      This doesn’t happen on our testing setups. As described to Christian, the password is removed after it has been exchanged for a token. Are you examining at an intermediate stage, prior to being used? If not, please open a support request, and give a sequential list of steps to reproduce the problem, and then we will investigate this.

      David

  1. udadmin

    Hi Christian,

    After being used successfully to claim an add-on, the password is removed and replaced with a token, and not stored permanently. If that’s not the case on your site, that should be investigated. This behaviour was changed somewhere around 2 years ago, so the alternative is that you have a very old UD version.

    David

  2. Christian

    Hi David
    Thanks for your reply. Well, then it’s my fault. I installed a package I downloaded April 6th 2016 (updraftplus-with-migrator.2.12.2.zip), entered e-mail address and password and did the updates. I think I scanned the database before doing the update. Thank you for already fixing the problem before I came up with it ;-)
