Password stored in database and visible via developer tools

UpdraftPlus Home Forums Paid support forum – UpdraftPlus backup plugin Password stored in database and visible via developer tools

Viewing 3 posts - 1 through 3 (of 3 total)
  • Author
    Posts
  • December 4, 2024 at 10:41 pm #2313812
    Brendan Coffey
    Participant

    I am trying to figure out how to make sure that my UpdraftPlus password is not visible to other Administrators of the websites that I manage, or stored in the database.

    Currently when I connect to Premium, I enter my username and password, and then on any future visits to this page by any administrator, my password is prefilled into that field and easily seen by inspecting the page with developer tools or viewing source.

    I read at the link below that my password is not stored on the website since 2015 and version 1.11.1 but it definitely is stored as a row in wp_options with a value of updraftplus-addons_options.

    Tell me about my UpdraftPlus.Com account (including data protection and privacy issues)

    You will need to type in your updraftplus.com username and password into your WordPress site when connecting to your updraftplus.com account, in order to claim your purchases. This then allows you to receive automatic updates to UpdraftPlus through the usual WordPress dashboard. If at any time you don’t wish to receive updates, or wish to not connect to your updraftplus.com account any more, then simply remove the username from your settings. It will not delete your already-downloaded add-ons. So removing it is quite safe.

    Note that after you have successfully connected and activated your add-ons, you can then remove your password (i.e. enter a blank password and press the ‘Connect’ button again). Your password will then not be stored on the WordPress site, but it will still be able to access updates. (This is done automatically since version 1.11.1, August 2015).

    So I’m trying to figure out why this is the case when password storage was removed 9 years ago.

    Additionally, the instructions at that link to remove the password and resubmit the form to stay connected for updates does not work, and that disconnects the website.

    December 4, 2024 at 10:42 pm #2313813
    Brendan Coffey
    Participant
    This reply has been marked as moderator-only.
    December 5, 2024 at 4:14 pm #2314408
    Vanessa
    Moderator

    The instructions that you are reading are outdated. Some users where exploiting a loophole and were getting free updates so we had to make a change.

    The password issue – I have replicated this. I will pass this onto our development team as this is not ideal.

  • Author
    Posts
Viewing 3 posts - 1 through 3 (of 3 total)
  • You must be logged in to reply to this topic.