WordPress.org

Make WordPress Core

Opened 4 years ago

Closed 3 years ago

#31535 closed task (blessed) (wontfix)

Shiny Updates: Store FTP Credentials

Reported by: pento Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Upgrade/Install Keywords: shiny-updates
Focuses: ui, javascript, administration Cc:

Description

Branched from #29820.

With the addition of the FTP credentials screen, it'd be nice if we gave the user an option to store their credentials in their wp-config.php file.

Change History (7)

#1 @ocean90
4 years ago

We have already this constants: FTP_HOST, FTP_PASS, FTP_PRIKEY, FTP_PUBKEY, FTP_USER, FTP_SSL, and FTP_SSH. Do we need more?

This ticket was mentioned in Slack in #core by ocean90. View the logs.


4 years ago

#3 @pento
4 years ago

To follow up on Slack discussion, the idea of this ticket is to add an option to the FTP dialog in #31528 to write the FTP credentials to wp-config.php, using the constants we already support.

There's still some discussion to be had over whether storing FTP details in plaintext is a security issue or not.

#6 @jorbin
4 years ago

This part of the UX seems like something we should look at more in a future release with the MVP for 4.2 here being based around plugins.

#7 @dd32
4 years ago

For the record, my opinion here is that we shouldn't store the password in wp-config.php or database. My primary concern is that many systems that require FTP are running with PHP as a shared user. Combine that with wp-config.php having world-readable permissions by default and it's a fast way to compromise all installs on the server.

I believe hosts will continue to make life easier for their customers by not requiring ftp in the first place..

#8 @swissspidy
3 years ago

  • Keywords close added

With the introduction of Shiny Updates V2, the credentials are now stored in the JavaScript, so the user doesn't have to enter them that often anymore (only once per screen when updating multiple plugins).

I wouldn't add these credentials to wp-config.php either.

#9 @ocean90
3 years ago

  • Keywords close removed
  • Milestone Future Release deleted
  • Resolution set to wontfix
  • Status changed from new to closed

I agree with the above.

Note: See TracTickets for help on using tickets.