WordPress.org

Make WordPress Core

Opened 5 years ago

Closed 5 years ago

#33724 closed enhancement (wontfix)

Save FTP Details in Database

Reported by: atomicjack
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.4
Component: Upgrade/Install
Keywords:
Focuses:
Cc:

Description

Currently, FTP details are automatically saved in wp-config, in what is essentially plain text.

This is both insecure and inefficient.

Insecure: plain text passwords. Need I say more?

Inefficient: If file permissions are correct, the user is always asked to re-enter the FTP details, as they cannot be written to wp-config.php.

Solution? Hash the FTP password, save the details to the database.

It secures the password - and, there are no more file permission issues in regards to FTP issues.

Change History (1)

#1 @TobiasBg
5 years ago

  • Focuses administration removed
  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Thanks for your suggestion! I don't think that this is going to work, however.

Hashed FTP passwords are rather useless, as WordPress needs the unhashed/plain-text ones in order to open an FTP connection to the server.

Storing the plain text passwords in the DB is not a good idea either, for the security reasons that you mentioned. (For one, if someone can read wp-config.php, he'd have access to the DB credentials anyway. Secondly, this makes another attack vector for the FTP credentials attractive, like SQL injection.)

If a user is bothered with entering the FTP credentials every time, he can simply add them as constants to wp-config.php (but will have to live with the potentially reduced security).
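An added example, not part of the ticket or of WordPress itself: a small audit that reports when FTP credentials are stored as constants in wp-config.php and whether the file's permissions expose them to other local users. The constant names checked (FTP_HOST, FTP_USER, FTP_PASS, FTP_PRIKEY) are the ones WordPress reads for filesystem upgrades; the sample file contents, host name and function names are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Constants WordPress reads from wp-config.php for FTP/SSH-based upgrades.
SENSITIVE = ("FTP_HOST", "FTP_USER", "FTP_PASS", "FTP_PRIKEY")

# Matches define('NAME', 'value') at the start of a line, so that
# lines commented out with // or # are ignored.
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*['"](?P<name>[A-Z_]+)['"]\s*,\s*['"](?P<value>[^'"]*)['"]""",
    re.MULTILINE,
)

# Constructed sample input; every value is a placeholder.
SAMPLE = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'FTP_HOST', 'ftp.example.invalid' );
define( 'FTP_USER', 'deploy' );
define( 'FTP_PASS', 'constructed-placeholder' );
// define( 'FTP_PRIKEY', '/home/deploy/.ssh/id_rsa' );
"""

def audit_wp_config(path):
    """Return a list of findings about FTP credentials stored in path."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    defined = {m.group("name") for m in DEFINE_RE.finditer(text)
               if m.group("name") in SENSITIVE and m.group("value")}
    if not defined:
        return []
    findings = ["plaintext credentials defined: " + ", ".join(sorted(defined))]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append("file is world-readable (mode %o)" % mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file is group/world-writable (mode %o)" % mode)
    return findings

def write_constructed_sample(mode):
    """Write SAMPLE to a temporary file with the given permission bits."""
    fd, path = tempfile.mkstemp(suffix=".php")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE)
    os.chmod(path, mode)
    return path
```

The check is line-based, so a define() inside a /* ... */ block comment is still reported.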
