Duplicator
[feature request] Secure database.sql, installer-data.sql during deploy (2 posts)

  1. Jakub Klapka
    Member
    Posted 7 months ago #

    Hello,
    at first, I want to thank you for the awesome plugin, I use it very often for pulling/pushing sites between local dev and production sites.
    I have a little advice for a new feature, which would help me a lot. If you are pushing a site to a production server, you have to be quite sure about security during the whole process. I like how you prefix .php and .zip files with a secret hash. If the host doesn't print out the directory structure, you are quite safe if somebody visits the site during install.

    But what concerns me is that during the install process, the installer creates database.sql and installer-data.sql files, which are quite easy to guess, and those contain the most sensitive data the site has.

    I kinda have those secured by .htaccess files. In all my .htaccess files I put a rule to disallow access to .sql, .psd etc. files. Which works well only up to the point where Duplicator creates its own clean .htaccess file.

    I can think of several solutions:
    1. Prefix database files same way as you do with .php and .zip.

    2. Before the install, you could create custom .htaccess with rules to disallow access to those sensitive files, and delete them after install.

    3. Don't overwrite the user's .htaccess file, so we can secure that on our own. There was a discussion about this overwriting, and I get all your points why you don't want to leave the user's .htaccess there. But it would be nice to have this option, maybe in the installer, for advanced users who know what's going on.

    Thanks a lot for considering those points. I'm looking forward to the next versions.

    http://wordpress.org/plugins/duplicator/

  2. Cory Lamle
    Member
    Plugin Author

    Posted 7 months ago #

    Hey Lapak,

    Thanks for the feedback! Hopefully in future versions we can have a true real-time mechanism. Because the window is so short for most of the installs and users are advised to remove all the files you mentioned directly after install, it hasn't been a really high priority, as you're the first person to mention it... I'll definitely add it to the todo list. It may take a few versions but it is a good suggestion. I also hope to get the code out on GitHub by next year to get more developers contributing to the source.

    In the meantime you could probably just put an IP filter in your httpd.conf and that should do the trick until something is fixed in the codebase.

    Cheers~
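As an added example (not from either post and not part of the Duplicator plugin), an Apache fragment that combines the two ideas discussed above: denying web access to the .sql dumps named in the first post, and limiting the install directory to a single client IP as the plugin author suggests. It assumes Apache with mod_authz_core (2.4) or mod_access (2.2) and an AllowOverride that permits these directives in .htaccess; the IP address is a placeholder.

```apache
# Temporary .htaccess for a Duplicator deploy (example, not the plugin's own file).
# Place it next to installer.php before running the installer; remove it afterwards.

# 1. Never serve database dumps or other sensitive working files, whatever their
#    prefix: this covers database.sql and installer-data.sql mentioned in the thread.
<FilesMatch "\.(sql|psd)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>

# 2. While the install runs, allow the whole directory only from the deploying
#    machine (203.0.113.10 is a placeholder; replace it with your own address).
#    Apache 2.4 form:
<IfModule mod_authz_core.c>
    Require ip 203.0.113.10
</IfModule>
#    Apache 2.2 form:
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
</IfModule>

# 3. Belt and braces: refuse to list the directory if a host would otherwise do so.
Options -Indexes
```

The same rules can live in httpd.conf inside a `<Directory>` block for the site root, which survives Duplicator rewriting the .htaccess; either way, drop the IP restriction once the installer and its .sql files have been removed.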
