Support » Plugin: Database Sync » "Outline Security"

  • Hey,

    Nice DB sync plugin, works great so far. Thanks for the work and for publishing it.

    I was wondering if you could briefly outline how the plugin internally decodes the URL/auth information into the token.

    For me the workflow is a little bit too easy 🙂 It sounds weird but I feel a little bit insecure using the plugin… But on the other hand it really works well, so can you provide some information about that?

    Thanks in advance

    http://wordpress.org/plugins/database-sync/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author tamlyn

    (@tamlyn)

    When the plugin is activated it generates a 16-character random string (~104 bits of entropy) using mt_rand(). This key is stored in the options table as outlandish_sync_secret. The token is generated by concatenating this random string with the site URL and base64-encoding the lot.

    When you copy and paste the token to another WordPress installation, it decodes it and stores the secret key and remote URL in its options table. When doing a pull or a push, the key is POSTed (in plain text) to the remote server and compared with the key stored there.

    The mechanism is essentially the same as most login forms on the internet, although the password is considerably harder to guess than anything a human could memorise!

    I hope this explains things and sorry for not responding sooner. I’ll add something along these lines to the FAQ.
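
The token scheme described in the reply above, as an added PHP example that is not the plugin's own code: it builds and parses a token of the same shape and shows hardened choices for each step (secret from the OS CSPRNG rather than mt_rand(), HTTPS-only remote URL because the key is POSTed as-is, constant-time comparison). The function names, the fixed 16-character secret prefix with no separator, and the sample URLs are assumptions.

```php
<?php
// Added example, not the plugin's code. Assumed layout: the token is
// base64(secret . url) with a fixed 16-character secret in front.
const SECRET_LEN = 16;

// 12 bytes from the OS CSPRNG encode to exactly 16 base64url characters
// (96 bits), replacing mt_rand(), which is not a cryptographic generator.
function make_secret(): string {
    return strtr(base64_encode(random_bytes(12)), '+/', '-_');
}

function make_token(string $secret, string $siteUrl): string {
    return base64_encode($secret . $siteUrl);
}

// Decode a pasted token; reject anything malformed or not HTTPS, because
// the secret is later POSTed to this URL unencrypted by the application.
function parse_token(string $token): ?array {
    $raw = base64_decode(trim($token), true);   // strict alphabet check
    if ($raw === false || strlen($raw) <= SECRET_LEN) {
        return null;
    }
    $secret = substr($raw, 0, SECRET_LEN);
    $url    = substr($raw, SECRET_LEN);
    if (filter_var($url, FILTER_VALIDATE_URL) === false
        || strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        return null;
    }
    return ['secret' => $secret, 'url' => $url];
}

// Receiving side: compare stored and POSTed secret in constant time.
function secret_matches(string $stored, $posted): bool {
    return is_string($posted) && hash_equals($stored, $posted);
}

// Constructed sample values.
$secret = make_secret();
$parsed = parse_token(make_token($secret, 'https://staging.example.com'));
var_dump($parsed !== null && secret_matches($secret, $parsed['secret']));
var_dump(parse_token(make_token($secret, 'http://staging.example.com')));
var_dump(secret_matches($secret, null));
```
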

    Thread Starter Paul Vincent Beigang

    (@bassgang)

    Thanks a lot for the in-depth info.
