Security Issue?

  • Resolved Pena47

    (@pena47)


    14 years, 10 months ago

    So, I can’t imagine this has gone completely unnoticed, but I found it very odd.

    I set up WordPress (I uploaded it via ftp) and configured the wp-config.php file with the MySQL database info. Now it seems that when you go to the website, ANYONE can set up the initial username and password.

    Of course I always go to the site immediately and set up my own username and password, after which you get the login screen, but shouldn’t there be a more secure way?

    [Moved to Requests & Feedback]

Viewing 6 replies - 1 through 6 (of 6 total)
  • esmi

    (@esmi)

    14 years, 10 months ago

    Such as?

    Thread Starter Pena47

    (@pena47)

    14 years, 10 months ago

    Such as requiring a password in the wp-config file to be used as the default password to log into WordPress. That way only the person with access to the wp-config file can set the password.

    esmi

    (@esmi)

    14 years, 10 months ago

    Such as requiring a password in the wp-config file

    Eeek! Such a password would be exposed to anyone who hacks into the server.

    Clayton James

    (@claytonjames)

    14 years, 10 months ago

    I set up WordPress (I uploaded it via ftp) and configured the wp-config.php file with the MySQL database info. Now it seems that when you go to the website, ANYONE can set up the initial username and password.

    That would be correct. You have just performed steps 3, 4, and 5 of the Famous 5-Minute Install routine. At this point, a reasonable assumption has to be made that your intent is to complete the installation. The only time it might become an issue is if you do exactly that which you have described, and then fail to complete the install process. But it makes no sense for that to be the case.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Advisor and Activist

    14 years, 10 months ago

    It’s a security issue, yes, but there’s no reasonable way around it. Yes, it’s possible there are legit reasons you could get most of the way through and stop (local power outage, etc), but this is a risk you run with all web apps during installs.

    Thread Starter Pena47

    (@pena47)

    14 years, 10 months ago

    Eeek! Such a password would be exposed to anyone who hacks into the server.

    If someone hack into the server you’ve probably got bigger issues…

    That would be correct. You have just performed steps 3, 4, and 5 of the Famous 5-Minute Install routine. At this point, a reasonable assumption has to be made that your intent is to complete the installation. The only time it might become an issue is if you do exactly that which you have described, and then fail to complete the install process. But it makes no sense for that to be the case.

    Fair enough, it wasn’t ever really an issue for me, I just wasn’t sure if this had been acknowledged (although I had a hard time imagining nobody noticing).

Viewing 6 replies - 1 through 6 (of 6 total)

The topic ‘Security Issue?’ is closed to new replies.