
Beware – Blogger Password Stored in Plaintext

  • I just transferred over a test blog from Blogger.com to WordPress 2.0.

    That went smoothly. I then ran a backup using the backup plugin.

    I downloaded the backup to my computer and was pawing through it in a text editor and lo and behold, there is my Blogger login info with my password in plain text!!!

    Not good. Bad, WP, Bad. Sit. Stay. Grrr…

  • Where exactly did you see this?

    And to reassure everyone:
    – your blog password is ONLY stored inside the database.
    – your database password is ONLY stored in your wp-config.php file which CANNOT be read in a browser

    Mine has been there for 2 years. Go read it.

    If WP was that insecure, don’t you think that this might have been mentioned before?

    Oh, and inside the database, the password is further MD5 encoded. That makes it pretty much impossible to decipher.

    I found the Blogger.com password in the database backup I had made using the Backup command in Manage in admin. As I stated I did the transfer from Blogger.com which is when it asks for my Blogger.com password and userID. I then ran the backup plugin, downloaded the backup file to my computer, looked inside and found my password. It is in plaintext. It is NOT MD5 or otherwise encoded. Do it yourself if you want the exact location. I’m not passing a copy of my database around. Who knows what else is in there.

    Oh, and don’t just dismiss this as “If WP was that insecure, don’t you think that this might have been mentioned before” when someone mentions a security concern. Not only is that rude but you apparently haven’t even checked the issue yet. Fact is WP2 is new and apparently it is storing the Blogger.com login info. It should not be doing so. That is a potential security flaw.

    And “potential security flaws” should not be reported on this forum.

    Please report this here: security-at-wordpress-dot-org (replacing the obvious, of course)

    Thank you. I have now done so. It is not obvious where to report this. I appreciate the pointer.
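
A check a blog owner could run on a downloaded backup before storing or sharing it, as an added example that is not part of the original thread or of WordPress: it flags name/value rows whose name looks credential-related and reports only whether the value is shaped like an MD5 hex digest or like plaintext. The table name, option names and values are constructed placeholders, since the thread does not say where the Blogger login is stored, and the parser assumes simple two-column `('name','value')` rows.

```python
import re

# One ('name','value') row of string literals; backslash escapes are allowed.
# Assumption: a simple two-column key/value table, not WordPress's real schema.
ROW = re.compile(r"\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)")
SENSITIVE_NAME = re.compile(r"pass|pwd|secret", re.IGNORECASE)
MD5_HEX = re.compile(r"[0-9a-fA-F]{32}")

# Constructed sample dump; names and values are placeholders, not real data.
SAMPLE_DUMP = """\
-- constructed sample, not taken from any real backup
INSERT INTO example_options (name, value) VALUES ('blogname','Test Blog'),('import_service_user','someone');
INSERT INTO example_options (name, value) VALUES ('import_service_password','correct horse battery'),('cached_pass_digest','0123456789abcdef0123456789abcdef');
"""


def classify(value):
    """Label a stored value by its shape only; says nothing about hash strength."""
    if value == "":
        return "empty"
    if MD5_HEX.fullmatch(value):
        return "md5-shaped"
    return "plaintext-shaped"


def scan_dump(sql_text):
    """Return (line_no, name, label) for rows whose name looks credential-related.

    The value itself is never returned, so the report can be logged or shared
    without repeating the secret.
    """
    findings = []
    for line_no, line in enumerate(sql_text.splitlines(), start=1):
        if not line.lstrip().upper().startswith("INSERT"):
            continue
        for match in ROW.finditer(line):
            name, value = match.group(1), match.group(2)
            if SENSITIVE_NAME.search(name):
                findings.append((line_no, name, classify(value)))
    return findings


if __name__ == "__main__":
    for line_no, name, label in scan_dump(SAMPLE_DUMP):
        print(f"line {line_no}: {name}: {label}")
```

Any row reported as plaintext-shaped is a reason to change that credential at the remote service and to treat the backup file itself as sensitive.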
