Support » Requests and Feedback » Beware – Blogger Password Stored in Plaintext

  • I just transfered over a test blog from to WordPress 2.0.

    That went smoothly. I then ran a backup using the backup plugin.

    I downlaoded the backup to my computer and was pawing through it in a text editor and low and behold, there is my Blogger login info with my password in plain text!!!

    Not good. Bad, WP, Bad. Sit. Stay. Grrr…

Viewing 5 replies - 1 through 5 (of 5 total)
  • Mark (podz)


    Support Maven

    Where exactly did you see this ?

    And to reassure everyone:
    – your blog password is ONLY stored inside the database.
    – your database password is ONLY stored in your wp-config.php file which CANNOT be read in a browser
    Mine has been there for 2 years. Go read it.

    If WP was that insecure, don’t you think that this might have been mentioned before ?

    Mark (podz)


    Support Maven

    Oh, and inside the database, the password is further MD5 encoded. That makes it pretty much impossible to decipher.

    I found password in the database backup I had made using the Backup command in Manage in admin. As I stated I did the transfer from which is when it asks for my password and userID. I then ran the backup plugin, downloaded the backup file to my computer, looked inside and found my password. It is in plaintext. it is NOT MD5 or otherwise encoded. Do it yourself if you want the exact location. I’m not passing a copy of my database around. Who knows what else is in there.

    Oh, and don’t just dismiss this as “If WP was that insecure, don’t you think that this might have been mentioned before” when someone mentions a security concern. Not only is that rude but you apparently haven’t even checked the issue yet. Fact is WP2 is new and apparently it is storing the login info. It should not be doing so. That is a potential security flaw.

    And “potential security flaws” should not be reported on this forum.

    Please report this here: security-at-wordpress-dot-org (replacing the obvious, of course)

    Thank you. I have now done so. It is not obvious where to report this. I appreciate the pointer.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Beware – Blogger Password Stored in Plaintext’ is closed to new replies.