Database Sync
[resolved] "Outline Security" (3 posts)

  1. bassgang
    Member
    Posted 1 year ago #

    Hey,

    Nice db sync plugin, works great so far, thanks for the work and for publishing it.

    I was wondering if you could outline shortly how the plugin internally decodes the URL/auth. information into the token.

    For me the workflow is a little bit too easy :) It sounds weird but I feel a little bit insecure using the plugin… But on the other hand it really works well, so can you provide some information about that?

    Thanks in advance

    http://wordpress.org/plugins/database-sync/

  2. tamlyn
    Member
    Plugin Author

    Posted 8 months ago #

    When the plugin is activated it generates a 16-character random string (~104 bits of entropy) using mt_rand(). This key is stored in the options table as outlandish_sync_secret. The token is generated by concatenating this random string with the site URL and base64-encoding the lot.

    When you copy and paste the token to another WordPress installation, it decodes it and stores the secret key and remote URL in its options table. When doing a pull or a push, the key is POSTed (in plain text) to the remote server and compared with the key stored there.

    The mechanism is essentially the same as most login forms on the internet, although the password is considerably harder to guess than anything a human could memorise!

    I hope this explains things and sorry for not responding sooner. I'll add something along these lines to the FAQ.
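
The token scheme described in the reply above, as an added PHP example that is not part of the thread and not the plugin's own code. The layout (16-character secret first, then the URL, no separator), the alphanumeric alphabet and all function names are assumptions; the secret is drawn with random_int() instead of mt_rand(), which the PHP manual marks as unsuitable for cryptographic purposes, and the key comparison uses hash_equals().

```php
<?php
// Added illustration; NOT the Database Sync plugin's code.
// Assumed layout: base64( <16-char secret> . <site URL> ), no separator.
const SECRET_LEN = 16;

// Generate the shared secret from the OS CSPRNG (random_int), not mt_rand().
// The alphabet is an assumption; the thread does not say which one is used.
function make_secret(): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $secret = '';
    for ($i = 0; $i < SECRET_LEN; $i++) {
        $secret .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $secret;
}

// Sending side: concatenate secret and site URL, then base64-encode the lot.
function encode_token(string $secret, string $siteUrl): string {
    return base64_encode($secret . $siteUrl);
}

// Receiving side: split a pasted token back into secret and remote URL.
// Returns null for anything that is not well-formed.
function decode_token(string $token): ?array {
    $raw = base64_decode($token, true);   // strict mode rejects non-base64 input
    if ($raw === false || strlen($raw) <= SECRET_LEN) {
        return null;
    }
    $url = substr($raw, SECRET_LEN);
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    return ['secret' => substr($raw, 0, SECRET_LEN), 'url' => $url];
}

// Remote side: compare the POSTed key with the stored one in constant time.
function key_matches(string $stored, string $posted): bool {
    return hash_equals($stored, $posted);
}

$secret = make_secret();
$token  = encode_token($secret, 'https://example.test');  // constructed sample URL
$parts  = decode_token($token);

var_dump($parts['secret'] === $secret);           // decoding recovers the secret
var_dump(key_matches($secret, $parts['secret'])); // stored vs. POSTed key
var_dump(decode_token('***'));                    // malformed token is rejected
```

Because base64 is an encoding and not encryption, anyone who sees the token holds the secret. The plain-text POST of the key is protected in transit only when the remote URL uses HTTPS.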

  3. bassgang
    Member
    Posted 5 months ago #

    Thanks a lot for the in-depth info.

Topic Closed

This topic has been closed to new replies.
