[Plugin: XCloner – Backup and Restore] Is User Name Hard-Coded?

  • WordWeaver777
    Member

    @wordweaver777

    Hello again Ovidiu. I am curious. Is the XCloner user name hard-coded so that it cannot be changed?

    The reason why I ask this is because I have tried multiple times to change both the default user name and password since I first installed your plug-in.

    While I can change the password to whatever I want, this is clearly not the case with the user name. Any time I attempt to change the user name, I am unable to log in to the plug-in.

    In short, I am forced to use your default user name, along with a password of my choosing.

    If the user name is indeed hard-coded, I consider this poor security, because having that forced, default user name removes one obstacle from would-be hackers, who otherwise would also have to figure out what user name a WP admin is using.

    Please clarify.

    Thanks!

    http://wordpress.org/extend/plugins/xcloner-backup-and-restore/

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author xcloner
    Member

    @xcloner

    Hey there! The username is not being hardcoded, otherwise the editing field would not have a point. You can easily verify this by opening the wp-content/plugins/xcloner-backup-and-restore/cloner.config.php file and looking at the ‘jcuser’ parameter to see its value. The password is being generated using the md5() algorithm and that can be checked also!

    If you think it’s a bug I might have missed, I would be happy to fix it! Ovidiu

    WordWeaver777
    Member

    @wordweaver777

    Hello Ovidiu. Actually, I was already quite certain that the user name was not being hard-coded, even before I wrote the previous message, because when this problem first began to occur some time ago, I did in fact check the cloner.config.php file, and I could see that my user name was in fact being stored properly there. However, I just wanted for you to verify that this is so.

    So the question then is why am I having this problem?

    More specifically, here is what is happening:

    After installing XCloner for the first time, as you know, it informs the user that the password must be changed.

    So, I changed the user name and password and saved the changes, and then I proceeded to do a manual backup. This was before I figured out how to perform automatic backups using OSX’s cron tab along with the Cronnix app.

    The problem is that each time that I tried to log into XCloner in the following days in order to perform another manual backup, it would inform me that the user name and password were wrong, even though I knew that they weren’t wrong. In fact, as I said, I would physically open the cloner.config.php file in order to verify that the user name was correct.

    The only way that I could get around this problem was by keeping a virgin copy of the cloner.config.php file handy. Each day, before using XCloner, I would simply replace the cloner.config.php file with a virgin copy of the file. Then, I would log in with the default user name and password, change the user name and password, and then conduct the manual backup.

    Eventually, I discovered that if I just use my own password, but leave the user name at its default value, I could log in without having to replace the cloner.config.php file first.

    So that is why I asked you if the user name was hard-coded, even though I really didn’t think that it was.

    Now that everything is automated via a cron tab, it is not a problem for me, but I assume that the problem still exists if I try to log in.

    So the main question is: Why isn’t XCloner recognizing my user name, even though it is clearly being stored in the cloner.config.php file?

    That, my friend, is the question.

    WordWeaver777
    Member

    @wordweaver777

    Hello Ovidiu. Good news…I just figured out what the problem is.

    Apparently, the user name is case sensitive.

    What was happening was this:

    After typing in my user name in lowercase letters, either Firefox — or maybe WP or your plug-in — would automatically convert it to the capitalization that is already stored in memory somewhere, I suppose. In other words, it must be a part of the auto-complete function.

    So, because it was being converted into the capitalization that I normally use, it was not being accepted by XCloner, since that user name is stored as all lowercase letters.

    Once this possibility occurred to me a few minutes ago, I edited the cloner.config.php file so that the user name uses the same capitalization that Firefox, WP or your plug-in keeps forcing me to use.

    I can now log in using my own user name and password.

    Two solutions:

    1. make the user name case insensitive

    2. add a string to the login window informing the user that the user name is case sensitive.

    Hope that helps.
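The first suggestion above, sketched as an added example that is not part of the posts and is not XCloner's code: the user name is case-folded before comparison while the password check stays exact. Only the ‘jcuser’ setting and the use of md5() come from the thread; the `jcpass` key, the function names and the sample values are assumptions made for illustration.

```php
<?php
// Added illustration, NOT the plugin's admin.cloner.php.
// 'jcuser' and md5() are named in the thread; 'jcpass' and both
// function names are hypothetical.

/** Exact-match login: the case-sensitive behaviour reported in the thread. */
function login_case_sensitive(array $cfg, string $user, string $pass): bool
{
    // Evaluate both checks before combining them, so a failure does not
    // reveal which of the two fields was wrong.
    $userOk = hash_equals($cfg['jcuser'], $user);
    $passOk = hash_equals($cfg['jcpass'], md5($pass));
    return $userOk && $passOk;
}

/** Suggestion 1: fold case on the user name only. */
function login_case_insensitive(array $cfg, string $user, string $pass): bool
{
    // strtolower() folds ASCII letters; non-ASCII user names would need
    // a Unicode-aware fold instead.
    $userOk = hash_equals(strtolower($cfg['jcuser']), strtolower($user));
    // The password is never case-folded. md5() is used here only because
    // the thread says that is how the stored value is generated.
    $passOk = hash_equals($cfg['jcpass'], md5($pass));
    return $userOk && $passOk;
}

// Constructed sample config: user name saved in lowercase.
$cfg = [
    'jcuser' => 'wordweaver',
    'jcpass' => md5('constructed-sample-pass'),
];

// Case 1: the browser auto-completes the field to another capitalization.
var_dump(login_case_sensitive($cfg, 'WordWeaver', 'constructed-sample-pass'));

// Case 2: same input against the case-folding variant.
var_dump(login_case_insensitive($cfg, 'WordWeaver', 'constructed-sample-pass'));

// Case 3: a password that differs only in capitalization.
var_dump(login_case_insensitive($cfg, 'WordWeaver', 'Constructed-Sample-Pass'));
```

Folding case only on the user name leaves the password as the sole secret, which matches how the thread treats the two fields.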

    Plugin Author xcloner
    Member

    @xcloner

    I am pretty sure that option works correctly as we usually change the default user and pass also.

    If you’d like to debug the code, you can simply open the file wp-content/plugins/xcloner-backup-and-restore/admin.cloner.php and look at line 52; that’s where the authentication takes place. You can easily check there if the proper variables are being parsed from the cloner config or the login form.

    Ovidiu

    Plugin Author xcloner
    Member

    @xcloner

    Ahh, that would explain it. Yes, the login is case sensitive; I will make a note of that and add a notification text.

    Thanks for pointing this out! Ovidiu

    WordWeaver777
    Member

    @wordweaver777

    My pleasure! 🙂
