Support » Plugin: UpdraftPlus WordPress Backup Plugin » Possible security issue

  • Resolved Brad Markle


    Hello UpdraftPlus,

    I may have found a Possible security issue, and I wanted to pass it on to your dev team. I’m having a hard time finding out how to get this information to you. Is there a web page or email address best used for these types of questions / concerns?

    – Brad

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support kbatdorf


    Hi Brad (@bwmarkle),

    Are you on WordPress Slack? Do you want to send me a message there and I can pass it on directly to the developers. Thanks!

    Plugin Author David Anderson


    Hi Brad,

    This was passed to me. I understand that you are concerned that the WordPress database will store your FTP password if you enter your FTP password in the settings.

    This is inevitable if you want to carry out unattended backups. Any plugin that accesses any remote server (whether backups, or something else, via FTP or something else), necessarily needs a security token that gains them access. (With FTP, the ‘token’ is the password). And if you’re expecting that access to taken place unattended, then necessarily the token gets stored in the WP database.

    If someone tells you that they have a encryption scheme that means that something can be stored inside WordPress such that a plugin can decrypt it, but that a human being can’t, then that person is selling snake oil. If a human being compromises your WP install then he can just run any code that is part of a plugin. The only means of storage capable of unattended retrieval are the filesystem or database. In all WP break-ins for practical purposes, the attacker has access to both.

    If your threat model is off-site backups that a third-party has access to, then a) if the third-party already has access to the storage location, then it’ll be redundant for him to download the database and read the credentials out of it, since he apparently already had access and/or b) someone can use the database encryption feature in UpdraftPlus Premium.

    Best wishes,

    Plugin Author David Anderson


    Or to be slightly more succinct…

    – If your threat model is that the attacker has access to the live database, then it’s game over. He can just add new admin users and de-activate all your security plugins, at-will.

    – But if he can’t access the live database, then apparently he accessed the database via the FTP backup instead…. so apparently he already knew your FTP password (or equivalent), and thus subsequently reading that out of the database would be redundant.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Possible security issue’ is closed to new replies.