WordPress.org

Forums

[resolved] Security Issue? (7 posts)

  1. Pena47
    Member
    Posted 4 years ago #

    So, I can't imagine this has gone completely unnoticed, but I found it very odd.

    I set up WordPress (I uploaded it via ftp) and configured the wp-config.php file with the MySQL database info. Now it seems that when you go to the website, ANYONE can set up the initial username and password.

    Of course I always go to the site immediately and set up my own username and password, after which you get the login screen, but shouldn't there be a more secure way?

    [Moved to Requests & Feedback]

  2. esmi
    Forum Moderator
    Posted 4 years ago #

    Such as?

  3. Pena47
    Member
    Posted 4 years ago #

    Such as requiring a password in the wp-config file to be used as the default password to log into WordPress. That way only the person with access to the wp-config file can set the password.

  4. esmi
    Forum Moderator
    Posted 4 years ago #

    > Such as requiring a password in the wp-config file

    Eeek! Such a password would be exposed to anyone who hacks into the server.

  5. ClaytonJames
    Member
    Posted 4 years ago #

    > I set up WordPress (I uploaded it via ftp) and configured the wp-config.php file with the MySQL database info. Now it seems that when you go to the website, ANYONE can set up the initial username and password.

    That would be correct. You have just performed steps 3, 4, and 5 of the Famous 5-Minute Install routine. At this point, a reasonable assumption has to be made that your intent is to complete the installation. The only time it might become an issue is if you do exactly that which you have described, and then fail to complete the install process. But it makes no sense for that to be the case.

  6. It's a security issue, yes, but there's no reasonable way around it. Yes, it's possible there are legit reasons you could get most of the way through and stop (local power outage, etc), but this is a risk you run with all web apps during installs.

  7. Pena47
    Member
    Posted 4 years ago #

    > Eeek! Such a password would be exposed to anyone who hacks into the server.

    If someone hacks into the server you've probably got bigger issues...

    > That would be correct. You have just performed steps 3, 4, and 5 of the Famous 5-Minute Install routine. At this point, a reasonable assumption has to be made that your intent is to complete the installation. The only time it might become an issue is if you do exactly that which you have described, and then fail to complete the install process. But it makes no sense for that to be the case.

    Fair enough, it wasn't ever really an issue for me, I just wasn't sure if this had been acknowledged (although I had a hard time imagining nobody noticing).
