UpdraftPlus WordPress Backup Plugin
Security issue (4 posts)

  1. surefyre2
    Posted 3 years ago #

    Comment withdrawn by poster

  2. David Anderson
    Plugin Author

    Posted 3 years ago #


    Thank you for withdrawing this inaccurate report. That is appreciated.

    Many thanks,

    [ Signature moderated. ]

  3. surefyre2
    Posted 3 years ago #

    Fair comment, David, I have withdrawn the post as far as seems able in this system.

    Perhaps you'd care to clarify for users before they purchase any premium multisite upgrade as to whether or not the account details they used for a financial transaction for Updraft (as opposed to a likely non-financially-related WordPress account) are indeed transmitted in HTTP cleartext rather than encrypted HTTPS after having paid for and installed the Premium version when they go to verify their Updraft Account in the dashboard.

    Rather than me doing it and getting it wrong again, that is.

  4. David Anderson
    Plugin Author

    Posted 3 years ago #


    Regarding financial transactions, we collect payments only via PayPal. PayPal never pass on any financial details to vendors. We only get a notification from PayPal that payment has cleared, and then the money appears in our PayPal balance.

    When you install the "UpdraftPlus Add-Ons Manager" plugin that allows you to claim your add-on purchases, it asks you for your updraftplus.com password (not your WordPress password, and not your PayPal password, but the one you created at updraftplus.com for managing purchases). That then gets sent to updraftplus.com in order to retrieve a list of your add-on entitlements. It's true that that's done without encryption - we did not prioritise encryption, because getting a list of add-on entitlements is the *only* thing that you can do with the password. If someone else knows your updraftplus.com password, then all they can do is read a list of your purchases; they can't make any new purchases.

    If you are still concerned about someone with "man-in-the-middle" access to your network connection getting your updraftplus.com password, then after installing "UpdraftPlus Add-Ons" and claiming your purchases and running the WordPress updater (to update your version of UpdraftPlus to the one that includes the add-ons), you can then de-install "UpdraftPlus Add-Ons" and it won't communicate with updraftplus.com at all.


Topic Closed

This topic has been closed to new replies.
