If I configure and save an FTP/SFTP account, the credentials can be seen easily in the storage provider settings. If I give someone admin access for any development purpose, they can see that data easily. If I use the same server on multiple websites for backup, someone with access to one site can get the credentials and access another website’s backup files. This might be the same for Amazon and DigitalOcean accounts. I haven’t tried.
So my suggestion is: do not show the FTP server username and password in the settings. Instead, add a button to edit the information (with empty input fields) if someone wants to reconfigure. Even the previous username and password should not be displayed when editing.
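The write-only behaviour suggested above, sketched as an added example that is not part of the original post and not the plugin's own code. The field names, the `SAMPLE_ACCOUNT` record and both function names are assumptions made for illustration.

```python
from copy import deepcopy

# Hypothetical field names; the post only mentions an FTP/SFTP username and password.
SECRET_FIELDS = ("username", "password")
PLAIN_FIELDS = ("host", "port", "path")

# Constructed sample record standing in for a saved storage account.
SAMPLE_ACCOUNT = {"host": "backup.example.com", "port": 22, "path": "/backups",
                  "username": "site-a-backup", "password": "constructed-secret"}


def settings_for_display(stored):
    """Build what the settings page may render: plain fields as saved,
    secret fields always empty, plus a flag saying whether one is stored."""
    view = {name: stored.get(name, "") for name in PLAIN_FIELDS}
    for name in SECRET_FIELDS:
        view[name] = ""
        view[name + "_is_set"] = bool(stored.get(name))
    return view


def apply_edit(stored, submitted):
    """Merge a submitted form into the stored record.

    An empty secret field means "keep the current value", so the old secret
    never has to be sent to the browser for an edit to preserve it.
    Keys outside the known fields (including the *_is_set flags) are ignored.
    """
    updated = deepcopy(stored)
    for name in PLAIN_FIELDS:
        if name in submitted:
            updated[name] = submitted[name]
    for name in SECRET_FIELDS:
        if submitted.get(name):  # non-empty: the admin typed a new value
            updated[name] = submitted[name]
    return updated


if __name__ == "__main__":
    print(settings_for_display(SAMPLE_ACCOUNT))
    edited = apply_edit(SAMPLE_ACCOUNT,
                        {"host": "new.example.com", "username": "", "password": ""})
    print(edited["host"], edited["password"] == SAMPLE_ACCOUNT["password"])
```

This keeps the secrets out of the rendered settings page only; anyone who can read the site's database or run code on the site can still read the stored values.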
- The topic ‘security issue on remote storage credentials’ is closed to new replies.