• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

WP Toolkit admin PWs encrypted?

Hi Danilo Schwabe,

there is no password storage for wordpress instances in the psa - database. Wordpress instances use their own database and YES, these passwords are encrypted.
 
Hi Danilo Schwabe,

there is no password storage for wordpress instances in the psa - database. Wordpress instances use their own database and YES, these passwords are encrypted.

Thanks for that info. Ik that WP has it's own DB and that those PWs are encrypted.
My question is rather about the following when saving the PWs in the WP Toolkit:

upload_2017-4-19_10-32-15.png
 
Hi Danilo Schwabe,

My question is rather about the following when saving the PWs in the WP Toolkit:
I understood you very well in the first place and still the answer remains the very same. ;)

What you see is just a login screen to your Wordpress instance... consider to compair it with the one from Wordpress itself, over the URL => ...your-domain.com/wp-admin/ . :)
 
But the password is saved there or not?
I mean what is it good for to have admin access if one cannot access the admin interface directly through the WP toolkit. One wants to access the WP backend quickly without the need to lookup passwords.
 
Last edited:
Hi Danilo Schwabe,

pls. remember, that this forum is an ENGLISH - only language forum, so pls. consider to translate your recent post, so that all forum users are able to understand what you write.
 
Hi Danilo Schwabe,

I mean what is it good for to have admin access if one cannot access the admin interface directly through the WP toolkit.
Well the password IS already stored in your wordpress - related database, which you are going to access, when you connect the wordpress toolkit with the wordpress instance.
I don't know the exact code here, but my answer, that your wordpress password is not stored in the psa - database has to be correct, because I can't find any storage in the psa - database for it. ;)
 
Hi Danilo Schwabe,

Well the password IS already stored in your wordpress - related database, which you are going to access, when you connect the wordpress toolkit with the wordpress instance.
I don't know the exact code here, but my answer, that your wordpress password is not stored in the psa - database has to be correct, because I can't find any storage in the psa - database for it. ;)

I know about the WP DB and that the PW is stored encrypted there, reset it manually in the past several times.

Thanks Uwe! Much appreciated, but client contracts require us to clarify. Didn't write that stuff, some guy who gets a lot of money for it did. :-/

@Plesk Team:
Can you clarify that for us?
 
your wordpress password is not stored in the psa
I can confirm this statement.
WP users passwords are stored in wordpress_XXX database in table XXXX_users as crypted content of user_pass field. For example:

select * from BQE5cB2_users\G
*************************** 1. row ***************************
ID: 1
user_login: jlennon
user_pass: $P$BNk13dPKncXqutEAgDCDutXflwV8wA.
user_nicename: John Lennon
 
I can confirm this statement.
WP users passwords are stored in wordpress_XXX database in table XXXX_users as crypted content of user_pass field. For example:

select * from BQE5cB2_users\G
*************************** 1. row ***************************
ID: 1
user_login: jlennon
user_pass: $P$BNk13dPKncXqutEAgDCDutXflwV8wA.

user_nicename: John Lennon


I'm sorry to bring this up again but if the password is not stored in the psa DB please explain to me, how it is possible for Plesk to show the Wordpress admin password in cleartext in Plesk? It surely does not decrypt (how would it do so) the password stored in the WP DB.

upload_2017-4-25_13-22-35.png

-----------------

As well I'd expect to be logged in directly when clicking on "Log in to Admin Dashboard" with the password that one just saved to the WP toolkit (It says so in the description as well).
What else is it good for to have the password stored here?

upload_2017-4-25_13-24-45.png
 
Hi Danilo Schwabe,

how it is possible for Plesk to show the Wordpress admin password in cleartext in Plesk?
Could you pls. explain, WHY it is relevant for you to know, "HOW Plesk is able to decrypt the stored ( encrypted ) password in the corresponding Wordpress DB" ?

As well I'd expect to be logged in directly when clicking on "Log in to Admin Dashboard" with the password that one just saved to the WP toolkit (It says so in the description as well).
What else is it good for to have the password stored here?
Could you pls. explain the ( possible ) issues/errors/problems, when trying to use the link from your Plesk Wordpress Toolkit?
 
Hi @UFHH01

I'll try my best to explain.

Hi Danilo Schwabe,
Could you pls. explain, WHY it is relevant for you to know, "HOW Plesk is able to decrypt the stored ( encrypted ) password in the corresponding Wordpress DB" ?

I don't want to know (in case it does) how Plesk decrypts the password (I am no dev), but want to understand the logic (how it works in aspect of security and storing user information) of the WP toolkit before putting many WP pages into the WP toolkit, away from other 3rd party tools.

Following the confirmation that Plesk does not store any pws in the PSA DB:
  1. WP toolkit asks for the admin users password (or the user that one selects)
    - If it would be able to decrypt the pw it wouldn't need to ask for the password
  2. Plesk has to store the password the user then enters somewhere
    - Since Plesk is by logic (to point one) not able to decrypt passwords from the WP db: Where is this password stored?
  3. The password the user enters does surely not overwrite the current admin password, as one did not tell the WP toolkit to change the password.
    - Does it?
  4. Is it a good idea to show WP admin pws in cleartext or even to make this possible?
    - Depending on where and how these PWs are stored this can produce a securtiy issue.
    - Admins pws should only be stored in encrypted form, either an ecrypted db or external tools like Keepass.

Could you pls. explain the ( possible ) issues/errors/problems, when trying to use the link from your Plesk Wordpress Toolkit?

The issue that I have had was that the login didn't work because of the url issue (http/https), this is solved now since the url are corrected and the admin pw for a demo page was saved in the wp toolkit.
 
Hi Danilo Schwabe,

WP toolkit asks for the admin users password (or the user that one selects)
- If it would be able to decrypt the pw it wouldn't need to ask for the password
Sorry... wrong conclusion. The Plesk Wordpress Toolkit just makes sure, that you use the correct credentials as stored in your existent Wordpress - Database - see it as a sort of "confirmation", pls. - If the credentials are wrong, you will not be logged in. Changing the password will certainly work, due to the fact that the Wordpress Toolkit is able to use the global "admin" MySQL - user, who has access to all databases on your database - server.

Plesk has to store the password the user then enters somewhere
- Since Plesk is by logic (to point one) not able to decrypt passwords from the WP db: Where is this password stored?
We are turning in circles here. You already have the valid answer, that Plesk doesn't store Wordpress - passwords in it's own database. ;)

The password the user enters does surely not overwrite the current admin password, as one did not tell the WP toolkit to change the password.
- Does it?
Correct - only if you previously entered the correct admin - username and password, the option "true" is set for further options ( i.e.: changing the password ).

Is it a good idea to show WP admin pws in cleartext or even to make this possible?
- Depending on where and how these PWs are stored this can produce a securtiy issue.
- Admins pws should only be stored in encrypted form, either an ecrypted db or external tools like Keepass.
It IS secure and ( again as already answered! ), the password is not stored in the Plesk database. You might want to present and discuss all the other possibilities, but this does not change the fact that Plesk does not store the passwords of Wordpress users in its own database.
 
Back
Top