Facebook
Twitter
-
If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
CentOS2Alma discussion
WP Toolkit admin PWs encrypted?
- Thread starter DerDanilo
- Start date
-
- Tags
- wordpress toolkit
U
UFHH01
Guest
Hi Danilo Schwabe,
there is no password storage for wordpress instances in the psa - database. Wordpress instances use their own database and YES, these passwords are encrypted.
there is no password storage for wordpress instances in the psa - database. Wordpress instances use their own database and YES, these passwords are encrypted.
DerDanilo
Basic Pleskian
Thanks for that info. Ik that WP has it's own DB and that those PWs are encrypted.
My question is rather about the following when saving the PWs in the WP Toolkit:
U
UFHH01
Guest
Hi Danilo Schwabe,
What you see is just a login screen to your Wordpress instance... consider to compair it with the one from Wordpress itself, over the URL => ...your-domain.com/wp-admin/ .
I understood you very well in the first place and still the answer remains the very same.
What you see is just a login screen to your Wordpress instance... consider to compair it with the one from Wordpress itself, over the URL => ...your-domain.com/wp-admin/ .
U
UFHH01
Guest
Hi Danilo Schwabe,
pls. remember, that this forum is an ENGLISH - only language forum, so pls. consider to translate your recent post, so that all forum users are able to understand what you write.
pls. remember, that this forum is an ENGLISH - only language forum, so pls. consider to translate your recent post, so that all forum users are able to understand what you write.
DerDanilo
Basic Pleskian
U
UFHH01
Guest
Hi Danilo Schwabe,
I don't know the exact code here, but my answer, that your wordpress password is not stored in the psa - database has to be correct, because I can't find any storage in the psa - database for it.
Well the password IS already stored in your wordpress - related database, which you are going to access, when you connect the wordpress toolkit with the wordpress instance.
I don't know the exact code here, but my answer, that your wordpress password is not stored in the psa - database has to be correct, because I can't find any storage in the psa - database for it.
DerDanilo
Basic Pleskian
Hi Danilo Schwabe,
Well the password IS already stored in your wordpress - related database, which you are going to access, when you connect the wordpress toolkit with the wordpress instance.
I don't know the exact code here, but my answer, that your wordpress password is not stored in the psa - database has to be correct, because I can't find any storage in the psa - database for it.
I know about the WP DB and that the PW is stored encrypted there, reset it manually in the past several times.
Thanks Uwe! Much appreciated, but client contracts require us to clarify. Didn't write that stuff, some guy who gets a lot of money for it did. :-/
@Plesk Team:
Can you clarify that for us?
I can confirm this statement.
WP users passwords are stored in wordpress_XXX database in table XXXX_users as crypted content of user_pass field. For example:
select * from BQE5cB2_users\G
*************************** 1. row ***************************
ID: 1
user_login: jlennon
user_pass: $P$BNk13dPKncXqutEAgDCDutXflwV8wA.
user_nicename: John Lennon
DerDanilo
Basic Pleskian
I'm sorry to bring this up again but if the password is not stored in the psa DB please explain to me, how it is possible for Plesk to show the Wordpress admin password in cleartext in Plesk? It surely does not decrypt (how would it do so) the password stored in the WP DB.
-----------------
As well I'd expect to be logged in directly when clicking on "Log in to Admin Dashboard" with the password that one just saved to the WP toolkit (It says so in the description as well).
What else is it good for to have the password stored here?
U
UFHH01
Guest
Hi Danilo Schwabe,
Could you pls. explain, WHY it is relevant for you to know, "HOW Plesk is able to decrypt the stored ( encrypted ) password in the corresponding Wordpress DB" ?
Could you pls. explain the ( possible ) issues/errors/problems, when trying to use the link from your Plesk Wordpress Toolkit?
DerDanilo
Basic Pleskian
Hi @UFHH01
I'll try my best to explain.
I don't want to know (in case it does) how Plesk decrypts the password (I am no dev), but want to understand the logic (how it works in aspect of security and storing user information) of the WP toolkit before putting many WP pages into the WP toolkit, away from other 3rd party tools.
Following the confirmation that Plesk does not store any pws in the PSA DB:
The issue that I have had was that the login didn't work because of the url issue (http/https), this is solved now since the url are corrected and the admin pw for a demo page was saved in the wp toolkit.
I'll try my best to explain.
I don't want to know (in case it does) how Plesk decrypts the password (I am no dev), but want to understand the logic (how it works in aspect of security and storing user information) of the WP toolkit before putting many WP pages into the WP toolkit, away from other 3rd party tools.
Following the confirmation that Plesk does not store any pws in the PSA DB:
- WP toolkit asks for the admin users password (or the user that one selects)
- If it would be able to decrypt the pw it wouldn't need to ask for the password - Plesk has to store the password the user then enters somewhere
- Since Plesk is by logic (to point one) not able to decrypt passwords from the WP db: Where is this password stored?
- The password the user enters does surely not overwrite the current admin password, as one did not tell the WP toolkit to change the password.
- Does it? - Is it a good idea to show WP admin pws in cleartext or even to make this possible?
- Depending on where and how these PWs are stored this can produce a securtiy issue.
- Admins pws should only be stored in encrypted form, either an ecrypted db or external tools like Keepass.
The issue that I have had was that the login didn't work because of the url issue (http/https), this is solved now since the url are corrected and the admin pw for a demo page was saved in the wp toolkit.
U
UFHH01
Guest
Hi Danilo Schwabe,
Sorry... wrong conclusion. The Plesk Wordpress Toolkit just makes sure, that you use the correct credentials as stored in your existent Wordpress - Database - see it as a sort of "confirmation", pls. - If the credentials are wrong, you will not be logged in. Changing the password will certainly work, due to the fact that the Wordpress Toolkit is able to use the global "admin" MySQL - user, who has access to all databases on your database - server.
We are turning in circles here. You already have the valid answer, that Plesk doesn't store Wordpress - passwords in it's own database.
Correct - only if you previously entered the correct admin - username and password, the option "true" is set for further options ( i.e.: changing the password ).
It IS secure and ( again as already answered! ), the password is not stored in the Plesk database. You might want to present and discuss all the other possibilities, but this does not change the fact that Plesk does not store the passwords of Wordpress users in its own database.
