1
I use WordPress and other CMSs, and all of these have plain-text passwords in their config files, e.g. in wp-config.php.
I wonder, is this the normal way an administrator would protect security?
I realise it's possible to move the wp-config outside of the root web directory, but still, if the server itself is compromised, it's possible to find the wp-config file and the password inside, and then the system is compromised.
Is there a way to encrypt all passwords on the system, so that in the web applications config files it uses the encrypted pass and not just plain text? Is there a sensible way of keeping plain-text passwords off the server?
PS: I use Linux VPS Ubuntu servers.
Cheers Ke
2 The only way somebody could read that (short of a series of unlikely failures preventing the server from parsing the .php file and thus just serving it up as plaintext) is if they had your FTP details. If they have your FTP details, you have far bigger problems. – Phoshi – 2010-03-20T14:08:24.620
The normal way a WordPress admin or a more general admin would protect security? As a general rule, you encrypt passwords, but not all applications support that. – David Thornley – 2010-03-20T15:42:21.310