Beware – Blogger Password Stored in Plaintext

Where exactly did you see this ?

And to reassure everyone:
– your blog password is ONLY stored inside the database.
– your database password is ONLY stored in your wp-config.php file which CANNOT be read in a browser

https://www.tamba2.org.uk/T2/wp-config.php
Mine has been there for 2 years. Go read it.

If WP was that insecure, don’t you think that this might have been mentioned before ?

Oh, and inside the database, the password is further MD5 encoded. That makes it pretty much impossible to decipher.

I found Blogger.com password in the database backup I had made using the Backup command in Manage in admin. As I stated I did the transfer from Blogger.com which is when it asks for my Blogger.com password and userID. I then ran the backup plugin, downloaded the backup file to my computer, looked inside and found my password. It is in plaintext. it is NOT MD5 or otherwise encoded. Do it yourself if you want the exact location. I’m not passing a copy of my database around. Who knows what else is in there.

Oh, and don’t just dismiss this as “If WP was that insecure, don’t you think that this might have been mentioned before” when someone mentions a security concern. Not only is that rude but you apparently haven’t even checked the issue yet. Fact is WP2 is new and apparently it is storing the Blogger.com login info. It should not be doing so. That is a potential security flaw.

And “potential security flaws” should not be reported on this forum.

Please report this here: security-at-wordpress-dot-org (replacing the obvious, of course)

Thank you. I have now done so. It is not obvious where to report this. I appreciate the pointer.