How can I remove AWS credentials from HTML source?

  • Resolved stevied

    (@stevied)


    11 months, 1 week ago

    I noticed that the Amazon aws credentials are stored in the clear and visible simply by looking at the HTML source code. Is there a way to secure these outside the db and put them in wp-config.php or somewhere else that is not so easily accessible?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @stevied

    Thank you for reaching out and I am happy to help!
    Can you please share if you are seeing this while logged in and can you please let me know the website URl?

    Thanks!

    Thread Starter stevied

    (@stevied)

    You must be logged in as an admin. However, if an admin account is compromised, the attacker will now have access to the CDN’s bucket credentials.

    The credentials appear on wp-admin/admin.php?page=w3tc_cdn

    Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @stevied

    Thank you for your feedback.
    Since those credentials are added there manually, yes, they may be showing in the source.

    However, this is the only opion to use the CDN with the credentials added, since the plugin is pulling the information from the configuration and not the wp-config.

    Let me check this more and I’ll get back to you with more info.

    Thanks!

    Thread Starter stevied

    (@stevied)

    Thanks. Yes, I’d prefer to not add the credentials through the interface. This makes them accessible to any admin. Even if the admins can be trusted, if their account is compromised, the credentials are then accessible to a hacker.

    It would be great if there was an option to add these credentials through the wp-config file instead. Thanks for looking into this.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘How can I remove AWS credentials from HTML source?’ is closed to new replies.