
Geeklog Forums

non plain text passwords on server



spidermann

Forum User
Junior
Registered: 11/29/04
Posts: 26
Location:Handbasket, Satan
Spammers attacked and got into two sites of mine. The host is stating that it is because of the plain text passwords in the config file(s).

I know of no other way to put the SQL password into GL. Maybe someone can shed some light on how to not have the password plain text and GL still work?

Would be much appreciated.

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Well, the password has to be stored somewhere. Where else would you suggest to store it (and how)?

The config.php file should not be accessible other than through direct or ftp access to your webserver. And if someone gains that sort of access, you have much bigger problems to deal with than that ...

bye, Dirk

1000ideen

Forum User
Full Member
Registered: 08/04/03
Posts: 1298
spidermann, you should request more detailed information from your host on WHY he thinks this is dangerous. I think this is nonsense. Almost all the blogs or portals store the passwords like that. There must be a misunderstanding.

Anyway where is your config on the server? Below public_html?

spidermann

Forum User
Junior
Registered: 11/29/04
Posts: 26
Location:Handbasket, Satan
The config is before public_html where it should be. No config file is ever put in public_html, but they seem to think that it was the reason the spammers got in.

They refuse to think that it was their servers, or a fault of their servers, for the attack. Even after I pointed out to them that GL had not been running on one of the sites in over nine months, and nothing was configured for GL on that site as I had deleted it all.

Yeah, they are sucking at the moment.

Dirk - I wasn't suggesting a different spot or anything. I know that the password is safe as it is. I was just asking to see if there was something I didn't know so that I could make sure it was the host being idiotic and not me.

1000ideen

Forum User
Full Member
Registered: 08/04/03
Posts: 1298
As you describe it, it is definitely the host. All the other scripts like Mambo, Joomla, Drupal, Loudblog, WordPress etc. do it the same way and they even put it below public_html.
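Added example, not part of the original thread and not Geeklog's own code: a shell check for the two points discussed above, whether the config file sits outside the web root and whether other accounts on the server can read or write it. The config file path and web root path are arguments you supply.

```shell
#!/bin/sh
# Added example (not Geeklog code). Usage: sh check_config.sh CONFIG_FILE WEB_ROOT
# Both paths are supplied by you; nothing here is read from a Geeklog install.

check_config() {
    cfg=$1; docroot=$2; rc=0
    [ -f "$cfg" ] || { echo "ERROR: $cfg is not a regular file"; return 2; }
    # pwd -P resolves symlinked directories to their physical location.
    real_root=$(cd "$docroot" 2>/dev/null && pwd -P) ||
        { echo "ERROR: cannot enter web root $docroot"; return 2; }
    real_dir=$(cd "$(dirname "$cfg")" && pwd -P)

    # 1. Location: inside the web root the file is reachable by URL, and a
    #    broken PHP handler would send its source, password included.
    case "$real_dir/" in
        "$real_root"/*) echo "FAIL: $cfg is inside web root $real_root"; rc=1 ;;
    esac

    # 2. Mode bits: characters 8 and 9 of the ls mode string are "other" r/w.
    mode=$(ls -ld "$cfg" | cut -c1-10)
    case "$(printf '%s' "$mode" | cut -c8)" in
        r) echo "FAIL: $cfg is world-readable ($mode)"; rc=1 ;;
    esac
    case "$(printf '%s' "$mode" | cut -c9)" in
        w) echo "FAIL: $cfg is world-writable ($mode)"; rc=1 ;;
    esac

    if [ "$rc" -eq 0 ]; then
        echo "OK: $cfg ($mode) is outside $real_root"
    fi
    return "$rc"
}

if [ "$#" -eq 2 ]; then check_config "$1" "$2"; fi
```

Exit status is 0 when both checks pass, 1 on any finding, and 2 when a path cannot be checked.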
