vBSEO Password

Is anyone else bothered that this is stored in plaintext in the config_vbseo.php file? I would feel much better if it was at the very least hashed.

I can't really see any reason for it not being more secure aside from, well, less than morally correct usage reports.

Anyway, I'm not implying anything here... just a little bothered by this.

What about your mySQL password stored as plaintext in vBulletin's config.php?

Someone hacking into your vBSEO control panel and changing URLs around is nowhere near as destructive as hacking into your mySQL database IMO.

True, but config.php is required.

It could be devastating because wouldn't they have access to throw in some of their own rewrite URLs in (pointing to another site, perhaps)?

Anyway, is there a reason for not doing so?

It's not a concern me personally, but I can't make the call for Crawlabilty. Management will have to give their official opinion.

Thanks.

It's not so much the security concern... just the idea that if something can be more secure, well it should be. The only drawback would be being unable to edit the file directly.

True. You could clear the password though, and then go to the interface to set a new one.

Ok, this refinement has been implemented and will be distributed in the next vBSEO build. The vbseo cp password is now hashed in the text config file.

Thank-you for the suggestion

Awesome!