Bug Reports

Usernames and passwords

Selezen ·
Hi there,

I am really enjoying using this CMS, but I was wondering if there were any plans to remove the admin username and password from a plain text config file and maybe either encrypt them in the config or store them in the database?

prana ·
Hi Selezen,

The admin passwords are stored with BCrypt, encoded with password_hash in the gk_user_items table. If you take a look at that table, the password column is hashed.

Were you referring to the database username & password and/or email password? If so, then yes, it's quite common, even in other languages that seem to have encrypted database/email username/password in the configuration file (for instance - C#/ASP.NET), the encrypted section of the database username/password in web.config can be easily reversed.

I hope this alleviates your concern. We take security seriously.
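
Added example, not part of the reply above and not the CMS's own code: a PHP check that tells a value produced by password_hash with BCrypt apart from plaintext or an unsalted digest, as one would when inspecting the password column. The function name describe_stored_password, the minimum cost of 10 and all sample values are assumptions constructed for illustration.

```php
<?php
// Added example. All sample values are constructed here; none come from a real table.

// Classify one stored password value (hypothetical helper name).
function describe_stored_password(string $stored, int $minCost = 10): string
{
    // password_get_info() recognises the "$2y$<cost>$..." layout written by password_hash().
    $info = password_get_info($stored);
    if ($info['algoName'] !== 'bcrypt') {
        return 'NOT bcrypt (plaintext or another scheme)';
    }
    $cost = $info['options']['cost'] ?? 0;
    if ($cost < $minCost) {
        return "bcrypt, but cost $cost is below $minCost (rehash at next login)";
    }
    return "bcrypt, cost $cost";
}

$password = 'constructed-sample-password';
$samples = [
    'bcrypt cost 12' => password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]),
    'bcrypt cost 8'  => password_hash($password, PASSWORD_BCRYPT, ['cost' => 8]),
    'plaintext'      => $password,
    'unsalted md5'   => md5($password),
];

foreach ($samples as $label => $stored) {
    printf("%-15s %s\n", $label, describe_stored_password($stored));
}

// Login-time handling: verify against the stored hash, then upgrade a weak
// cost while the plaintext is still available in memory.
$stored = $samples['bcrypt cost 8'];
$target = ['cost' => 12];
if (password_verify($password, $stored)) {
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, $target)) {
        $stored = password_hash($password, PASSWORD_BCRYPT, $target);
    }
    printf("%-15s %s\n", 'after login', describe_stored_password($stored));
}

// A wrong password never matches, whatever the cost setting.
var_dump(password_verify('wrong-password', $stored));
```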