The installer allows for two basic types of security: password and filename-based.
Password Security
The installer can provide basic password protection, with the password being set at package creation time. The password input on this screen must be entered before proceeding with an install. This setting is optional and can be turned on/off via the package creation screens.
Note: If you do not recall the password, log in to the site where the package was created and open the package details to view the original password. To check the password you just typed, toggle its visibility by clicking the lock icon. For details on how to override this setting, visit the online FAQ.
Filename Security
When you attempt an "Overwrite Install" using the "installer.php" filename on a public server (non-localhost) and have not set a password, the installer will prompt for the filename of the associated archive.zip/daf file. This prevents an outside entity from executing the installer. To complete the install, simply copy the filename of the archive and paste (or type) it into the archive filename box.
Note: If you use a hashed installer name (Settings ❯ Packages), rename the installer to something unique (e.g. installer_932fe.php), set a password, or install from localhost, the archive filename is no longer required.
Note: Even though the installer has a password protection feature, it should only be relied on for the short term while the installer is being used. All installer files must be removed after the install is completed. Files should not be left on the server for any length of time, to prevent security-related issues.
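A post-install check for the cleanup step in the note above, added here as an example (it is not Duplicator's own code): it lists installer scripts and package archives still present under a web root. The function name, the age threshold and the filename patterns (built from the names mentioned on this page) are assumptions.

```shell
#!/bin/sh
# Added example, not part of Duplicator.
# find_leftover_installers WEBROOT [MAX_AGE_MINUTES]
#
# Prints every file under WEBROOT that looks like an installer script or a
# package archive and was last modified more than MAX_AGE_MINUTES ago
# (default 60). The age threshold keeps an install that is in progress
# right now from being reported.
#
# Filename patterns are assumptions derived from the names on this page:
#   installer.php        default installer name
#   installer_*.php      renamed or hashed installer (e.g. installer_932fe.php)
#   *.daf                package archive in daf format
#   *archive*.zip        package archive in zip format
find_leftover_installers() {
    webroot=$1
    max_age=${2:-60}

    if [ ! -d "$webroot" ]; then
        echo "not a directory: $webroot" >&2
        return 2
    fi

    # -mmin is supported by GNU and BSD find.
    find "$webroot" -type f \( \
            -name 'installer.php' -o \
            -name 'installer_*.php' -o \
            -name '*.daf' -o \
            -name '*archive*.zip' \
        \) -mmin +"$max_age" -print
}

# Stand-alone use: sh check_installers.sh /var/www/html 60
if [ "$#" -gt 0 ]; then
    find_leftover_installers "$@"
fi
```

Any path it prints should be removed, either through the Duplicator prompts in the WordPress admin or by deleting the file directly.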
Option | Details |
---|---|
Locked | "Locked" means a password is protecting each step of the installer. This option is recommended on all installers that are accessible via a public URL but not required. |
Unlocked | "Unlocked" means that if your installer is on a public server, anyone can access it. This is a less secure way to run your installer. If you run the installer quickly and then remove all the installer files, the chance of exposing it is low, depending on your site's access history. While a password is not required, it is recommended. If your URL has little to no traffic or has never been the target of an attack, then running the installer without a password is relatively safe if done quickly. However, a password is always a good idea. Also, it is absolutely required to remove all installer files after installation is completed by logging into the WordPress admin and following the Duplicator prompts. |