WPIntell

[Feature request] Improve password security

Luzid Backup to Nextcloud · support · 2026-03-25T16:46:00+00:00


Conversation

cpoakl · 2026-03-25T16:46:00+00:00 · resolved

Hello, Thank you for this plugin which is very interesting. Given the Nextcloud app password is rather sensitive, would you consider improving its security in WP by checking these recommendations: https://stackoverflow.com/questions/25763414/whats-the-best-practice-a-secure-way-for-saving-and-processing-a-password-of-a/25773749#25773749 ?

1. Encrypting the password could probably take place in the sanitize_options() function declared in luzid-backup-to-nextcloud.php. Here is a snippet that would help: https://permanenttourist.ch/2023/03/storing-credentials-securely-in-wordpress-plugin-settings/

2. The idea would be not to decrypt the password at plugin config page load (e.g. in render_admin_page()). If a password is saved, it could show a placeholder with stars to show it exists. Users should be able to enter a new password and save it; however, they might not really need to know which one they have submitted previously. However, test_webdav_connection() behavior would probably need to be tweaked accordingly.

3. Apart from admin page load, it seems fine to me as it is: the password would be decrypted only to perform auth requests.

Regards, cpoakl

cpoakl · 2026-03-26T01:32:00+00:00

After testing with a working webdav config, I see that point 2 is already partially addressed – loading the admin page does not show the password inside the textbox. So in this topic remains the point about encryption/decryption.

luzidmedia · 2026-04-10T07:15:00+00:00

Hi cpoakl,

Thank you so much for taking the time to thoroughly test the plugin and for sharing such detailed and well-structured feedback. It’s rare to receive this level of engagement from a user, and I genuinely appreciate it — several of your suggestions have directly shaped the latest update.

I’m happy to let you know that version 1.3.2 has been published to the WordPress repository. Here’s how your feedback was addressed:

1) PASSWORD ENCRYPTION (your feature request)

Fully implemented. The Nextcloud app password is now encrypted at rest in the database using AES-256-CBC, with the encryption key derived from your site’s unique AUTH_KEY in wp-config.php. The password is only decrypted in memory when performing WebDAV requests — it is never stored or transmitted in plaintext. The plugin also includes automatic self-healing: if decryption ever fails (e.g. due to a changed AUTH_KEY after a site migration), the plugin clears the broken password and shows an admin notice prompting you to re-enter it.

IMPORTANT: After updating to v1.3.2, you will need to re-enter your Nextcloud app password once and click “Save & Test”. This is a one-time step required because the storage format has changed. The plugin will display a yellow notice in the WordPress dashboard reminding you if this step is needed.

2) UPLOAD LIMIT / TIMEOUT WITH MANY FILES (your bug report)

Fixed in v1.3.1 and carried forward into v1.3.2. The root cause was that PHP’s execution time limit was only extended once per source, not per file. With your 187 files at ~50 MB each, the process was killed after about 20 files. The upload loop has been completely rewritten:

- set_time_limit() is now called before each individual file upload
- Progress tracking is now per-file (e.g. “Uploading file 47/187”) instead of per-source
- Large files (>2 MB) use cURL streaming, which reads directly from disk without loading the entire file into PHP memory

This should handle even very large backup sets reliably.

3) LANGUAGE PREFERENCE NOT SAVED (your bug report)

Fixed. The language choice (DE/EN) is now persisted in the database and survives page reloads, redirects, and settings saves. The URL parameter still works for switching, but your preference is remembered.

4) DELETE SOURCE FILES AFTER UPLOAD (your feature request)

I’ve decided not to implement this for now. The risk of data loss if an upload fails silently is too high — if the plugin deletes a local backup file and the remote copy turns out to be corrupted or incomplete, the backup is gone. More importantly, all supported backup plugins (UpdraftPlus, BackWPup, WPvivid, etc.) already have their own retention settings that let you control how many local backups to keep and when to delete them. I’d recommend using those built-in mechanisms for local cleanup, and letting Luzid Backup to Nextcloud handle only the offsite copy + remote rotation.

5) ADDITIONAL IMPROVEMENTS IN v1.3.2

A few more things that made it into this release based on testing:

- Password field now has a visibility toggle (eye icon) and browser autofill protection
- Context-aware action buttons: each tab shows only the relevant buttons
- The “Start Manual Upload” button is disabled until at least one backup source is enabled
- “Delete All Settings” now preserves default source paths and file extensions
- Updated German and English How-To documentation

Thank you again for your valuable contributions. Users like you make the plugin better for everyone. If you run into any issues with the update or have further suggestions, please don’t hesitate to reach out.

Best regards, Luzid Media

cpoakl · 2026-04-16T22:40:00+00:00

Thank you for implementing this!
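A worked example of the at-rest scheme the reply above describes (AES-256-CBC keyed from the site's AUTH_KEY, decryption only on the WebDAV request path, and clearing the stored value when decryption fails), added here as an illustration and not the plugin's own code. It assumes WordPress is loaded so that AUTH_KEY and the option functions exist; the option and function names are made up, and the HMAC tag over the ciphertext is an addition beyond what the thread describes, so a tampered or wrong-key value is rejected outright instead of decrypting to garbage.

```php
<?php
// Added example, not the plugin's own code. Assumes WordPress is loaded
// (AUTH_KEY, get_option, update_option, delete_option); option names are made up.
// The HMAC tag is an addition beyond the AES-256-CBC scheme the thread describes.
const LBN_OPTION = 'lbn_nc_app_password';
const LBN_FORMAT = 'v1'; // storage-format marker so a later version can detect old values
function lbn_keys(): array {
    // Separate encryption and MAC keys derived from the site's AUTH_KEY.
    return [hash_hkdf('sha256', AUTH_KEY, 32, 'lbn-enc'),
            hash_hkdf('sha256', AUTH_KEY, 32, 'lbn-mac')];
}

function lbn_encrypt(string $plain): string {
    [$enc, $mac] = lbn_keys();
    $iv  = random_bytes(16); // fresh IV on every save
    $ct  = openssl_encrypt($plain, 'aes-256-cbc', $enc, OPENSSL_RAW_DATA, $iv);
    $tag = hash_hmac('sha256', LBN_FORMAT . $iv . $ct, $mac, true);
    return LBN_FORMAT . ':' . base64_encode($iv . $ct . $tag);
}

function lbn_decrypt(string $stored): ?string {
    // null on malformed, tampered, or wrong-key (e.g. AUTH_KEY changed) input.
    [$enc, $mac] = lbn_keys();
    if (strpos($stored, LBN_FORMAT . ':') !== 0) return null;
    $raw = base64_decode(substr($stored, strlen(LBN_FORMAT) + 1), true);
    if ($raw === false || strlen($raw) < 64) return null; // iv(16)+block(16)+tag(32)
    $iv = substr($raw, 0, 16); $tag = substr($raw, -32); $ct = substr($raw, 16, -32);
    if (!hash_equals(hash_hmac('sha256', LBN_FORMAT . $iv . $ct, $mac, true), $tag)) return null;
    $plain = openssl_decrypt($ct, 'aes-256-cbc', $enc, OPENSSL_RAW_DATA, $iv);
    return $plain === false ? null : $plain;
}

// Settings-save path (sanitize_options() in the thread): a blank field keeps the old value,
// so the admin page never has to echo the stored password back into the form.
function lbn_save_password(string $submitted): void {
    if ($submitted !== '') update_option(LBN_OPTION, lbn_encrypt($submitted), false);
}
// Only the WebDAV request path decrypts; on failure the value is cleared and the
// admin is flagged to re-enter it ("self-healing" in the thread; notice UI omitted).
function lbn_password_for_request(): ?string {
    $stored = (string) get_option(LBN_OPTION, '');
    if ($stored === '') return null;
    $plain = lbn_decrypt($stored);
    if ($plain === null) {
        delete_option(LBN_OPTION);
        update_option('lbn_password_needs_reentry', 1, false);
    }
    return $plain;
}
```

Because the key is derived from AUTH_KEY, rotating that constant (or migrating the site with new salts) makes every stored value fail the HMAC check, which is exactly the path that clears the option and prompts for re-entry.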
