The installer for Duplicator supports three security modes: secure-file name, basic password, and archive encryption (Pro only).
Password Security
The installer can provide basic password protection, with the password set at package creation time. This setting is optional and can be turned on or off from the package creation screens. If the password is forgotten, log in to the site where the package was created and check the package details for the original password. For details on how to override this setting, see the online FAQ.
Secure-File Security
When you attempt an "Overwrite Install" using the plain "installer.php" filename on a public server (non-localhost) and have not set a password, the installer will prompt for the filename of the associated archive.zip/daf file. This check exists to prevent an outside entity from executing the installer. To complete the install, copy the filename of the archive and paste (or type) it into the archive filename box. The archive filename is no longer required if you use a secure-file installer name (Settings > Packages), which renames the installer to something unique, if you set a password, or if you install from localhost.
Archive Encryption (Pro)
Archive encryption is the most secure of the three modes and the recommended one. This option is set during the package creation process and encrypts the archive.zip/daf file. The archive file cannot be opened without the password; it can be opened either from the installer file or from a client-side program such as 7-Zip, WinZip or iZip.
Note: Even though the installer has a password protection feature, the installer should only exist on the server for the short time it is in use. All installer files must be removed after the install is completed; they should not be left on the server for any length of time, to prevent security issues. Remove all installer files after installation is complete by logging into the WordPress admin and following the Duplicator prompts.
Option | Details |
---|---|
Password | In the upper right corner of the installer is an icon that indicates whether the installer is password protected (locked) or has no password (unlocked). "Locked" means a password protects each step of the installer. This option is recommended on all installers that are accessible via a public URL; it is not required but strongly recommended, unless you use a secure-file name or archive encryption. "Unlocked" indicates the installer is not password protected. A password is not required, but it is recommended. If your URL has little to no traffic and has never been the target of an attack, running the installer quickly and then removing the installer files without a password is possible but not recommended, unless you use a secure-file name or archive encryption. |
Secure-File Archive File Name | When Duplicator creates a site archive it generates three separate files: the archive.zip/daf, installer.php, and a log of the build process. All three files are built with a secure-file name and stored to a storage location either on the server or in the cloud. The secure-file name has the descriptors [name]_[hash]_[time] built into the file name. All files are initially created this way and should not be changed, with the exception of installer.php: the installer can be renamed or set up to be downloaded as just 'installer.php'. It is strongly recommended to keep the secure-file format on the installer to provide a higher level of security, since the secure-file format helps prevent unauthorized users on public servers from locating and running the installer. Archive and log file names should never be changed or modified. |
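As an added example (not Duplicator's own code), the following Python audit ties the secure-file naming rule above to the cleanup note: it flags an installer that was renamed back to the guessable `installer.php`, and any installer, archive or log files still present after an install, marking those older than a threshold. The hex hash length, numeric time format and the `_installer.php`, `_archive.zip/daf` and `_log.txt` role suffixes are assumptions; the page documents only the `[name]_[hash]_[time]` descriptors.

```python
import os
import re

# Assumed shape of a Duplicator secure-file name: [name]_[hash]_[time] followed by the
# file's role. The page documents only the three descriptors; the hex hash length, the
# numeric time format and the role suffixes below are assumptions made for this example.
SECURE_NAME = re.compile(
    r"^(?P<name>.+)_(?P<hash>[0-9a-f]{6,})_(?P<time>\d{8,})_"
    r"(?P<role>installer\.php|archive\.(?:zip|daf)|log\.txt)$"
)
PLAIN_INSTALLER = "installer.php"

def classify(filename):
    """Return the Duplicator artifact role of a file name, or None if unrelated."""
    if filename == PLAIN_INSTALLER:
        return "plain-installer"
    m = SECURE_NAME.match(filename)
    return m.group("role") if m else None

def audit(entries, now, max_age_sec=3600):
    """entries: iterable of (path, mtime). Returns one finding per leftover Duplicator file."""
    findings = []
    for path, mtime in entries:
        role = classify(os.path.basename(path))
        if role is None:
            continue  # not a Duplicator installer, archive or log file
        if role == "plain-installer":
            reason = "installer uses the guessable name installer.php (no secure-file name)"
        else:
            reason = f"{role} left on the server after install"
        if now - mtime > max_age_sec:
            reason += f"; older than {max_age_sec}s"
        findings.append({"path": path, "role": role, "reason": reason})
    return findings

def audit_dir(root, now, max_age_sec=3600):
    """Walk a real web root and audit every file under it."""
    entries = ((os.path.join(d, f), os.path.getmtime(os.path.join(d, f)))
               for d, _, files in os.walk(root) for f in files)
    return audit(entries, now, max_age_sec)

# Constructed sample listing (not real data) of a web root after an install.
SAMPLE = [
    ("/var/www/html/installer.php", 1_700_000_000),
    ("/var/www/html/mysite_3f9a2c1d7e5b_20231114120000_installer.php", 1_700_000_000),
    ("/var/www/html/mysite_3f9a2c1d7e5b_20231114120000_archive.zip", 1_700_000_000),
    ("/var/www/html/mysite_3f9a2c1d7e5b_20231114120000_log.txt", 1_700_000_000),
    ("/var/www/html/wp-config.php", 1_700_000_000),
]
```

Running `audit(SAMPLE, now=1_700_000_000 + 7200)` reports four leftover files, all older than the one-hour threshold, while `wp-config.php` is ignored; `audit_dir("/var/www/html", time.time())` does the same over a live web root.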