At what point do developers get criticized/held responsible for using public repositories for private websites? I get it, people like GitHub, but when you can get a private repo on Bitbucket for free there's no excuse for this.
Hmm. If you alter the search to "filename:wp-config.php FTP_PASS" you start getting some that look like ... legit. For those who don't know, WordPress has some level of access to the hosting server via FTP, for upgrades and plugin installs.
Pertinent config globals are FTP_BASE, FTP_CONTENT_DIR, FTP_PLUGIN_DIR, FTP_PUBKEY, FTP_PRIKEY, and of course, FTP_USER, FTP_PASS, FTP_HOST.
Thought it was going to be template stuff for a min, clicked on the first one and saw "/** MySQL database password */
define('DB_PASSWORD', 'JasxkvpY72KKCdttdBqt');"
Another one I posted about some time ago is FileZilla config files. Found lots of FTP servers with their passwords in the FileZilla config files committed to GitHub. [0]
[0]: https://www.google.co.in/search?q=inurl%3Afilezilla+inurl%3Axml+site%3Agithub.com#q=inurl:filezilla+inurl:xml+site:github.com+-checker+%22%3CPass%3E%22
"Passwords" in the title is a bit misleading. Most of these are staging files with little or no sensitive information in them. However, there is the odd bit of interesting data there if you look hard enough.
GitHub search is an untapped resource, just like Algolia Search is on Hacker News. In fact, I have largely replaced my Google searches with these ones for more refined and curated results.
Apart from putting your wp-config on github, it's also a terrible idea to use short passwords like 'p@ss12' for a database password that will be sent from one machine/program to another most of the time - such passwords should at the very least look like 'jm0Y/ZGjxYZay2yraskQ5AbZ8Qe0r0pRVDdnEkaIvHU', computers can remember strings that long and developers can copy-paste if it's stored in a file already.
A majority of these results aren't actually wp-config.php files. If you sort by date indexed, you'll see that the results include all manner of files.

    filename:"wp-config.php" "define('DB_NAME'," extension:php

seems to give better results.
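A check a maintainer can run before pushing, written for this thread and not taken from any commenter: in Python, it pulls the string define()s out of a wp-config.php, uses the define('DB_NAME' marker from the search above to tell real config files from noise, reports the DB_* and FTP_* credential constants named earlier in the thread, and flags passwords shorter than an assumed 20-character minimum (the short-password point made above). The sample config, its hostname and its secrets are constructed for the demo.

```python
import re

# Constants WordPress reads from wp-config.php that must never reach a
# public repo: the FTP_* names listed in the thread plus the DB_* credentials.
SECRET_CONSTANTS = {
    "DB_USER", "DB_PASSWORD", "DB_HOST",
    "FTP_USER", "FTP_PASS", "FTP_HOST", "FTP_PUBKEY", "FTP_PRIKEY",
}
# Values from wp-config-sample.php or staging stubs that carry no secret.
PLACEHOLDER_VALUES = {"username_here", "password_here", "localhost", ""}
MIN_PASSWORD_LENGTH = 20  # assumption for this demo, not a WordPress setting

# Matches define('NAME', 'value') or define("NAME", "value") on one line.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])([A-Z_]+)\1\s*,\s*(['"])(.*?)\3\s*\)""")

def parse_defines(php_source):
    """Return {CONSTANT: value} for every string-valued define() in the file."""
    return {m.group(2): m.group(4) for m in DEFINE_RE.finditer(php_source)}

def looks_like_wp_config(defines):
    """DB_NAME is the define that separates real wp-config files from noise."""
    return "DB_NAME" in defines

def scan_wp_config(php_source):
    """Return [(constant, finding), ...] for committed credentials and weak passwords."""
    findings = []
    for name, value in parse_defines(php_source).items():
        if name not in SECRET_CONSTANTS or value in PLACEHOLDER_VALUES:
            continue
        findings.append((name, "credential committed"))
        if name in ("DB_PASSWORD", "FTP_PASS") and len(value) < MIN_PASSWORD_LENGTH:
            findings.append((name, "short password"))
    return findings

# Constructed sample: hostname and secrets are made up for the demo.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wp_site');
define('DB_USER', 'wp_admin');
define('DB_PASSWORD', 'p@ss12');
define('DB_HOST', 'localhost');
define("FTP_HOST", "ftp.example.invalid");
define('FTP_USER', 'deploy');
define('FTP_PASS', 'jm0Y/ZGjxYZay2yraskQ5AbZ8Qe0r0pRVDdnEkaIvHU');
"""

if __name__ == "__main__":
    for name, finding in scan_wp_config(SAMPLE_WP_CONFIG):
        print(f"{name}: {finding}")
```

Run it over real files by passing their contents to scan_wp_config, for example from a pre-commit hook.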
Security experts, I have a question: if a database server only allows connections from a whitelist (trusted IPs), is exposing database passwords in a Git repository still a problem?
UNLOQ.io increases the security of your digital properties through a distributed authentication system that doesn’t require your users to remember any passwords.
You do know that you can play the same game with other languages as well?
https://github.com/search?utf8=%E2%9C%93&q=filename%3Asettings.py+mysql&type=Code&ref=searchresults
I feel like people don't accept the fact that people do stupid stuff in other languages.
I found this search more interesting than someone pushing their wp-config to a repo; also, warning, some are NSFW: https://github.com/search?p=100&q=filename%3Atits.jpg+&ref=searchresults&type=Code&utf8=%E2%9C%93
What is there to say ... developers, don't dump your projects in GitHub public repositories ... use Bitbucket and free private repos if you can't afford to pay, FOR GOD'S SAKE !!! ...
!!! How many of them use the same credentials for their email? Facebook? Twitter? For their AWS account? This is a nightmare.
That's why I am using https://Coding.net (Chinese only), a Chinese startup that provides free and unlimited private repository hosting with lots of features like code reviews, custom domains, a WebIDE... Go private, guys!