Plaintext database user and password in config.php

#1

Hey guys, I’m absolutely new here and not yet very experienced with Nextcloud. I just installed Nextcloud 15.0.5 on the webspace of our external provider. What I recognized is that the user and password of the Nextcloud database are stored in plaintext in the config.php file.

Well, I’m not an IT security expert - but this seems to be strange to me…

Even if access to this file is restricted, I’m pretty sure the admin of the provider will have access to read this file.

I really used the search function in this board but did not get useful results for me. If this topic was discussed before, I’m sorry to open a new thread…

My questions:

  1. Is this a security issue?
  2. Is this a bad configuration issue from my side?
  3. What is your suggestion to deal with this point?

Thanks a lot!
Tonio

#2

This is how most webapps handle database connections. WordPress for example does the same. The configuration has the username and password in plaintext.

This is not optimal from a security point. But it is pretty much the only way if keeping things simple enough.

#3

Wow, thank you very much for this quick response! So… I guess ownCloud will handle this issue the same way?

#4

Yes they do.

1 Like
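
Because the thread's answer is that the credentials stay in plaintext and only access to config.php is restricted, the following added example (not part of the original posts and not Nextcloud code) audits that file's mode bits for exposure to other local accounts. The sample file contents, the `audit_config` helper and the 0640 target mode are assumptions made for illustration; mode bits do not restrict the hosting provider's administrator.

```python
import os
import re
import stat
import tempfile

# Nextcloud keeps the database login under these config.php keys.
SECRET_KEYS = re.compile(r"""['"](dbuser|dbpassword)['"]\s*=>""")


def audit_config(path):
    """Return findings for a config file that may hold DB credentials."""
    st = os.lstat(path)  # lstat: do not silently follow a symlink
    if stat.S_ISLNK(st.st_mode):
        return ["symlink: audit the link target instead"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    mode = stat.S_IMODE(st.st_mode)
    with open(path, encoding="utf-8", errors="replace") as fh:
        holds_secrets = bool(SECRET_KEYS.search(fh.read()))
    findings = []
    if holds_secrets and mode & stat.S_IROTH:
        findings.append("world-readable: any local account can read the DB login")
    if mode & stat.S_IWOTH:
        findings.append("world-writable: any local account can alter the config")
    if mode & stat.S_IWGRP:
        findings.append("group-writable: group members can alter the config")
    return findings


def demo():
    # Constructed sample, not a real configuration.
    sample = ("<?php\n$CONFIG = array (\n"
              "  'dbuser' => 'nc_user',\n"
              "  'dbpassword' => 'constructed-example',\n);\n")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.php")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)   # common default: readable by everyone
        before = audit_config(path)
        os.chmod(path, 0o640)   # assumed target: owner and group only
        after = audit_config(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("0644:", before)
    print("0640:", after)
```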