Security Aspects

MySQL passwords

Since Nucleus needs to connect to a MySQL database from a PHP script, the password for that database must be stored inside a PHP file. On multi-user systems, this might cause an unavoidable security risk: on some systems, other users will be able to read your login information. You might want to contact your system operator to find out how secure it is to store sensitive information inside PHP scripts.

The problem above is common to all PHP scripts that need to connect to a database. As a user, there's usually nothing you can do about it in order to make things 100% secure. We just want you to be aware of this potential danger.


Nucleus uses cookies to store user login information. This could become a security risk if your cookies are stolen. Although your password cannot be derived from the cookie (the values stored in the cookie are the username and a randomly generated string), there could be ways to 'fake' the cookie on another computer and thus get logged in.

Media dir

When you want to enable file upload, you'll need to set the permissions of the media dir to 777, which means that everyone on that server will be able to delete/add/... files. This is needed because PHP mostly runs as the httpd user, and that user needs to be able to access this dir and write to it. Here too, there's no way around this.
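
To see whether your own host exposes the two risks described under "MySQL passwords" and "Media dir", the following script checks the permission bits granted to other local users. It is an added example, not part of Nucleus; the function names are illustrative and both paths are supplied by the caller.

```shell
#!/bin/sh
# Added example (not Nucleus code): report the two permission risks this
# page describes. Both paths are supplied by the caller.

# Octal permission bits of a path: GNU stat first, BSD stat as a fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Last octal digit of the mode = permissions granted to "other" users.
other_digit() {
    m=$(mode_of "$1") || return 1
    echo "${m#"${m%?}"}"
}

# True (0) if every local user can read the file holding the DB password.
world_readable() {
    d=$(other_digit "$1") || return 2
    [ $(( $d & 4 )) -ne 0 ]
}

# True (0) if every local user can add or delete entries in the directory.
world_writable() {
    d=$(other_digit "$1") || return 2
    [ $(( $d & 2 )) -ne 0 ]
}

# Print one line per finding; return the number of findings (3 = bad input).
audit() {
    [ -f "$1" ] && [ -d "$2" ] || { echo "ERROR: need a file and a directory" >&2; return 3; }
    findings=0
    if world_readable "$1"; then
        echo "WARN $1 (mode $(mode_of "$1")): readable by every local user"
        findings=$((findings + 1))
    fi
    if world_writable "$2"; then
        echo "WARN $2 (mode $(mode_of "$2")): writable by every local user"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage: sh audit.sh /path/to/password-file /path/to/media-dir
if [ "$#" -eq 2 ]; then
    audit "$1" "$2"
fi
```

A clean result only covers direct file access by other accounts: where PHP runs as a shared httpd user, other users' PHP scripts run as that same user and can read whatever it can read.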

Nucleus CMS Manual