

You want to see my what?
May 31, 2012 9:41 AM   Subscribe

I have contacted the designer of my WordPress theme for support and they are asking for log-in info. This seems like a "stop right there" kinda thing. Am I being too cautious?

I have a question about a theme that I'm working with. They advertise providing support so I contacted the developer of the theme as they instruct on themeforest.net.

They initially asked for my "site and log-in info", to which I responded "I prefer not to for security reasons".

Their second response was:

"I really do not know how to begin to troubleshoot without taking a look at the file structure and doing some tests.

Let's try by starting with the wordpress logins.

Can you provide those to me?"

So if their initial request was for FTP/Site Admin log-in, I'm certainly not going to provide that.

The question I have is not a deep one, and I would like to try to troubleshoot it without getting into revealing access info. I'm also an independent contractor, so it's my client's security at stake here.

This just seems out of line to me. Am I being too cautious?

Thanks,
chuck
posted by humboldt32 to Computers & Internet (14 answers total) 1 user marked this as a favorite
 
No, you are not being too cautious. They can provide you with steps to take ("Do these things, and email me the output") or look at the site itself. Under no circumstances should you give your login information to someone like this.

Now, it is probably harmless and they just want to troubleshoot something quickly (they would know where to look for certain things). But you can provide them with what they need without compromising your security.
posted by Philosopher Dirtbike at 9:45 AM on May 31, 2012 [1 favorite]


I don't think you are being too cautious.

I would recommend offering to have a join.me session and allowing them to control your screen as needed under your supervision.
posted by effigy at 9:47 AM on May 31, 2012 [1 favorite]


An alternative is to take the site and back it up. You can take sensitive info out of the DB and send them the DB and file structure.
posted by pyro979 at 9:52 AM on May 31, 2012


You're not being too cautious, but at the same time recognize that you might also not be able to get support out of these people easily. Some tech folk don't do the "abstracted" problem solving very well and need to see the actual problem.

As an alternative, could you instead make a copy of the site available to them in a zip file that they can examine on their end (removing any sensitive data first, of course)?
posted by barc0001 at 9:53 AM on May 31, 2012 [2 favorites]


I've seen this in premium theme/plugin threads before. Probably safe, but you're right to be cautious. Without knowing what your issue is, it's hard to say if they need the access or not. I'd go with effigy's suggestion of screen sharing.
posted by backwards guitar at 10:02 AM on May 31, 2012


Another alternative is to change your credentials temporarily so you're not giving them the password you'd normally use. My wife is a semi-professional blogger and has designers accessing her site often; she gives them throwaway credentials and has never had a problem.
posted by denriguez at 10:05 AM on May 31, 2012 [2 favorites]


Thanks everyone. This is just as I thought. I realize this would make it easier for the designer and most likely harmless, but I believe that not providing opportunity is the first line of defense.

I've not looked into join.me before. Is it "safe" to use?
posted by humboldt32 at 10:07 AM on May 31, 2012


Yes, I also considered a throwaway credential. I didn't know if that might provide opportunity for abuse that might not be readily apparent.
posted by humboldt32 at 10:09 AM on May 31, 2012


I'm a contract web developer. It’s good that you’re cautious, but at the same time there’s nothing surprising about them asking for logins.

The problem is that from their perspective, there are a huge number of things that can go wrong. If they have a bunch of clients, and most of them are not programmers, and perhaps not even particularly technically literate, then it’s going to be really difficult for them to solve problems without access to the file structure and database.

I say you should look at this in terms of what can go wrong:

They could install malware on your site

You’ve already installed their code on your site, so this isn’t really a big risk.

They could steal your sensitive data

They already have access to most of your data because they have code running on your server. It would be pretty easy to build a WordPress theme that includes a backdoor with full server access.

Of course, if you have very tempting sensitive data on your site (e.g. credit card numbers), that might be another issue. You should remove that data.

They could leak or sell access to your site

So, change the passwords when they’re done.

BTW, and I see this a lot: If you use the same password for your site as for other things, DON’T DO THAT. Seriously, don’t. Get 1Password or something like it.

They could break your site

Yeah, that’s a possibility.

Anyway, my point is that it’s probably safe. Sorry for my verbosity!
posted by danielparks at 10:09 AM on May 31, 2012 [3 favorites]


Being cautious is awesome.

But let's use a car analogy. You're having some issues so you go to your mechanic and explain the issue. Your mechanic says he's busy but would be glad to take a look, just leave your car and key and he'll check this afternoon and give you a call.

But wait! Now that your mechanic has your key, he can take your car! He has access to everything in it! There's no stopping him.

Being wary of auto theft, you decline and say "hey, no problem, but I don't trust you with access to my car, so just give me a call later like you said and I'll do what you tell me over the phone".

Sorry, as an IT person who also does web application development on the side, I cannot fix what I cannot see. I refuse to work around someone who won't let me tinker directly. I'd be glad to screenshare, and I'd encourage you to change all passwords after I was done and monitor everything I did.

But I would not work around someone who would not let me access the problem myself.

I wish more people in life understood that if you do not know much about something that is broken and cannot/do not wish to learn enough to fix it, then you must completely trust those who you expect to fix it for you with whatever is broken. Your car, your computer, your website, your suit that ripped on the sleeve because it got caught on a sharp piece of metal, etc.

You've already installed their code without knowing what it does (if you did know, you'd be able to figure out exactly what the problem is) so you already trust them enough to give them access to your site, database and server.

You could clone the site, munging all data and let them have at it. But if you do that, ZIP it up and send it over and they find no problems, that means the problem is with your live, production site and they'll have to see your live production site to start looking for the issue (file permissions, php issues, caching issues, etc.).
posted by Brian Puccio at 10:56 AM on May 31, 2012 [6 favorites]


You say you have a question about a theme. There are probably certain questions that should be answerable without seeing your stuff specifically. Beyond that, they'll have to look. What motivation do they have to mess your stuff up? Why would you install the product if it's not trustworthy?

I run a support desk. We have passwords for many of our customers, but if we don't we stream in so they can type the passwords in. Or they give us access with a password that they'll change when we're done. Those are all options. Psychically divining your issue with no access to the system is not.

Most popular WP themes are self-updating, which means they are connecting back home and loading code provided by the creator (and crappy themes get exploited by hackers all the time, it's my biggest issue with WP). What could they do to you with a password that they couldn't do without it, and again, why would they? You contacted them.
posted by Lyn Never at 11:14 AM on May 31, 2012


But wait! Now that your mechanic has your key, he can take your car! He has access to everything in it! There's no stopping him.

This is a poor analogy, especially for the situation at hand, where there is potentially sensitive client information involved. It has been implied above that there's no reason to be careful, since you've already used their code. This is ridiculous; it is essentially saying that because there is a small chance you've exposed your clients' data by using their theme, it is ok to guarantee that you've exposed it by giving up login credentials! Wha?
posted by Philosopher Dirtbike at 2:24 PM on May 31, 2012 [1 favorite]


Car keys to a mechanic is an incredibly apt analogy. It's the first one I thought of. But given you appear to have sensitive information locked into this site, you are between a rock and a hard place: you need help, but cannot allow help to enter the site and help.

If you are truly concerned, what you need to do is generate a legally binding NDA between yourself and this theme developer that gives you and your client peace of mind with regards to what they do and see inside the backend.

When I've been in this situation with clients 1 of 2 things happens, and perhaps one of these will help.

1. Client creates a parallel site with the same plugins + theme, and a minimal set of data - they grant me access to THAT site and I make my theme+plugin changes, and then they are responsible for pushing to the "production" site. This is in line with a process that goes development → staging → production. You only have production right now, and that's probably to your detriment at the moment.

2. Client creates a login for me that is temporary, and clearly so. I enter the site at a predetermined time and am emailing or IMing as I do my analysis and testing - I still have complete access, but in the car analogy, they are watching me as I inspect the car - a web dev chaperone.

Perhaps one of these approaches will give you a possible idea for how to approach this.
posted by artlung at 11:54 PM on May 31, 2012
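The throwaway login that denriguez and artlung describe, as an added example (not code from the thread or from any theme vendor): a WordPress must-use plugin that creates a randomly-passworded support account with a fixed lifetime and deletes it automatically once that lifetime passes. The account name, the four-hour lifetime, the placeholder e-mail domain and the role are assumptions; pick the lowest role that lets the developer reproduce the issue.

```php
<?php
/**
 * Plugin Name: Temporary Support Login (added example, not from the thread)
 * Drop into wp-content/mu-plugins/. Creates a throwaway support user that is
 * deleted automatically after its lifetime; the password is returned once.
 */

// Assumed settings: account name and lifetime are illustrative choices.
const TSL_USER    = 'theme-support-temp';
const TSL_TTL_SEC = 4 * HOUR_IN_SECONDS;   // WordPress constant: 4 hours

// Create the throwaway account. Returns the generated password (hand it to the
// developer over a separate channel) or a WP_Error on failure.
function tsl_create_support_user( string $username = TSL_USER, int $ttl = TSL_TTL_SEC, string $role = 'administrator' ) {
    if ( get_user_by( 'login', $username ) ) {
        return new WP_Error( 'exists', 'Support user already exists' );
    }
    $password = wp_generate_password( 24, true, true );   // random, never your own password
    $user_id  = wp_insert_user( [
        'user_login' => $username,
        'user_pass'  => $password,
        'user_email' => $username . '@example.invalid',    // placeholder address
        'role'       => $role,   // least privilege: lower this if the issue does not need theme settings
    ] );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    update_user_meta( $user_id, 'tsl_expires', time() + $ttl );
    return $password;
}

// On every request, delete any support account whose lifetime has passed,
// ending its session first if it is the one making the request.
function tsl_reap_expired_users(): int {
    require_once ABSPATH . 'wp-admin/includes/user.php';   // provides wp_delete_user()
    $removed = 0;
    foreach ( get_users( [ 'meta_key' => 'tsl_expires' ] ) as $user ) {
        $expires = (int) get_user_meta( $user->ID, 'tsl_expires', true );
        if ( $expires && $expires <= time() ) {
            if ( get_current_user_id() === $user->ID ) {
                wp_logout();
            }
            wp_delete_user( $user->ID );   // pass a reassign user ID as 2nd arg to keep any content they created
            $removed++;
        }
    }
    return $removed;
}
add_action( 'init', 'tsl_reap_expired_users' );

// From WP-CLI: wp eval 'echo tsl_create_support_user(), PHP_EOL;'
```

After the developer is done, rotate any other passwords they could have seen, as danielparks suggests above; the expiry only removes the account you created for them.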


Thanks everyone for your comments and advice. I ended up creating a throw-away WP log-in. The developer went in and quickly identified the problem.

Not my preferred approach, and it could have easily been answered without access with just a question or two, but there you go.

Cheers,
chuck
posted by humboldt32 at 10:23 AM on June 1, 2012

