
So I'm having a bit of a security nightmare right now, advice appreciated!



Posted (edited)

Hi, so here's some background. I run 3 Wordpress sites as part of my own little web empire. The sites use themes I've purchased from various places that included support. Anyway, to cut a long story a little shorter, one of my sites' themes started acting weird after the latest Wordpress upgrade. I contacted the theme's author and asked for support. This is when things get bad. He's demanding that I hand over my admin login to my Wordpress site. Initially he said I should post it on their forum, but make the post "private". I said "No, that's terrible practice, can you use PGP?" At first he said yes but then e-mailed back with "sorry, what is this? I don't know how to use it".

So now I'm stuck; this guy wants me to e-mail the keys to my kingdom via unencrypted e-mail. He's saying I'm unreasonable and that no other clients have ever asked for this kind of security. Frankly, I think he's the one being unreasonable in not being more professional with HIS security. I suggested a compromise where I send him a backup of my site instead, but he refused, claiming it was no good as he wants to check for hosting issues.

What would you guys do? I know I could just e-mail the details and then change the passwords once he was finished, meaning things would only be at risk for a day or so, but the whole thing irks me no end; this is terrible practice, and I shouldn't be the one criticised for wanting to do things properly.

Edited by BuckoA51
Posted

Well, your other option is to create a temp account for him, send him the creds for it, and then delete it once he's done using it.

Posted

Bottom line is that the guy is full of shit. If he's going to provide support for a theme, as per your contract, he should have access to a representative environment to test it on, on his own dime. In other words, you're dealing with an utter amateur. So, the first thing on your agenda would be to start looking for another guy.

In the meantime, what you can do is install your current WordPress version on a clean VirtualBox image. Put your site up on it with his theme on it. Use dumb passwords here; admin/admin comes to mind. Give him the download link to the disk image files and those passwords, and tell him that if he makes the theme work there, you and he are golden. He'll bitch and moan about looking for "hosting issues" and whatnot again. Remind him that that's your department; he's the theme guy and that theme's got issues. If he can deliver a theme that installs cleanly on that without the recently observed issues, you'll see to it that things work alright on the actual system.

I mean, he didn't have admin access previously, did he?

Posted

No, he didn't have admin access previously, I installed the theme myself after purchasing it.

I offered to send a full backup of the site using the Wordpress Duplicator plugin, which can then be installed on a local XAMPP server for testing. I explained that I had the exact same issue when running my Wordpress site within XAMPP as I do when it is running live. He still refused to help me: "Lol you are only person i've meet in my career with such security norms".

Frustrating to the extreme! I have one more idea, which is to use LastPass. I don't really like LastPass as a password manager as I don't want my passwords in the cloud, even encrypted, but it should do for this situation, as per https://foliovision.com/sharing-sensitive-information

I'll let you know.

Posted

I fear you're making a mistake here.

Bottom line is, you shouldn't want him on your system, period.

What you should do is to give him a choice:

1. Fix the issue using that duplicated image.

2. Fix the issue using direct access, but quite literally *ANYTHING* *AND* *EVERYTHING* not hardware-related that causes the server to not behave as expected will become his responsibility. He's going to have to sign a legal document to that effect which includes a clear stipulation on the amount of money he's going to have to pay you for each day the issue remains unfixed. And you're not going to pay a dime for this 'extra service' since you didn't want it in the first place.

As for his reply, I would've answered that with a simple "Likewise".

Posted

Oh, one more thing. Make a backup of the system before letting him on. Afterwards, export the theme, restore the system to its original state, and apply the theme.

He's got you with your back against the wall and knows it. To say I wouldn't trust him further than I can drool is an overstatement.

Posted

Oh, I'll be making a full backup for sure. Frankly, if he doesn't agree to the LastPass suggestion I'll just tell him to get lost and either try to fix the problem myself (it would be good coding experience) or just get a new theme.

Posted

With LastPass you're still letting him onto your system. Why?

Would you let everybody who works at Durex fuck your girlfriend because they make the rubber you intend to use?

Posted

Take the proper precautions and take notes of all changes he makes... in case these changes could cause security holes or a backdoor is installed...

It would be exciting if you caught him in the act...

I'm no security pro... I would list all files recursively.

Modification dates could be logged and compared...

Or list all files and grep through them each day he has access...

ls -alR /var/www/root | grep $date

Posted

MD5SUM over the files should suffice. The guy seems more a punk than a knowledgeable foe.
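The two suggestions above (log and compare the file listing each day he has access; hash the files and compare) amount to a baseline-and-diff integrity check. The script below is an added example, not something posted in this thread, and it swaps MD5 for SHA-256 since `md5sum` and `sha256sum` are interchangeable here. It assumes a POSIX shell with coreutils (`find`, `sha256sum`, `sort`, `awk`, `mktemp`); the sample site tree it builds is constructed for the demo and is not real WordPress content. Hashing file contents rather than grepping `ls` dates matters because a modification time can be reset after editing, which the demo shows with `touch -r`.

```shell
#!/bin/sh
# Added example: baseline-and-compare file integrity check for a web root.
# Not from the original thread. Assumes POSIX sh + coreutils (find, sha256sum,
# sort, awk, mktemp). Paths containing two consecutive spaces are not handled.

# make_manifest ROOT OUTFILE
# Writes "<sha256>  ./relative/path" for every regular file under ROOT, sorted
# by path. Relative paths let a manifest from the live site be compared with
# one taken from a restored backup or a duplicator copy.
make_manifest() {
    root="$1"
    out="$2"
    ( cd "$root" && find . -type f -exec sha256sum {} + ) | sort -k2 > "$out"
}

# compare_manifests BEFORE AFTER
# Prints one line per difference: ADDED, MODIFIED or REMOVED followed by the path.
compare_manifests() {
    before="$1"
    after="$2"
    # sha256sum separates hash and path with exactly two spaces, so use that as FS.
    awk -F'  ' -v base="$before" '
        FILENAME == base { baseline[$2] = $1; next }
        {
            current[$2] = $1
            if (!($2 in baseline))        print "ADDED    " $2
            else if (baseline[$2] != $1)  print "MODIFIED " $2
        }
        END { for (p in baseline) if (!(p in current)) print "REMOVED  " p }
    ' "$before" "$after" | sort
}

# demo_run
# Builds a constructed sample site, takes a baseline, simulates changes made
# during a third party's access window, and prints the differences found.
demo_run() {
    work=$(mktemp -d)
    site="$work/site"
    theme="$site/wp-content/themes/purchased-theme"
    mkdir -p "$theme"

    # Constructed sample files (placeholder content, not a real install).
    printf 'define("DB_PASSWORD", "placeholder");\n' > "$site/wp-config.php"
    printf '<?php // theme functions\n' > "$theme/functions.php"
    printf '<?php // front controller\n' > "$site/index.php"

    make_manifest "$site" "$work/before.sha256"

    # Simulated changes (constructed): edit a theme file and reset its mtime so a
    # date-based check would miss it; drop in a new file; delete another.
    printf '<?php // theme functions\n// edited during support access\n' > "$theme/functions.php"
    touch -r "$site/wp-config.php" "$theme/functions.php"
    printf '<?php // unexpected new file\n' > "$theme/extra.php"
    rm "$site/index.php"

    make_manifest "$site" "$work/after.sha256"

    result=$(compare_manifests "$work/before.sha256" "$work/after.sha256")
    rm -rf "$work"
    printf '%s\n' "$result"
}

demo_run
```

Take the baseline immediately before handing over access and a fresh manifest after each session; anything listed as ADDED or MODIFIED that he did not tell you about is what to inspect before deciding whether to keep the changes or restore the backup.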

Posted

With bash, you can omit the quotes around the curly brackets (curly braces? Don't know the correct word).

Posted

Well, guess what, he didn't even bother to e-mail back when I asked him to use LastPass.

Frankly, I hope this kind of thing isn't the norm for Wordpress companies (I had to call out the last firm I used for custom Wordpress work for sloppy security too, but they changed policy based on my recommendations almost immediately).

I think it's time to name and shame. Never EVER buy or advise a client to buy a theme from Skywarrior themes http://themeforest.net/user/Skywarrior
