BuckoA51 Posted October 24, 2014 (edited)
Hi, so here's some background. I run 3 WordPress sites as part of my own little web empire. The sites use themes I've purchased from various places that included support. Anyway, to cut a long story a little shorter, one of my sites' themes started acting weird after the latest WordPress upgrade. I contacted the theme's author and asked for support. This is when things get bad. He's demanding that I hand over my admin login to my WordPress site. Initially he said I should post it on their forum, but make the post "private". I said "No, that's terrible practice, can you use PGP?" At first he said yes but then e-mailed back with "sorry, what is this? i dont know how to use it". So now I'm stuck: this guy wants me to e-mail the keys to my kingdom via unencrypted e-mail. He's saying I'm unreasonable and no other clients have ever asked for this kind of security. Frankly, I think he's the one being unreasonable in not being more professional with HIS security. I suggested a compromise where I sent him a backup of my site instead, but he refused, claiming it was no good as he wants to check for hosting issues. What would you guys do? I know I could just e-mail the details then change passwords once he was finished, meaning things would only be at risk for a day or so, but the whole thing irks me no end; this is terrible practice and I shouldn't be the one criticised for wanting to do things properly.
Edited October 24, 2014 by BuckoA51
newbi3 Posted October 24, 2014
Well, your other option is to create a temp account for him, send him the creds for it, and then delete it once he's done using it.
cooper Posted October 24, 2014
Bottom line is that the guy is full of shit. If he's going to provide support for a theme, as per your contract, he should have access to a representative environment to test it on, on his own dime. In other words, you're dealing with an utter amateur. So, the first thing on your agenda would be to start looking for another guy. In the meantime, what you can do is install your current WordPress version on a clean VirtualBox image. Put your site up on it with his theme on it. Use dumb passwords here; admin/admin comes to mind. Give him the download link to the disk image files and those passwords and tell him that if he makes the theme work there, you and him are golden. He'll bitch and moan about looking for "hosting issues" and whatnot again. Remind him that that's your department; he's the theme guy and that theme's got issues. If he can deliver a theme that installs cleanly on that without the recently observed issues, you'll see to it that things work alright on the actual system. I mean, he didn't have admin access previously, did he?
BuckoA51 (Author) Posted October 25, 2014
No, he didn't have admin access previously; I installed the theme myself after purchasing it. I offered to send a full backup of the site using the WordPress Duplicator plugin, which can then be installed on a local XAMPP server for testing. I explained that I had the exact same issue when running my WordPress site within XAMPP as I do when it is running live. He still refused to help me: "Lol you are only person i've meet in my career with such security norms". Frustrating to the extreme! I have one more idea, that's to use LastPass. I don't really like LastPass as a password manager as I don't want my passwords in the cloud, even encrypted, but it should do for this situation as per https://foliovision.com/sharing-sensitive-information. I'll let you know.
cooper Posted October 25, 2014
I fear you're making a mistake here. Bottom line is, you shouldn't want him on your system, period. What you should do is to give him a choice:
1. Fix the issue using that duplicated image.
2. Fix the issue using direct access, but quite literally *ANYTHING* *AND* *EVERYTHING* not hardware-related that causes the server to not behave as expected will become his responsibility. He's going to have to sign a legal document to that effect which includes a clear stipulation on the amount of money he's going to have to pay you for each day the issue remains unfixed. And you're not going to pay a dime for this 'extra service' since you didn't want it in the first place.
As for his reply, I would've answered that with a simple "Likewise".
cooper Posted October 25, 2014
Oh, one more thing. Make a backup of the system before letting him on, export the theme, restore the system to its original state, apply the theme. He's got you with your back against the wall and knows it. To say I wouldn't trust him further than I can drool is an overstatement.
BuckoA51 (Author) Posted October 26, 2014
Oh, I'll be making a full backup for sure. Frankly, if he doesn't agree to the LastPass suggestion I'll just tell him to get lost and either try to fix the problem myself (would be good coding experience) or just get a new theme.
cooper Posted October 26, 2014
With LastPass you're still letting him onto your system. Why? Would you let everybody who works at Durex fuck your girlfriend because they make the rubber you intend to use?
BuckoA51 (Author) Posted October 26, 2014
It's a compromise. I can unfuck a website with a backup; I couldn't unfuck a woman. :)
fugu Posted October 27, 2014
I wonder if you could diff -u -r the backup vs. what he messed around with to see what he changed.
i8igmac Posted October 27, 2014
Take the proper precautions and take notes of all changes he makes. If these changes could cause security holes, or a backdoor is installed, it would be exciting if you caught him in the act. I'm no security pro, but I would list all files recursively. Modification dates could be logged and compared, or list all files and grep through each day he has access:
ls -alR /var/www/root | grep $date
cooper Posted October 27, 2014
md5sum over the files should suffice. The guy seems more a punk than a knowledgeable foe.
fugu Posted October 31, 2014
find / -type f -exec md5sum '{}' \; 2> /dev/null > /path/to/md5sums_dump.txt
cooper Posted October 31, 2014
With bash, you can omit the quotes around the curly brackets (curly braces? Don't know the correct word).
BuckoA51 (Author) Posted November 3, 2014
Well, guess what: he didn't even bother to e-mail back when I asked him to use LastPass. Frankly, I hope this kind of thing isn't the norm for WordPress companies (I had to call out the last firm I used for custom WordPress work for sloppy security too, but they changed policy based on my recommendations almost immediately). I think it's time to name and shame. Never EVER buy or advise a client to buy a theme from Skywarrior themes: http://themeforest.net/user/Skywarrior