Security Question - Letting someone else install plugins

[mrdmorrison]

Hello,

I have recently opened a Zen Cart store and can instal some basic plugins, and make some basic modifications with template codes when I can clearly see the differences on what need to be added.

The problem is I have two plugins that I cant install correctly because they mess up my template. So im considering paying someone with more expertise to install these.

My question is:

Is this safe? I know I shouldnt give out my mysql /Admin/ Cpanel passwords, but in this case I may need to... How can I limit my risk. What are the threats? Anything i need to me cautious of?

Or am I just over reacting on this?

[schoolboy]

Hello,

I have recently opened a Zen Cart store and can instal some basic plugins, and make some basic modifications with template codes when I can clearly see the differences on what need to be added.

The problem is I have two plugins that I cant install correctly because they mess up my template. So im considering paying someone with more expertise to install these.

My question is:

Is this safe? I know I shouldnt give out my mysql /Admin/ Cpanel passwords, but in this case I may need to... How can I limit my risk. What are the threats? Anything i need to me cautious of?

Or am I just over reacting on this?

Of course there is always a risk if you hand passwords to strangers - only you can determine the extent of that risk however.

You should try your best to establish the credentials of the person you appoint. Get evidence of a permanent address, a telephone number and if they claim to operate as (or within) a company, see if that company is registered.

What mods are you trying to install, and why is your template not "allowing" this?

Have you asked for help on the forum with these issues?

[Limitless]

If you are super paranoid, Set up a copy of your shop and give them access to that, then copy over the modified files to implement in your 'real' shop.

I've had good luck with few freelancers from the various freelance sites, once I trust them, I tend to rehire them...

[mrdmorrison]

If you are super paranoid, Set up a copy of your shop and give them access to that, then copy over the modified files to implement in your 'real' shop.

I've had good luck with few freelancers from the various freelance sites, once I trust them, I tend to rehire them...

That is a perfect solution.... thanks

[RodG]

I know I shouldnt give out my mysql /Admin/ Cpanel passwords, but in this case I may need to... How can I limit my risk. What are the threats? Anything i need to me cautious of?

Or am I just over reacting on this?

I'm one of people that believe most people are basically honest and that providing login details to a developer is generally pretty safe. Nonetherless, I'll always change the password(s) after giving such access (and as a developer I'll always insist the client changes their passwords after I've completed what I was hired to do).

If you are using ZenCart V1.5 you should create a new admin account for any developers you hire (so you don't need to give them *your* password), and I'd also suggest that you use your cPanel to create a special FTP user account for your developer(s) so that you don't need to give them the cPanel or master FTP passwords.

In other words, with the current zencart you have no need to give any developer any of your personal logon/password details. Just provide them with their own admin and FTP accounts (not the cPanel account) and that's all you need to provide. Both accounts can then be easily deleted or deactivated after the job is complete.

Cheers
Rod

[mrdmorrison]

I'm one of people that believe most people are basically honest and that providing login details to a developer is generally pretty safe. Nonetherless, I'll always change the password(s) after giving such access (and as a developer I'll always insist the client changes their passwords after I've completed what I was hired to do).

If you are using ZenCart V1.5 you should create a new admin account for any developers you hire (so you don't need to give them *your* password), and I'd also suggest that you use your cPanel to create a special FTP user account for your developer(s) so that you don't need to give them the cPanel or master FTP passwords.

In other words, with the current zencart you have no need to give any developer any of your personal logon/password details. Just provide them with their own admin and FTP accounts (not the cPanel account) and that's all you need to provide. Both accounts can then be easily deleted or deactivated after the job is complete.

Cheers
Rod

Thats a good idea and sounds much simpler than creating a clone site and merging them over. As my site is empty at the moment I dont see a big security threat.

Im curious tho. is there an additional security threat:

(1) is he/she changes any of the file permissions at a later date?

(2) isnt my database password stored in one of the config files also. is this a threat? Should I go to the effort of changing this also?

[RodG]

Im curious tho. is there an additional security threat:

(1) is he/she changes any of the file permissions at a later date?

Any reduction in file permissions will always increase the risk of threats.

(2) isnt my database password stored in one of the config files also.

Yes.

is this a threat?

Only if the wrong people/person has access to it.

Should I go to the effort of changing this also?

Do you go to the effort of locking your windows as well as your doors when you go out? (Sometimes I do, sometimes I don't. Only I am in the position to determine the risk in any given situation).

Cheers
Rod