Forums / General Questions / Security Question - Letting someone else install plugins

Security Question - Letting someone else install plugins

Results 1 to 7 of 7
03 Aug 2012, 16:01
#1
mrdmorrison avatar

mrdmorrison

New Zenner

Join Date:
Aug 2012
Posts:
4
Plugin Contributions:
0

Security Question - Letting someone else install plugins

Hello,

I have recently opened a Zen Cart store and can instal some basic plugins, and make some basic modifications with template codes when I can clearly see the differences on what need to be added.

The problem is I have two plugins that I cant install correctly because they mess up my template. So im considering paying someone with more expertise to install these.

My question is:

Is this safe? I know I shouldnt give out my mysql /Admin/ Cpanel passwords, but in this case I may need to... How can I limit my risk. What are the threats? Anything i need to me cautious of?

Or am I just over reacting on this?
03 Aug 2012, 16:30
#2
schoolboy avatar

schoolboy

Totally Zenned

Join Date:
Jun 2005
Posts:
10,324
Plugin Contributions:
0

Re: Security Question - Letting someone else install plugins

mrdmorrison:

Hello,

I have recently opened a Zen Cart store and can instal some basic plugins, and make some basic modifications with template codes when I can clearly see the differences on what need to be added.

The problem is I have two plugins that I cant install correctly because they mess up my template. So im considering paying someone with more expertise to install these.

My question is:

Is this safe? I know I shouldnt give out my mysql /Admin/ Cpanel passwords, but in this case I may need to... How can I limit my risk. What are the threats? Anything i need to me cautious of?

Or am I just over reacting on this?


Of course there is always a risk if you hand passwords to strangers - only you can determine the extent of that risk however.

You should try your best to establish the credentials of the person you appoint. Get evidence of a permanent address, a telephone number and if they claim to operate as (or within) a company, see if that company is registered.

What mods are you trying to install, and why is your template not "allowing" this?

Have you asked for help on the forum with these issues?
03 Aug 2012, 16:51
#3
limitless avatar

limitless

Inactive

Join Date:
Jan 2012
Posts:
496
Plugin Contributions:
0

Re: Security Question - Letting someone else install plugins

If you are super paranoid, Set up a copy of your shop and give them access to that, then copy over the modified files to implement in your 'real' shop.

I've had good luck with few freelancers from the various freelance sites, once I trust them, I tend to rehire them...
03 Aug 2012, 17:18
#4
mrdmorrison avatar

mrdmorrison

New Zenner

Join Date:
Aug 2012
Posts:
4
Plugin Contributions:
0

Re: Security Question - Letting someone else install plugins

Limitless:

If you are super paranoid, Set up a copy of your shop and give them access to that, then copy over the modified files to implement in your 'real' shop.

I've had good luck with few freelancers from the various freelance sites, once I trust them, I tend to rehire them...


That is a perfect solution.... thanks
04 Aug 2012, 09:14
#5
rodg avatar

rodg

Deceased

Join Date:
Jan 2007
Posts:
6,263
Plugin Contributions:
3

Re: Security Question - Letting someone else install plugins

mrdmorrison:


I know I shouldnt give out my mysql /Admin/ Cpanel passwords, but in this case I may need to... How can I limit my risk. What are the threats? Anything i need to me cautious of?

Or am I just over reacting on this?


I'm one of people that believe most people are basically honest and that providing login details to a developer is generally pretty safe. Nonetherless, I'll always change the password(s) after giving such access (and as a developer I'll always insist the client changes their passwords after I've completed what I was hired to do).

If you are using ZenCart V1.5 you should create a new admin account for any developers you hire (so you don't need to give them *your* password), and I'd also suggest that you use your cPanel to create a special FTP user account for your developer(s) so that you don't need to give them the cPanel or master FTP passwords.

In other words, with the current zencart you have no need to give any developer any of your personal logon/password details. Just provide them with their own admin and FTP accounts (not the cPanel account) and that's all you need to provide. Both accounts can then be easily deleted or deactivated after the job is complete.

Cheers
Rod
04 Aug 2012, 14:58
#6
mrdmorrison avatar

mrdmorrison

New Zenner

Join Date:
Aug 2012
Posts:
4
Plugin Contributions:
0

Re: Security Question - Letting someone else install plugins

RodG:

I'm one of people that believe most people are basically honest and that providing login details to a developer is generally pretty safe. Nonetherless, I'll always change the password(s) after giving such access (and as a developer I'll always insist the client changes their passwords after I've completed what I was hired to do).

If you are using ZenCart V1.5 you should create a new admin account for any developers you hire (so you don't need to give them *your* password), and I'd also suggest that you use your cPanel to create a special FTP user account for your developer(s) so that you don't need to give them the cPanel or master FTP passwords.

In other words, with the current zencart you have no need to give any developer any of your personal logon/password details. Just provide them with their own admin and FTP accounts (not the cPanel account) and that's all you need to provide. Both accounts can then be easily deleted or deactivated after the job is complete.

Cheers
Rod


Thats a good idea and sounds much simpler than creating a clone site and merging them over. As my site is empty at the moment I dont see a big security threat.

Im curious tho. is there an additional security threat:

(1) is he/she changes any of the file permissions at a later date?

(2) isnt my database password stored in one of the config files also. is this a threat? Should I go to the effort of changing this also?
05 Aug 2012, 14:44
#7
rodg avatar

rodg

Deceased

Join Date:
Jan 2007
Posts:
6,263
Plugin Contributions:
3

Re: Security Question - Letting someone else install plugins

mrdmorrison:


Im curious tho. is there an additional security threat:

(1) is he/she changes any of the file permissions at a later date?

Any reduction in file permissions will always increase the risk of threats.

mrdmorrison:



(2) isnt my database password stored in one of the config files also.

Yes.

mrdmorrison:


is this a threat?

Only if the wrong people/person has access to it.

mrdmorrison:


Should I go to the effort of changing this also?

Do you go to the effort of locking your windows as well as your doors when you go out? (Sometimes I do, sometimes I don't. Only I am in the position to determine the risk in any given situation).

Cheers
Rod