How do I prevent my clients from seeing my full portfolio?

I've got the WPMU Dashboard installed.

I also have a developer membership, which allows me to use WPMU on multiple sites. This is an awesome resource to have available when I'm pitching new business.

As of right now, any client can simply log on through the dashboard to post here or view the last 4 digits of my credit card number. If I remove the dashboard, they get a nag asking them to add it for updates.

What I need is a way to cut a client off from seeing all of my information (including other clients!). What am I missing? This must be my oversight. It seems too big to be yours.

  • Imperative Ideas

    Cripes, never mind...

    "Only the admin user "Ian" has access to the WPMU DEV Dashboard plugin and features on this site."

    That needs to be much more clear when installing the thing :slight_smile:

    There is still the underlying issue that a client admin could simply change my password and gain access to the entire system. A second layer of authentication as an option would be really nice.

  • Kimberly

    Hey there :slight_smile:

    Check out the bottom of this page:
    https://premium.wpmudev.org/project/wpmu-dev-dashboard/#usage

    it has some nifty stuff you might like :slight_smile:

    1. When a user enters an API key it will begin to limit the entire plugin view to just that username. This is great when using on client websites.

    If you have an older version installed, then simply visit the Manage page and save your settings; this will then restrict it to your username.

    2. If you get locked out or need to enable a different user, or want to enable multiple users, you can simply put this in your wp-config.php file:

    Place these just above the following line:
    `/* That's all, stop editing! Happy blogging. */`

    `define('WPMUDEV_LIMIT_TO_USER', '1');` - for one user.
    `define('WPMUDEV_LIMIT_TO_USER', '1, 10');` - or enter a comma-separated list for multiple users. They are all user IDs.

    3. If you want to totally hide everything so it's not visible to anyone then simply use the following in your wp-config.php:

    Place these just above the following line:
    `/* That's all, stop editing! Happy blogging. */`

    `define('WPMUDEV_HIDE_BRANDING', true);`

    Note: Your API key is your own, and should not be shared with your clients; doing so would give them access to your WPMU Dev account.

    Best,

    Kimberly

  • Imperative Ideas

    This is useful information.

    A savvy engineer with MySQL access could still just update the password hash for my username and get access to the code. I'm not saying it's likely - just possible.

    Is there a check in place that forces re-validation if the username's password hash changes?

    Re-hashing that hash for storage then validating against it would neatly break any intrusion efforts.
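
The check asked about in the post above, sketched as an added example (not WPMU DEV Dashboard code, and not something this thread says the plugin does): when the API key is entered, store a keyed fingerprint of the authorized user's password hash, and require the API key again if the fingerprint later differs. The function names, the sample row and the secret are hypothetical; the HMAC key is assumed to live in wp-config.php rather than the database, so someone with only MySQL access cannot recompute the fingerprint.

```php
<?php
// Added illustration; all names and sample values here are hypothetical.

/** Keyed fingerprint of the stored password hash. The key must live outside the database. */
function pin_fingerprint(string $storedPasswordHash, string $key): string
{
    return hash_hmac('sha256', $storedPasswordHash, $key);
}

/** Record the fingerprint at the moment the account owner enters the API key. */
function pin_user(array $userRow, string $key): array
{
    return ['user_id' => $userRow['ID'], 'fp' => pin_fingerprint($userRow['user_pass'], $key)];
}

/** Returns 'ok', 'wrong_user', or 'revalidate' (hash changed since pinning). */
function check_pin(array $userRow, array $pin, string $key): string
{
    if ($userRow['ID'] !== $pin['user_id']) {
        return 'wrong_user';
    }
    // hash_equals() compares in constant time.
    return hash_equals($pin['fp'], pin_fingerprint($userRow['user_pass'], $key))
        ? 'ok'
        : 'revalidate';
}

// Constructed sample data standing in for a wp_users row and a wp-config.php secret.
$key  = 'constructed-secret-kept-in-wp-config-not-in-db';
$user = ['ID' => 1, 'user_login' => 'ian', 'user_pass' => '$P$BconstructedHashValue0000000000'];

// Pin the account when the API key is entered; the unchanged row passes the check.
$pin = pin_user($user, $key);
echo check_pin($user, $pin, $key), PHP_EOL;

// The password hash for user 1 is overwritten directly in MySQL.
$tampered = $user;
$tampered['user_pass'] = '$P$BconstructedReplacedHash0000000';
echo check_pin($tampered, $pin, $key), PHP_EOL;

// A different admin account never matches the pin, whatever its hash.
$client = ['ID' => 7, 'user_login' => 'client', 'user_pass' => $user['user_pass']];
echo check_pin($client, $pin, $key), PHP_EOL;
```

A legitimate password change also yields `revalidate`, so the account owner re-enters the API key once afterwards. Anyone who can read wp-config.php can recompute the fingerprint, so this only narrows the database-only case raised in the post.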

  • iaindb

    This is something that concerns me also. Short of hosting the site and not giving the client access to the database (and to be absolutely sure, the file system too), I'm not sure at present how we can keep our accounts secure.

    Ultimately a client owns their website though...

    Here's another thread I've brought up similar issues in:
    https://premium.wpmudev.org/forums/topic/updates-by-our-clients#post-262084
