This is not a feature request is a security risk fix request.
Shipper Pro can be used to override any of the website in the hub – mine, other clients – NOT A VULNERABILITY I can live with.
Secondly, you should not show the list of websites in the hub in the first place, this is not information I want shared.
The following are NOT ACCEPTABLE SOLUTIONS:
– uninstalling Shipper after use – not a fix. Shipper can be re-installed anytime
– hiding WPMUDEV from other admins – not a fix. Another admin can reset the password to the admin account used to activate WPMU and gain access
– using functions.php, wp-config and other similar methods to prevent access to the plugin …- not a fix. Can be easily be undone. This needs to be fixed off site on WPMUDEV side.
– Currently on my side of things the only solution is to logout of WPMUDEV or remove it. If that will remain the only solution then I can't continue using WPMUD
The risk is too high to consider anything else but a foolproof fix. It's making me reconsider enabling WPMUDEV on clients websites. And this is the only reason I've been renewing my subscription, to be able to use this for my clients.
– Obviously, the fix can only be done on your side. You have done it with Snapshot Pro when it comes to Managed Backups in the cloud by requiring a Snapshot Key. So some form of authentication is needed. Perhaps require an actual sign into the hub before showing the list of the websites in the hub. Perhaps even better, you don't show a list of sites but instead we enter a one time use or a self destructive Key corresponding to the site we want to transfer to that we copy from the HUB. Besides that no-one should see the whole list of sites, it can also become too long a list and also introduces the risk of miss-selection.
Since this can be done in many ways, I'll let you brainstorm and find the best solution.
I'll continue below with a few other notes in order to avoid creating a new ticket since it's on the same topic of: "information and access to sensitive data that a third party (be it a (ex)client, or an ex client's new web developer) should not be able to get in any circumstances.. "
WPMU Dashboard should not show any personal information like support tickets. Grant support access should not be there. The SUPPORT menu option should not be there, it's actually potentially confusing for the client, as that's not where they should be looking for support. And they should not enable access to any account features ever.
WPMUDEV dashboard's role should only be a way to activate the license. Even installing new plugins is not necessary something that should by default enabled. We can install them from the hub. But in certain cases we could enable that for a specific site, perhaps only specific plugins only. As to being able to manage installed plugins its ok but not necessary as the plugins have their own menu. I propose a way to control what WPMUDEV does from within the HUB itself. Out of anyone else reach – those WP-CONFIG constants are not a true solution as they can easily be overcome. Instead a default secure config for a new website added to the HUB, and option to turn on/off from within the HUB is the way to go.
For my main agency website, and perhaps other personal sites having personal information displayed, Hub related info and notifications, support tickets and perhaps certain actions that I can take would be more than fine. But we need to be able to control that, from within the hub.
Perhaps this WPMUDEV Dashboard should be only for the account owner. And have a client License activation for anything else. This way WPMU Dashboard can provide even more personal and potentially sensitive info and access to actions, tools, tasks for the account owner only…
Please always keep that in mind for any development on the WPMUDEV dashboard, and all plugins. This has to be foul-proof as its not being used just by the account owner.
Again, something to be brainstormed… I can live for now with the WPMU Dashboard issues, but not the Shipper PRO – this should be the first fix.