Updates by our clients.

Basically, I would like to allow my clients to be able to auto-update the premium plugins/themes I've installed for them. I would not want to log in to my clients' websites and update for them. Neither do I want to let my clients install any new premium plugins/themes freely using the WPMU DEV Dashboard I've set up. How can these be achieved?

Lastly, it would be good if we can make use of our members account in WPMUDEV to select the plugins/themes where we can push it to our respective clients for use and future updates.

  • Arun Basil Lal

    Hello freedom,

    You can install the WPMU Dev Dashboard plugin for your client. Hope you have an admin account at your client's site.

    You can then use the following to define who can get access to the WPMU Dev Dashboard plugin.

    In the wp-config.php file:

    define("WPMUDEV_LIMIT_TO_USER", "1, 10"); – Or enter a comma separated list for multiple users. They are all user IDs.

    For more, see the Usage section here: https://premium.wpmudev.org/project/wpmu-dev-dashboard/#usage

    They won't have access to the plugin, so they cannot install new products. But they will be able to auto-update via the normal WordPress updates area.

    Lastly, it would be good if we can make use of our members account in WPMUDEV to select the plugins/themes where we can push it to our respective clients for use and future updates.

    You mean you want to select the plugins and themes that your clients want access to? This isn't a feature at the moment.

  • Kwee Chek

    ok. I got it now !

    1) The default user "1" is the administrator which I used to install the WPMU DEV Dashboard. Can I change the WPMU Dev Dashboard's default administrator to other users?

    2) Since, my clients have the administrator rights to their website as well. They can easily change any user's password and access the WPMU DEV Dashboard. Therefore, it is better to have similar setup like the Video Tutorial plugin's setup, where you can hide the configuration totally from all users including the default user '1'.

    3) Yes, it will be best to manage in our member's account at WPMUDEV for our clients to install/update the plugins/themes selectively as permitted by us. Will you build this feature in next release?

    You mean you want to select the plugins and themes that your clients want access to? This isn't a feature at the moment.

  • Kwee Chek

    One last thing to add - As I've been building the standalone WordPress Site for my clients, therefore, I do not need to go into my clients' website to access the WPMU DEV Dashboard (where those information on Plugins, Themes, Support, Community are not applicable for this case). However, allowing my clients the ability to update premium plugins/themes which I've installed for them will be sufficient.

    For me, I'll always visit wpmudev.org for any information and queries.

  • Arun Basil Lal

    Hiya,

    1) The default user "1" is the administrator which I used to install the WPMU DEV Dashboard. Can I change the WPMU Dev Dashboard's default administrator to other users?

    For sure, you can use the ids of any user there. Or use it like this for multiple users: define("WPMUDEV_LIMIT_TO_USER", "1, 10");

    2) Since, my clients have the administrator rights to their website as well. They can easily change any user's password and access the WPMU DEV Dashboard. Therefore, it is better to have similar setup like the Video Tutorial plugin's setup, where you can hide the configuration totally from all users including the default user '1'.

    If you do not give any user id in there, it should cease to show for anyone. Also you could use define('WPMUDEV_HIDE_BRANDING', true); to hide it completely.

    3) Yes, it will be best to manage in our member's account at WPMUDEV for our clients to install/update the plugins/themes selectively as permitted by us. Will you build this feature in next release?

    Ideally we do not want this. It would be havoc if clients started installing plugins on their own. It's best that our members, in this case you, who know what's going on, do that for them. They can of course auto-update, which is already available now.

    Hope that makes sense :slight_smile:

  • Kwee Chek

    Hi, I think you have not addressed my problems yet.

    1) As mentioned by Aaron, auto-updates will not be available if define('WPMUDEV_LIMIT_TO_USER', '0') is added into wp-config.php. But, I still want to make the auto-updates available to first administrator, ie user "1" and hide the entire plugin view from this user as well.

    Add
    define('WPMUDEV_LIMIT_TO_USER', '0');
    to wp-config.php, and essentially you'll be hiding from all users including yourself.

    You will still be able to see the updates available in the normal WP update places, though you won't be able to autoupdate.

    2) When a user enters an api key it will begin to limit the entire plugin view to just that username. As mentioned in the usage guides > https://premium.wpmudev.org/project/wpmu-dev-dashboard/

    In fact, I've read and followed all the procedures as mentioned in the plugin usage guides. However, the entire plugin view & dashboard is still appearing in the username which has entered the api key, ie for my case is user "1" as shown in attached image.

  • Arun Basil Lal

    Hello freedom,

    Never considered it trivial, got lost in the heap of threads. Sorry.

    So it seems like either we have all the capabilities to install and update, or you have none.

    If it was me, I would consider this as an opportunity to invite a monthly maintenance fee from my clients for upgrade, you are paying for the plugin and updates anyway, so that seems fair.

    Let me ping Aaron to see if we can figure out a solution where clients can just update stuff, not install anything. They would get to see your API key, so for the techie clients, it won't be much of a protection I suppose.

    Let's see.

  • Kwee Chek

    What's the difference for the "Update Notifications Sites" where DEV members can indicate max. of 20 domains. My point is to make use of your "Update Notifications Sites" to allow them to auto-update themselves.

    In fact, it will be good for WPMU Dev, because it is a good way to promote WPMU Dev and to encourage them to sign-up as WPMU Dev members themselves if they would like to have other premium plugins/themes offered by WPMU Dev. Where, they will only get what have been initially installed for them.

    That's a way to increase no. of the affiliate referral as well.

  • iaindb

    I really like this plugin... But I've got a huge issue with it...

    Basically it's useless for client sites - even if I'm the person managing the updates (which I do for my clients) - the fact is that the plugin and my API key are sitting there... Even if I restrict the access to this plugin with a define - the fact is that this is very, very easily circumvented - at the end of the day clients own their sites (and hosted on accounts they own), so with very little knowledge can effectively gain access to this plugin... Not only do they access the API key and details, they also get access to my WPMUdev account wholesale through the dashboard.... Not good I'm sure you'll agree.

    Don't get me wrong - I really, really do like this plugin, but from a security angle it's not where it should be at the moment.

    I think the API functionality needs improving, I've previously suggested a different angle for API keys and that is to basically use multiple API keys as follows:

    Step 1 - allow multiple API keys per account, that way they can be removed / disabled at any point.

    Step 2 - allow reporting on which domains / sites API keys are being used.

    Step 3 - allow restrictions on which sites API keys would work on.

    Step 4 - restrict which plugins will work with which API keys.

    The four steps could be implemented over different releases if needed?

    This approach would mean that as developers we wouldn't necessarily have to use 1 API key per site (or even customer), but we could... And once all steps were implemented it would mean that even if someone copied the API key it would be useless.

    It would also mean that maybe, apart from the main API key (which most of us wouldn't use on client sites), a lot of the features of the dashboard could be hidden (eg payment details, upgrades, WPMUdev social features) - and would mean that as devs we could sleep sounder at night with the plugin on our client's sites.

    I do like the dashboard - and it's steps in the right direction... I just think some more thought on security would make it completely kick-ass. :slight_smile:

    Iain.
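
The four-step key scheme proposed in the post above, sketched as an added example (it is not part of the thread and not WPMU DEV's code). The `KeyRegistry` class, its method names and the sample domains are hypothetical, and it assumes the vendor side can verify which site a request comes from.

```python
import hashlib
import secrets
from dataclasses import dataclass


def _digest(raw_key: str) -> str:
    # Store and compare only a hash, so a leaked database does not leak usable keys.
    return hashlib.sha256(raw_key.encode()).hexdigest()


@dataclass
class ScopedKey:
    domains: frozenset      # step 3: sites this key works on
    plugins: frozenset      # step 4: products this key may update
    revoked: bool = False   # step 1: each key can be disabled on its own


class KeyRegistry:
    """Hypothetical vendor-side registry; all names here are illustrative."""

    def __init__(self):
        self._keys = {}     # sha256(key) -> ScopedKey
        self.usage = []     # step 2: (key id, domain, plugin, decision)

    def issue(self, domains, plugins) -> str:
        raw = secrets.token_urlsafe(32)
        self._keys[_digest(raw)] = ScopedKey(
            frozenset(d.lower() for d in domains), frozenset(plugins))
        return raw          # shown once to the developer, never stored

    def revoke(self, raw_key: str) -> None:
        self._keys[_digest(raw_key)].revoked = True

    def authorize_update(self, raw_key: str, domain: str, plugin: str) -> bool:
        # Assumption: `domain` was verified by the server, not read from a client field.
        kid, domain = _digest(raw_key), domain.lower()
        key = self._keys.get(kid)
        decision = ("unknown_key" if key is None else
                    "revoked" if key.revoked else
                    "domain_not_allowed" if domain not in key.domains else
                    "plugin_not_allowed" if plugin not in key.plugins else "ok")
        self.usage.append((kid[:12], domain, plugin, decision))
        return decision == "ok"

    def domains_seen(self, raw_key: str) -> set:
        kid = _digest(raw_key)[:12]
        return {d for k, d, _, _ in self.usage if k == kid}
```

With keys scoped this way, a key copied from one client site is refused on any other domain or product, and `domains_seen` shows where a key has been presented so it can be revoked on its own.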

  • James Farmer

    Thanks Iain, @Aaron and all of us are definitely interested in ideas for improvement here.

    I think that we're probably always gonna err on the side of simplicity - so there are ways I think we could improve in terms of both what you and Kweecheck are suggesting, but that's for a more detailed consideration and discussion down the line.

    A few more notes here too: https://premium.wpmudev.org/forums/topic/api-key-1#post-246130

  • iaindb

    As per the other post - I really do like the dashboard. I also get that what you provide is a plugin that allows us to update sites for our clients, rather than have them update them themselves.

    The fact remains though that when we design a site for someone - unless we become their webhost and also retain all rights over their website - they can take their site elsewhere / take control on their current website and lock us out / etc... Then at the most with a quick edit to nullify the admin account (or our account on their site) they can take control of the WP user with the credentials and API key for our WPMUdev account.

    I understand the angle you're coming from totally - I just think that something needs to be done to improve the security aspect.

    I work on enterprise architecture and part of that covers security. Although I don't pretend to be a huge programmer, I'm more than willing to make myself available to offer ideas/processes/workflows that may help... I'm sure you've got your own guys or gals that covers this and if so no worries - but if you did want me to discuss more where I'm coming from/offer suggestions then let me know - anything to help what is a fantastic plugin become usable for me and the rest of the WPMUdev community. :slight_smile:

  • iaindb

    Hi Aaron - that's great, but let me give you a couple of scenarios...

    A client takes over a site at 10pm local time my time on a Thursday - I have a long weekend booked (because it's a bank holiday). I don't know or notice anything until the Tuesday morning - which means they've had access to my WPMUdev account for 4 and a half days.

    Or a client takes control of my WP user account as they feel it's their site without saying anything - I don't need to do any work on their account for 3 weeks (as that's the next time I need to run the maintenance updates as they pay for, and there's no other support issues). My WPMUdev account has been compromised for 3 weeks in this case.

    In my mind, even 2 minutes is unacceptable from a security standpoint.

    Sorry to be so stubborn on this one - I really have the best intentions of this plugin and WPMUdev at heart - I'd really love to have this plugin usable for me and my clients and sites I manage - but it has to be secure to be able to do so.
