WPMU Dev Dashboard Security Concerns

Looking into utilizing your WPMU Dev dashboard plugin and using "The Hub" to keep track of all my sites. After playing around and testing the plugin, I have a concern in regards to who can manage the WPMU Dev dashboard page within the WordPress site. For example, if I go into a site and activate the plugin, it seems I am the only admin user who can access the WPMU Dev admin panel in WordPress. However, if another admin was to go in, deactivate the plugin, and then re-activate the plugin, they would be the only admin who has access to the WPMU Dev admin panel. Furthermore, when this happens, they would be able to see my WPMU Dev subscription info, my API key, recent tickets I opened, etc.

I'm thinking this has probably come up already with other users? Are there any plans for a workaround? Ideally, I would like the WPMU Dev plugin to force me to re-login to my WPMU Dev account if the plugin was deactivated/reactivated.

Thanks!

  • Predrag Dubajic
    • Support

    Hi @cnolan90,

    Hope you're doing well today :slight_smile:

    Thanks for your question. Our developers are notified about this and are looking into it.
    Note that users who do this still won't have access to your WPMU DEV login info or be able to access the site premium section this way.

    We are working on fixing this asap.

    Best regards,
    Predrag

  • cnolan90
    • Flash Drive

    Thanks Jaxom. I'm sure I could figure out a way to prevent this with custom user roles and permissions if I wanted to, but I'm not willing to go through that with each client site I develop. In my opinion this should be addressed at the plugin level to prevent this from happening. It's a pretty valid concern and if WPMU Dev wants this to be successful (which I'm sure they do), it should probably be built into the plugin.

    I know this is a relatively new venture for WPMU Dev so I'm sure they will figure out an answer. Maybe the answer is simply a different plugin for client sites that doesn't provide all the WPMU Dev account info in the WordPress admin panel. Truthfully, I don't care about any of that stuff being there anyway. I would prefer just a simple interface for client sites where I install the plugin, enter my WPMU Dev username and password which connects the site to my control panel and then that's it. No interface within the actual WordPress control panel, I will go login directly to WPMU Dev if I want to see that info.

  • Predrag Dubajic
    • Support

    Thanks for jumping in, Jaxom. However, Super Admin is only available in Network installations, so this would not be a solution for single installations.

    cnolan90, developers will be looking into this, and I believe that the best solution would be either hiding the plugin from users that didn't activate it in the first place or logging out from the dev account if the plugin is disabled, but I'll need to wait for the dev opinion on this :slight_smile:

    Best regards,
    Predrag
