Give Away Private Website Information To WP Theme Support

Hi Envato-Team,

Is it legit that the support of a WooCommerce theme I bought is asking for private website information?
I have an issue with the theme and asked for support, but they are asking for all this information before they do anything:

  • FTP information
  • site’s URL
  • WordPress admin login info
  • Purchase Code

Isn’t it the case that this could cause a huge security issue, especially by giving out the FTP information?

Thank you,
Lisa

Hello @official3

Different authors may have different policies and methods for support.

You have to send the theme purchase code, site URL and WordPress login info.

If you do not want to share this, you can also send screenshots so the author can understand the problem easily and give you a fix ASAP.

Thanks :slight_smile:

Hello joomlastars,

I understand. I already did send photos to the author, but they wanted all this information before looking into it.
If I already had customers on the webshop, it would be impossible to give the author the information without breaking the law.
I guess I need to contact them again.

Thanks,
Lisa

Hello @official3

You can contact the author and ask for TeamViewer if you do not want to send FTP details.

Thanks :slight_smile:

I also have a problem with this. I don’t understand why I must buy an app only to let them into my server. It just doesn’t make better security sense.

1 Like

Hello

You can take a backup before giving FTP access when asking for support, and after the fix you can change the password :slight_smile:

You don’t seem to understand: this should not become a normal practice anywhere. Imagine buying a game off the Play Store and the developer says, give me the passcode to unlock your phone before you can play the game. It’s not safe when people can create hidden files on your server. It’s totally not so safe; as an InfoSec expert, it’s not safe at all.

1 Like

Hello

Right, but we are authors, not hackers :smiley:

If there is sometimes a critical issue, the author has to check what and where the issues are, so they ask for admin details. You can change the details after your problems are fixed.

When you sign up at Envato, they also have your username and password, maybe stored in some database. Have you heard that they tried to log in?

Thanks :slight_smile:

Unfortunately, with software development, an issue can only be working in your instance so they need access to look through your setup.

I totally get it that you don’t want unknown people seeing private information (especially around GDPR and other data protection laws) so there is a way to reduce that risk.

Create a new user role called support, limit them to the things they would need to see e.g. pages and products, limit them from data you don’t want them to see e.g. orders.

Never give them cPanel access, only FTP. Make sure you have a backup, and limit the FTP account to the areas they need to access, e.g. the wp-content folder (don’t let them access the root, as your database logins are stored in wp-config.php).

Take steps to protect your data, but also be open enough that you’re not hindering them from helping you.

3 Likes

Basically, some of the simpler stuff we can do to protect ourselves.
If the situation is happening in a unique instance, maybe they should try debugging by reading the logs that their apps dump.

Thanks a lot for the tips, but honestly, I wouldn’t want to go through all these problems just to buy and use a web app. Isn’t there a web app that is good to go after buying? (That’s what we want.)

And they don’t only ask for WP user access, they actually ask for cPanel access, but from today I am only giving out FTP access. I am sure others can confirm too.

Some stuff I bought off here had many problems, so that I had to keep talking to support after 4 months of purchase, just trying to straighten out the kinks, and some of the issues were left to be resolved in the next update. So sometimes the whole support game goes on for a long time, which makes the whole security aspect not fully certain.

I’d like to revive this topic. It should raise red flags if multiple customers are not able to install the product. Authors should be able to get the install right or their product should be pulled from the shop. I’ve recently purchased something, big surprise it doesn’t install, and immediately they are getting my email address, purchase code and asking for URL and FTP access. This raises all kinds of red flags for me.

Envato should have some type of policy or protection for their customers. Adding a button customers can use to flag authors who abuse this practice. Malicious code can be in the original .zip file we download or they can go in and add it when they are “fixing” the problem.

Can someone with some authority speak to this?
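
An added example, not part of any post in this thread: one way to check what changed under wp-content during a support session, following the backup advice and the concern about hidden or added files raised above. It hashes the tree before access is granted and again afterwards; the sample tree, its file names and the `RISKY_SUFFIXES` list are constructed assumptions.

```python
import hashlib
import os
import tempfile

RISKY_SUFFIXES = (".php", ".phtml", ".phar")  # assumption: what the server may execute

def snapshot(root):
    """Map every file under root (dotfiles included) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if os.path.islink(path):  # record the link target instead of following it
                digests[rel] = "symlink:" + os.readlink(path)
                continue
            with open(path, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_snapshots(before, after):
    """Return the files added, removed or modified between two snapshots."""
    added = sorted(after.keys() - before.keys())
    removed = sorted(before.keys() - after.keys())
    changed = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return {"added": added, "removed": removed, "changed": changed}

def needs_review(report):
    """New or modified paths that are hidden or server-executable."""
    names = ((p, p.rsplit("/", 1)[-1].lower()) for p in report["added"] + report["changed"])
    return [p for p, n in names if n.startswith(".") or n.endswith(RISKY_SUFFIXES)]

def demo():
    """Constructed tree standing in for wp-content, before and after a support session."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        write("themes/shop/functions.php", b"<?php // original\n")
        before = snapshot(root)  # taken before handing out the FTP account
        write("themes/shop/functions.php", b"<?php // patched by support\n")  # the fix
        write("uploads/.cache.php", b"<?php // unexpected\n")  # hidden file nobody asked for
        report = diff_snapshots(before, snapshot(root))
        return report, needs_review(report)

if __name__ == "__main__":
    print(demo())
```

On a real site, run `snapshot` on the wp-content directory and keep the "before" result off the server, where the support FTP account cannot edit it.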