Plugin support and site admin credentials

I for one, don’t think it’s a good idea to celebrate the using of the forum to get admin credentials for an unknown person on a user’s site.
It’s a bad precedent. The person helping could be blamed for things that happen later, and the person with the site never knows if the helper left a back door or something.
I’m not saying anything of the sort happened in this exchange. I’m just saying that it could, so easily, since we don’t really know who anyone is in the forum. It is better to not have this type of transaction at all, to protect everyone.

1 Like

It is occasionally necessary to have admin credentials to a site in order to diagnose and fix a difficult issue. This can provide a better experience for everyone: plugin developers can successfully fix issues for users without having to guess as much about what the problem might be.

In this particular case it’s obvious that allowing the site owner to share credentials via a private message was a net win for everyone. So, rather than saying “It is better not to do this at all”, how about we think of ways to make it safer?

I’ll start: if you’re not satisfied that you know a plugin developer and have seen enough of their interactions to trust them, don’t pass them your credentials.


Hosting companies when answering tickets do use encrypted external services with expiration.
But in the end is a matter of trust.
If you use a product and encounter issues you have to decide if you trust the dev enough to let him in the site to fix it in extreme cases.
I agree with @joyously that the forum should not be held responsible and is not the best place to exchange this info however. Legally speaking this is an issue because… What if forum gets hacked and those credentials are used to hack the site?
Yes it is useful. Yes, it’s a nice commodity having the forum to offer plugin support like this.
I think devs should however offer this specific kind of support on their platform. For safety reasons and legal reasons.
Forums are ok until one reaches the point when the need to exchange credentials arises.


Particularly when the developer has been around the community as a contributing member for awhile, I put the risk at low. If you think about it: when you install a plugin, it could be doing anything under the hood…the vast majority don’t look at or understand code…they just use the plugin. A rogue developer doesn’t need to politely ask for admin access.

I think the thread shows a good faith effort to get to the bottom of the issue before admin access was requested, and the issue was immediately discovered once it was.




I’m not sure how you can stop it though. If you ban it on the forum they will just do it through private messaging.


You could even add… “Don’t use their plugin at all”.

It occurs to me that plugin developers already have a lot of power over your site. They can push anything your way. No need to hack into your site to leave a back door… just put it into the next update.


I’m not saying you can stop it. Just don’t endorse it or allow it on the forums, so that everyone is treated equally, and everyone understands the risks to both parties.

Need to discuss this with @wadestriebel - if it was adopted he’d have to make a moderation guideline and then start editing/deleting posts with requests for private credentials.

1 Like

I think it’s not easy to enforce… anyone can ask anyone else access using PM.


My two cents about this is that its fine as long as both parties agree to it, let them sort out if they wanna use forum PMs, email or for my part Facebook to exchange those credentials. Just make sure that we include a line in our guidelines or another appropriate place that ClassicPress is not responsible for anything that happens as a result of this exchange. Of course I don’t know if that is line with legality, maybe @timkaye can be asked about that.

We can’t and shouldn’t try to protect people from everything.


Well I think I need to comment here.

The first thing I want to add is that in the pm to @spanner44, after I’d logged in and looked at his system, I told him to change passwords. To quote:

And lastly, I would recommend changing relevant passwords as it’s good practice - and I won’t be at all offended! It’s what I would do.

And I think that is the key takeaway. Should the forum get hacked, the login details will be useless. That just about covers everybody.

Everything is about trust. I do this sort of thing as a part of my day job. I’ve also worked in tech support where admin access is a necessity, potentially giving me access to every bit of data on the network. Essentially, my whole career has been based on trust.

The fact is, I’ve developed a plugin through the ClassicPress community and a community member was having major problems with said plugin. What else was I supposed to do?


The whole legal basis on which we will be launching the plugin directory is not merely that ClassicPress won’t be legally liable, but that it will never take on any meaningful responsibility in the first place.

The plugin is the developer’s, the site is the user’s: we are simply providing a convenient location for the one to meet the other. Whatever the support forum looks like, it will be provided primarily because it’s helpful to other users (e.g. in resolving their own issues, and in enabling them to decide whether to use the plugin in the first place).

Where a developer and/or user feel the need to communicate privately about a plugin, we should make it clear that that should always take place away from any ClassicPress site. Such communication doesn’t meet either of the above objectives and, if we are seen to be endorsing the exchange of confidential information on our sites, then we will be expected to meet all sorts of tests about how we manage such communications to ensure they truly are secure.

Those who point out that this will be impossible to enforce 100% miss the point. No-one expects 100% enforcement. What will be expected are genuine and consistent attempts at enforcement. In other words, just as on the WP forums, mods should edit or delete posts that ask for or provide confidential information, and those involved should be warned not to do it on our virtual real estate.


So to summarize:

  • Sharing credentials via forum private message - not ok
  • Sharing email addresses, Facebook via private message (and then using that platform for further, personalized support) - ok
  • User or developer publishes their email address, Facebook etc in a support thread for this purpose, if desired - ok

Does that sound like a reasonable guideline?


Yes to all of those. :grinning:


And maybe we could encourage this way and ask for the disclosure (if applicable) of what was wrong…


Good developers should always be prepared to explain afterwards what was wrong, provided they do so in a way that protects privacy and confidentiality.


Firstly, I apologise if what I did was wrong.

Clearly, there was no ill intent on my part and I would also like to apologise to @spanner44 for dragging him into this. This was 100% my doing.

However, looking at things from my perspective:

  • the SEO plugin is being developed as a ClassicPress research project and as such, using these forums for support for a ClassicPress plugin seemed entirely appropriate to me

  • this is not the first time someone has asked for login credentials on these forums

  • I felt I did what I needed to do to resolve the situation and I have no regrets about doing it. It got the problem resolved quickly and painlessly.

  • I did take appropriate measures to protect ClassicPress by recommending that passwords be changed


No need at all to apologise, Tim. ClassicPress is still in early days and we are all finding our way. There will be lots of “test cases” that help us refine our procedures and guidelines.

You certainly didn’t do anything wrong because nothing had been defined to say you shouldn’t.


Thanks Alan. Much appreciated!! :slightly_smiling_face: