Agree.
5 Likes
I’m not sure how you can stop it though. If you ban it on the forum they will just do it through private messaging.
2 Likes
You could even add… “Don’t use their plugin at all”.
It occurs to me that plugin developers already have a lot of power over your site. They can push anything your way. No need to hack into your site to leave a back door… just put it into the next update.
3 Likes
I’m not saying you can stop it. Just don’t endorse it or allow it on the forums, so that everyone is treated equally, and everyone understands the risks to both parties.
Need to discuss this with @wadestriebel - if it was adopted he’d have to make a moderation guideline and then start editing/deleting posts with requests for private credentials.
1 Like
I think it’s not easy to enforce… anyone can ask anyone else access using PM.
Simone.
5 Likes
My two cents about this is that its fine as long as both parties agree to it, let them sort out if they wanna use forum PMs, email or for my part Facebook to exchange those credentials. Just make sure that we include a line in our guidelines or another appropriate place that ClassicPress is not responsible for anything that happens as a result of this exchange. Of course I don’t know if that is line with legality, maybe @timkaye can be asked about that.
We can’t and shouldn’t try to protect people from everything.
3 Likes
Well I think I need to comment here.
The first thing I want to add is that in the pm to @spanner44, after I’d logged in and looked at his system, I told him to change passwords. To quote:
And lastly, I would recommend changing relevant passwords as it’s good practice - and I won’t be at all offended! It’s what I would do.
And I think that is the key takeaway. Should the forum get hacked, the login details will be useless. That just about covers everybody.
Everything is about trust. I do this sort of thing as a part of my day job. I’ve also worked in tech support where admin access is a necessity, potentially giving me access to every bit of data on the network. Essentially, my whole career has been based on trust.
The fact is, I’ve developed a plugin through the ClassicPress community and a community member was having major problems with said plugin. What else was I supposed to do?
11 Likes
The whole legal basis on which we will be launching the plugin directory is not merely that ClassicPress won’t be legally liable, but that it will never take on any meaningful responsibility in the first place.
The plugin is the developer’s, the site is the user’s: we are simply providing a convenient location for the one to meet the other. Whatever the support forum looks like, it will be provided primarily because it’s helpful to other users (e.g. in resolving their own issues, and in enabling them to decide whether to use the plugin in the first place).
Where a developer and/or user feel the need to communicate privately about a plugin, we should make it clear that that should always take place away from any ClassicPress site. Such communication doesn’t meet either of the above objectives and, if we are seen to be endorsing the exchange of confidential information on our sites, then we will be expected to meet all sorts of tests about how we manage such communications to ensure they truly are secure.
Those who point out that this will be impossible to enforce 100% miss the point. No-one expects 100% enforcement. What will be expected are genuine and consistent attempts at enforcement. In other words, just as on the WP forums, mods should edit or delete posts that ask for or provide confidential information, and those involved should be warned not to do it on our virtual real estate.
6 Likes
So to summarize:
- Sharing credentials via forum private message - not ok
- Sharing email addresses, Facebook via private message (and then using that platform for further, personalized support) - ok
- User or developer publishes their email address, Facebook etc in a support thread for this purpose, if desired - ok
Does that sound like a reasonable guideline?
5 Likes
Yes to all of those. 
2 Likes
And maybe we could encourage this way and ask for the disclosure (if applicable) of what was wrong…
2 Likes
Good developers should always be prepared to explain afterwards what was wrong, provided they do so in a way that protects privacy and confidentiality.
3 Likes
Firstly, I apologise if what I did was wrong.
Clearly, there was no ill intent on my part and I would also like to apologise to @spanner44 for dragging him into this. This was 100% my doing.
However, looking at things from my perspective:
-
the SEO plugin is being developed as a ClassicPress research project and as such, using these forums for support for a ClassicPress plugin seemed entirely appropriate to me
-
this is not the first time someone has asked for login credentials on these forums
-
I felt I did what I needed to do to resolve the situation and I have no regrets about doing it. It got the problem resolved quickly and painlessly.
-
I did take appropriate measures to protect ClassicPress by recommending that passwords be changed
6 Likes
No need at all to apologise, Tim. ClassicPress is still in early days and we are all finding our way. There will be lots of “test cases” that help us refine our procedures and guidelines.
You certainly didn’t do anything wrong because nothing had been defined to say you shouldn’t.
9 Likes
Thanks Alan. Much appreciated!! 
6 Likes
As @ozfiddler says, you did nothing wrong, @1stepforward. What I have outlined is how ClassicPress should proceed in future. It was not a comment about you or any other individual.
6 Likes
Thanks @timkaye. I know your comments weren’t directed at anyone in particular and your clarification along with @james’ summary does help.
I didn’t intend to reopen this issue but I decided I needed to as there is one particular area I’m still not clear on and one that will almost certainly raise its head again. So, better to get it all sorted now I think.
Mods note: moved this part to a new thread; ClassicPress research
2 Likes