nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Any web developers/designers here?

lorigem

Web design isn't officially my job title but I have lots of experience with it and is part of the job. However, oftentimes I need to purchase code for plugins or add-ons to the company site. I go through Themeforest to do so which houses developers from all over the world. Sometimes the code doesn't work on my site for whatever reason and I can usually get a quick fix by contacting the author of the code. However, this time, an author is requesting FTP access. I don't feel all that comfortable doing this but I'm wondering - what can they really do if they did want to commit malice? Other than replicating my site and go on a phishing scheme. Which I admit, I'd probably get fired if I had caused something like that.

Does anyone know a bit more about creating users on FTP and what the security implications would be to allow a third-party access? I know I can create a user to access certain directories but in order to diagnose the coding problem, they'd need access to the entire main directory.

Replies

TheNewPriceIsLoading

Believe there to be some websites where you can host 'Screen Sharing' and can enable them control of the mouse and keys, but your Mouse and Keys will override theirs if they decide to be dumb... Off hand, I cannot think of one.. Google it perhaps?

su93rn0va

Hi there, I am a web developer. To answer your question, giving ftp access to someone is very dangerous due to the fact that they can inject or create files with backdoor code to which case they can take up your site and use it in order to promote their own sites etc. Usually these are called parasites (the kind of code I mean). If this happens the account you created for him would have no meaning after all as the PHP on the server would be the host who would perform these actions. So even if you disable the account the malicious hacker could still take advantage of it via POST or GET. In other words, keep your site clean and don't give access to random persons. Try to debug the plugin yourself or explain the problem in detail to the developer. Show the problem to him by inviting him to see it as plain user.

lorigem

Believe there to be some websites where you can host 'Screen Sharing' and can enable them control of the mouse and keys, but your Mouse and Keys will override theirs if they decide to be dumb... Off hand, I cannot think of one.. Google it perhaps?

I've Googled it but haven't found any helpful answers :ohwell:

Screen sharing may work - I'll look into that. Thanks!

SaintGiff

I'm making some assumptions, primarily because you were not all that specific, but... If handling the company site is just part of a bigger job description then the assumption is that this isn't a huge site. And that the code pieces you are using are not terribly complex. Given those assumptions I can't see a need for FTP access. However, another assumption is that this is being hosted by a hosting company rather than a physical server you have on site. If that's the case, most will have FTP tools that allow you to grant FTP access for a specific user only to specific files or directories by path. The bigger concern isn't what this person takes ( duplicating your site ), but what they leave behind. Be sure to take a before and after snapshot of all directories where they have access to check for new scripts. Likewise, be sure to read through every file they modify to ensure they haven't done anything untoward.

GDLAZ

We disable FTP because it's too high risk for hackers. Besides, as a developer you don't want them to fix it for you, you want to know what the problem is so if it appears again you know what to do.

lorigem

Hi there, I am a web developer. To answer your question, giving ftp access to someone is very dangerous due to the fact that they can inject or create files with backdoor code to which case they can take up your site and use it in order to promote their own sites etc. Usually these are called parasites (the kind of code I mean). If this happens the account you created for him would have no meaning after all as the PHP on the server would be the host who would perform these actions. So even if you disable the account the malicious hacker could still take advantage of it via POST or GET. In other words, keep your site clean and don't give access to random persons. Try to debug the plugin yourself or explain the problem in detail to the developer. Show the problem to him by inviting him to see it as plain user.

Yikes - yeah that's what I was afraid of. What do you mean by the bolded part?

I'm making some assumptions, primarily because you were not all that specific, but... If handling the company site is just part of a bigger job description then the assumption is that this isn't a huge site. And that the code pieces you are using are not terribly complex. Given those assumptions I can't see a need for FTP access. However, another assumption is that this is being hosted by a hosting company rather than a physical server you have on site. If that's the case, most will have FTP tools that allow you to grant FTP access for a specific user only to specific files or directories by path. The bigger concern isn't what this person takes ( duplicating your site ), but what they leave behind. Be sure to take a before and after snapshot of all directories where they have access to check for new scripts. Likewise, be sure to read through every file they modify to ensure they haven't done anything untoward.

It's not a huge site but I work for a financial institution - a small one - where everything is done in-house. Security precautions are, well, pretty high. The code itself isn't complex, it's just a JS/PHP script. But it's clashing with something else on my site - to be honest, this whole site needs to be overhauled but I don't have the go-head at the moment to do so.

SaintGiff

...

It's not a huge site but I work for a financial institution - a small one - where everything is done in-house. Security precautions are, well, pretty high. The code itself isn't complex, it's just a JS/PHP script. But it's clashing with something else on my site - to be honest, this whole site needs to be overhauled but I don't have the go-head at the moment to do so.

Yeah, I would lean strongly toward not granting FTP access in that situation. Step one would be to look for a similar plug in that you can swap in. It's tough to answer without knowing specifics, and I totally understand why you are reluctant to give them. If the problem is customer-facing then you need to address it immediately. Even if that means disabling those specific functions. Do you know where your "clash" is occurring?

TheNewPriceIsLoading

Hi there, I am a web developer. To answer your question, giving ftp access to someone is very dangerous due to the fact that they can inject or create files with backdoor code to which case they can take up your site and use it in order to promote their own sites etc. Usually these are called parasites (the kind of code I mean). If this happens the account you created for him would have no meaning after all as the PHP on the server would be the host who would perform these actions. So even if you disable the account the malicious hacker could still take advantage of it via POST or GET. In other words, keep your site clean and don't give access to random persons. Try to debug the plugin yourself or explain the problem in detail to the developer. Show the problem to him by inviting him to see it as plain user.

Yikes - yeah that's what I was afraid of. What do you mean by the bolded part?

I'm making some assumptions, primarily because you were not all that specific, but... If handling the company site is just part of a bigger job description then the assumption is that this isn't a huge site. And that the code pieces you are using are not terribly complex. Given those assumptions I can't see a need for FTP access. However, another assumption is that this is being hosted by a hosting company rather than a physical server you have on site. If that's the case, most will have FTP tools that allow you to grant FTP access for a specific user only to specific files or directories by path. The bigger concern isn't what this person takes ( duplicating your site ), but what they leave behind. Be sure to take a before and after snapshot of all directories where they have access to check for new scripts. Likewise, be sure to read through every file they modify to ensure they haven't done anything untoward.

It's not a huge site but I work for a financial institution - a small one - where everything is done in-house. Security precautions are, well, pretty high. The code itself isn't complex, it's just a JS/PHP script. But it's clashing with something else on my site - to be honest, this whole site needs to be overhauled but I don't have the go-head at the moment to do so.

I would talk to whoever you have to and push until you can't anymore, for the overhaul. If it's struggling to work because of clashes, then show them that. Say that you NEED to overhaul it.

GDLAZ

This may sound elementary, but take a close look at what's changed since the last time things were working so you can narrow down what might be causing the issue.

We took a drastic step and chose not to use any third party plug-ins. That can make designing your UI more challenging, but you don't have some unknown entity throwing a problem in that you have little or no control over.

lorigem

The new code itself isn't working. The site is running fine so it's not a major issue that needs fixing ASAP. It's a simple add-on that our BOD wants - a suggestion box. Found a floating one I liked on Themeforest but it's not showing up on the site. Not sure what could be preventing it from showing other than the JS must be clashing with something that's already there. I'm thinking our header (which was also an add-on) is the culprit in now allowing certain JS to be displayed.

su93rn0va

If it is not showing up, it is probably a CSS problem. Perhaps the container div that includes it has a wrong display value (just an assumption). These kind of problems can be identified and fixed at the frontend with a browser plugin like firebug or with some kind of developer tools. What I meant to my previous post is that you could ask him to take a look to the plugin as a frontend user.