
Granting FTP & cPanel & BO admin access to untrusted individuals.



I have invested a lot of money in developing an eCommerce website using PrestaShop as the platform. Often I need tweaks or design improvements.

 

A web developer of unknown or unproven skill, or simply an untrusted individual with skill is interviewed.

This is what is always asked for.

 

FTP Access

cPanel to the host server

Back Office admin rights to the domain PrestaShop is hosted on.

 

This is basically providing a complete stranger the ability to download, back-up, and copy my $10,000 investment.... and not only that, it also gives the ability for that person to damage it at a time in the future.

 

It really concerns me.

 

What is the solution?


Why damage in the future? Normally for "guests" you can add restricted accounts, both in the PrestaShop back office and as FTP users. For cPanel, you surely don't need to give access to anybody...

 

After the work is done, you simply delete the account you added. If you don't know how to restrict access, you should ask your provider or consult the net on how to use cPanel.

For the PrestaShop back office, go to the tab Administration > Employees > Add new. BEFORE you add a new employee, you should go to the same tab, Profiles and Permissions, and set permissions for a specific profile you added before (e.g. "developer"). After you have added a new profile you can restrict everything he can do, see or manage. For the back office you can also delete or disable the account you added once the work is done.

Edited by selectshop.at

What concerns me is that in the past, having done this, I noticed afterwards that the entire PrestaShop backup was corrupted with viruses. What that means... I don't know; what it does mean is many sleepless nights and a complete loss of trust in the entire PrestaShop site, and in the PrestaShop solution for eCommerce.

 

Also, giving access allows access to the database, and it's hugely problematic because it takes months to build a custom site and the product database, and weeks to audit and debug it for correctness....

 

.... and then some unknown party wants full and complete access.

 

Nowhere have I been able to find how to do this, or guidelines outlining safe practices.

Edited by kimlala

If access has already been given to somebody, you should change all your passwords after the work is done. In fact no developer needs access to the database and your cPanel, and you should be very careful if somebody is asking to have access to it. Better ask here in the forum before. ;)


If backups have viruses, then the virus was present BEFORE the backup was made. The backup is in fact made only from the database, if you are talking about the backup option in PrestaShop's back office. From the FTP, PrestaShop is not making any backup. BTW, in a database there is no possibility to add a virus, only to scripts, so your FTP. The database only stores DATA !!!!

 

In case of a virus on your FTP you should change your provider. The one you are using is not taking care of his servers !!! But this is very common if you use shared hosting packages. You should consider changing not only your provider, but your hosting package too: a VPS with its own dedicated IP, or at least a more expensive version, a dedicated server.

Edited by selectshop.at

"Also, giving access allows access to the database, and it's hugely problematic because it takes months to build a custom site and the product database, and weeks to audit and debug it for correctness...."

 

NO. As I told you, you should learn how to use cPanel. You have the possibility to add FTP users with restricted access to only a part of your FTP, or only one or two folders of it. If you restrict the folder /youradmin, this person will not have access to the database backup, because they are stored in the folder /youradmin/backups.


Another suggestion I can give you is not to use extra free modules or modules of unknown provenance. All modules offered here by users who are moderators you can trust. Modules from users who do not help frequently on the forum are suspect and can contain malicious code... On each well-managed server there is a firewall active which will cry during or after install about malicious behaviour. If your server doesn't have this option, then your provider doesn't take care, and in fact you are the one who should take care.

PrestaShop in its native version is clean, but surely you know the story of "Troy and the Trojan horse"? Gratis/free: be careful.


"NO. As I told you, you should learn how to use cPanel. You have the possibility to add FTP users with restricted access to only a part of your FTP, or only one or two folders of it. If you restrict the folder /youradmin, this person will not have access to the database backup, because they are stored in the folder /youradmin/backups."

I know how to configure FTP access or users. What a designer always requests is "FULL ACCESS".

 

In the config folder there are the user name, database name and password. This gives a person with FTP access, access. So what two folders are you suggesting giving access to? A single module folder? The module directory? The theme directory? Both module and theme are located in the main PrestaShop directory, and if access is given to those two directories it gives access to the config folder also.

 

Also, I don't even think access to a live site should ever be given, to anyone. It has been suggested to me to upload the site minus images and the /img directory to a repository and have it accessed there.

 

The biggest problem I have with all of this is the exposure to malicious intent, because eCommerce sites involve the generation of income, and when money is involved who knows how much damage can be done. A business can generate from 0 to 100,000 a month, and trusting complete strangers is hugely troubling.

Edited by kimlala

Full access: simply don't give it. Not for the folder /youradmin. This is quite easy. If he needs access to the folder /modules, then give him access only to the folder /modules; if he also needs access to /theme, then to /modules and /themes. You should ask beforehand. In the folder /youradmin he doesn't need any access, or have anything to fix or change in the scripts.

 

You can also clone your shop and let developers play on this clone.

 

How to clone a shop: http://givensa.com/learning-ecommerce-by-doing/clone-prestashop/ or https://www.prestashop.com/forums/topic/313999-tutorial-how-to-clone-your-shop-for-upgrades/

 

Afterwards you can ask him which files he replaced. But in fact you will not find any developer working on this basis... Better is to restrict the access to /theme and /modules, perhaps /overrides, which are the main developing/debugging folders.

Edited by selectshop.at
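The two posts above argue about the same thing from opposite sides: kimlala points out that a grant on the shop root reaches the config folder with the database credentials, and selectshop.at answers that the grant should be limited to /modules, /themes and perhaps /overrides and never include /youradmin. The script below is an added example, not code from the thread or from PrestaShop, that turns that argument into a check a shop owner can run before creating a restricted FTP user: it assumes the PrestaShop 1.6 layout where the credentials live in config/settings.inc.php, uses "youradmin" as the placeholder name for the renamed admin folder exactly as the thread does, and treats every path as relative to the shop root.

```python
from pathlib import PurePosixPath

# Added example (not from the thread or PrestaShop). Paths are relative to the
# shop root; "youradmin" stands in for the renamed admin folder, as in the thread.
# Locations the thread identifies as sensitive, and why.
SENSITIVE = {
    "config/settings.inc.php": "database host, name, user and password",
    "youradmin": "back-office admin folder",
    "youradmin/backups": "database backups made from the back office",
}


def _parts(path):
    """Split a path into components relative to the shop root.
    '/', '' and '.' all mean the root itself and yield an empty tuple."""
    p = path.strip().strip("/")
    return () if p in ("", ".") else PurePosixPath(p).parts


def is_within(path, scope):
    """True when `path` equals `scope` or lies beneath it. The comparison is
    component-wise, so a grant on 'modules' does not cover 'modules_old'."""
    p, s = _parts(path), _parts(scope)
    return p[:len(s)] == s


def exposed_by(grant):
    """Map each sensitive location reachable through `grant` (the list of
    directories the FTP user would be confined to) to the reason it matters."""
    return {sens: why for sens, why in SENSITIVE.items()
            if any(is_within(sens, scope) for scope in grant)}


def review_grant(grant):
    """Return (ok, exposed). ok is True only if nothing sensitive is reachable."""
    exposed = exposed_by(grant)
    return (not exposed, exposed)


def minimal_grant(files):
    """Given the files a developer says he will change, return the set of
    top-level directories a restricted FTP user would need. A file sitting
    directly in the shop root forces a root grant, which review_grant rejects."""
    grant = set()
    for f in files:
        parts = _parts(f)
        grant.add(parts[0] if len(parts) > 1 else "/")
    return grant


if __name__ == "__main__":
    # Constructed sample grants: the "full access" a designer asks for, the admin
    # folder alone, and the restricted set recommended in the thread.
    for grant in (["/"], ["youradmin"], ["modules", "themes", "override"]):
        ok, exposed = review_grant(grant)
        print(grant, "OK" if ok else "EXPOSES " + ", ".join(exposed))
    # Constructed list of files a module/theme job would touch.
    print(minimal_grant(["modules/blockcart/blockcart.php",
                         "themes/default-bootstrap/css/global.css"]))
```

The component-wise comparison in `is_within` is deliberate: a naive string prefix test would treat a grant on `modules` as also covering a sibling such as `modules_old`, and a grant on the empty string or `/` must be recognised as the root rather than as "nothing". `minimal_grant` is the question selectshop.at says to ask beforehand ("which files will you replace?") answered mechanically; feed its result back into `review_grant` and a job that claims to need the config folder is rejected outright.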

"A web developer of unknown or unproven skill, or simply an untrusted individual with skill is interviewed."

 

Only hire a trusted/proven resource with a known skill set and excellent reputation.

or

 

Create a test copy of your production shop as necessary for development by a 3rd party; when it is proven there, then you allow appropriate access for implementation.

9 months later...

What would be the only access folders that developers would need access to in the permissions section?

This depends on what the developer should do. Install a theme, debug a module? If it is a self-developed theme, then he should have access to the whole shop root. If it is only for his module, in most cases he needs access only to the folder /modules, but this also depends on the module....
