Support » Plugin: File Manager » Security Questions

  • Resolved hommealone

    (@hommealone)


    Hi,

    Just wondering… isn’t this plugin a security risk, giving any hacker who gains access to your admin area complete and easy access to each and every file on your server?

    What are your recommendations, if any, about the security aspects of this plugin, with regard to hackers, security concerns, etc?

    I usually use this to make my sites more secure:

    define( 'DISALLOW_FILE_EDIT', true );

    How does that affect your plugin – would that break your plugin, or would your plugin still work – and make that irrelevant?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author mndpsingh287

    (@mndpsingh287)

    Hey @hommealone,

    Thanks for contacting our support. No, it’s not a security risk: if anybody gets access to your backend, they can install any plugin or edit any file. It doesn’t matter if you installed this plugin or not. Please keep a stronger password or add 2FA to your site.
    This constant affects the functionality of this plugin, so we can’t add it for now.

    Regards,
    Mandeep

    hommealone

    (@hommealone)

    Thanks for your response @mndpsingh287.

    Here’s why I ask: I know that your plugin and other file manager plugins can be very helpful to some people in some situations (and yours seems particularly well designed!). I see where it could be a great help.

    But I ask because, although as you say,

    …if anybody gets access to your backend, they can install any plugin or edit any file…

    That certainly applies to a very determined and “talented” hacker. But I like to make it as difficult as possible for your average “joy ride” hacker (a “beginner” level hacker) to destroy my sites, and hope that if they run into a speedbump, they will simply move on to another, easier-to-hack website rather than puzzling out how to get around my protections.

    File managers like yours could make it easier for a “beginner” hacker to cause maximum damage, wouldn’t you agree? So I would like to put as many speedbumps in their way as possible. I am asking this question not because I want to use your plugin, but rather because I’d like to know whether I can block it from working if a hacker installs it.

    (I know that it’s not your responsibility to determine whether any person is going to use your plugin for good reasons, or for malicious reasons. And I hope that most people use it responsibly. Nonetheless, I’d like to block it.)

    So, would using this
    define( 'DISALLOW_FILE_EDIT', true );

    in my wp-config.php file prevent the plugin from working altogether, even preventing it from being able to edit the wp-config file?

    If the answer is no… would using that code in another file such as my functions.php file be any different? Can you think of any other things that I could do to prevent it from working?

    If the answer is yes (it would prevent the plugin from working at all)… do you think that would be the case for other file manager-type plugins as well? Could someone easily make a file manager plugin that could get around that, do you suppose?

    Thanks for your replies!

    hommealone

    (@hommealone)

    Apparently, if you are using
    define( 'DISALLOW_FILE_EDIT', true );
    the file manager plugin can still delete files.

    After some more research, I suppose you are right: no point in worrying about this. If someone with malicious intent accesses the admin area with admin privileges, they don’t need a plugin like this to totally destroy things, as you said.

    Again, nicely designed plugin! Thanks for your earlier response.
