Hi,
This is because we share some code between the 2 plugins, for example, to build our settings.
May I know why this is a problem, please?
Thanks
Hi Benjamin,
The reason is based on a basic tenet of web security: install what you need and no more.
Since the MainWP’s Dashboard is a management tool only (without any frontend components), we keep the least amount of plugins possible so as not to slow down the website.
Also, minimizing the # of non-essential plugins ensures we also minimize potential vulnerabilities, since there are fewer plugins to update and, therefore, fewer attack vectors.
I understand you’re wanting not to have the same code in two places, but given modern dev practices (git submodules, dependency managers, etc.), surely this could be automated so as not to require a ‘non-essential’ end-user plugin on a management console?
I hope this helps you understand, happy to discuss further if need be.
I understand your point of view, we’ll see if we can improve this for a future version.
In the meantime, if you want to drastically improve security, you can add an htaccess/htpasswd to your MainWP dashboard site.
Hi @jfarsen, if I may jump in, this isn’t unheard of; we even require Yoast to be installed on your Dashboard to use the WordPress SEO Extension.
I would also recommend the free Lock Extension for your Dashboard if you haven’t installed it yet.
Thanks
Dennis Dornon
MainWP
Benjamin: Thanks for looking into this, appreciated!
Dennis: I didn’t know Yoast was doing this as we don’t use that module, but if we did, I’d have the same reaction: I still don’t think it’s a good idea 🙂
Also, we already use the Lock extension, have firewalls and IP-locked access to our install, so we’re ok inbound security-wise.
Our concern is also platform stability… and the fewer plugins we have, the less update-related risk we have… and given it’s our business to manage client risk and update-related issues, we know it’s a (real) thing 😉
Thanks for chiming in!