Magento Forum

Magento Installation by Developer - Security Concerns
 
mirage22
Jr. Member
 
Total Posts:  2
Joined:  2011-08-12
 

Hi,

I gave the development of my website to a Magento developer.

Now that they have completed the development, they want access to cPanel, FTP, and Admin Information.

Should I give it? If I do give it, how do I secure access back? I know I can change FTP and cPanel passwords. How about the database?

Is there any other security concern I should be aware of?

After they install Magento and the theme on the website - what are the various security measures I should take?

Thanks for your support!

 
 
Rich Cleverley
Sr. Member
 
Total Posts:  285
Joined:  2009-01-20
 

I would imagine they are going to need access to be able to get it all set up on your server so unless you can do that yourself then I don’t see that you have a great deal of choice but to give them access.

You can change all your passwords if you are worried including the DB password (you’ll have to also change it in the app/etc/local.xml).

How are you going to manage this if your developer needs access afterwards for any bug fixing/future development?
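The database password change mentioned above, sketched as an added example that is not part of the original posts: it reads the connection block of a Magento 1 `app/etc/local.xml`, swaps in a new password, and produces the matching SQL. The sample file contents, the function names, the `account_host` default and the use of `ALTER USER` (MySQL 5.7.6 or later; older servers use `SET PASSWORD`) are assumptions.

```python
import re
import secrets
import string
import xml.etree.ElementTree as ET

# Constructed sample of a Magento 1 app/etc/local.xml; all values are made up.
SAMPLE_LOCAL_XML = """<?xml version="1.0"?>
<config><global><resources><default_setup>
  <connection>
    <host><![CDATA[localhost]]></host>
    <username><![CDATA[shop_user]]></username>
    <password><![CDATA[old-password-known-to-developer]]></password>
    <dbname><![CDATA[shop_db]]></dbname>
  </connection>
</default_setup></resources></global></config>
"""
CONN_PATH = "global/resources/default_setup/connection"

def db_settings(local_xml):
    """Read the default_setup connection fields as a dict."""
    conn = ET.fromstring(local_xml).find(CONN_PATH)
    if conn is None:
        raise ValueError("no default_setup connection block found")
    return {child.tag: (child.text or "") for child in conn}

def new_password(length=32):
    """Random alphanumeric password: needs no escaping in SQL or CDATA."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def rotate(local_xml, password, account_host="localhost"):
    """Return (updated local.xml text, SQL to run as a database admin)."""
    user = db_settings(local_xml)["username"]
    if not password.isalnum() or "'" in user + account_host:
        raise ValueError("value would need escaping; refusing to build SQL")
    # Touch only the <password> element; refuse if the file has several.
    updated, count = re.subn(r"<password>.*?</password>",
        "<password><![CDATA[" + password + "]]></password>", local_xml, flags=re.S)
    if count != 1:
        raise ValueError("expected exactly one <password> element, found %d" % count)
    if db_settings(updated)["password"] != password:
        raise ValueError("rewritten file does not parse back to the new password")
    sql = "ALTER USER '%s'@'%s' IDENTIFIED BY '%s';" % (user, account_host, password)
    return updated, sql

if __name__ == "__main__":
    new_xml, statement = rotate(SAMPLE_LOCAL_XML, new_password())
    print(statement)  # run this in MySQL first, then save new_xml as local.xml
```

The shop cannot reach the database between the SQL change and the file update, so do both in one short maintenance window.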

 
 
thebod
Moderator
 
Total Posts:  81
Joined:  2010-08-11
 

Hey,

The point is: as soon as someone gets access to your server he is able to place backdoors and take over the whole system.
The other point is: do you really think a company would do this and take the risk that someone finds the backdoor and is able to prove that the company backdoored a server?

I would give them access, if it’s a company you trust in. If not, I wouldn’t even install any software from them.

Best,
thebod

 
 
Rich Cleverley
Sr. Member
 
Total Posts:  285
Joined:  2009-01-20
 

thebod sums it up pretty much.  If you don’t trust a developer to have access to your systems then I can’t see how you can trust any of their code.  In the end I would imagine (and hope) that the developer you used is trustworthy and that you don’t have anything to worry about.  Check your contracts and make sure they are tight if you are really concerned.

 