Is it possible to disable the capabilities of the Add From Server plugin with BPS? It can see the / of the server. While it is designed to do that, I’d feel more comfortable if it were only capable of that after whitelisting the plugin in BPS.
It looks like the normal functionality of the Add From Server plugin needs to be able to access your hosting account folders. Basically it is just a file upload form in the backend WP Dashboard. Plugins are only accessible if someone with the Administrator Role logs into a website. So if a hacker has WordPress Administrator Role permissions to your WordPress Dashboard then it would be game over anyway since anyone with Administrator permissions can install anything they want to install. 😉 The Add From Server plugin has User Access Control Role option settings so that if you hired someone to work on your website and gave that person Administrator Role permissions then the Add From Server plugin would not let them access the Add From Server plugin. At least that is what the description of that option sounds like it does.
Yes, and that’s not all. The plugin can access / of the server, not / of the hosting account. By clicking ‘parent directory’ in the plugin a few times, I see all directories and files on the server from root and can import any of them. Don’t think anyone should be able to do that from a plugin. Short of blocking installation of the plugin, can BPS block the access?
BPS Pro could block the plugin from working altogether if that is what you want, but BPS Pro could not limit the plugin’s capabilities. I think you should contact the Add From Server plugin author and express your concerns. The plugin author may already have a solution created for your concerns or could add a new feature that would address your concerns.
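
The concern raised in this thread is that clicking "parent directory" repeatedly reaches / of the server. The following is an added example, not part of the thread and not code from the Add From Server plugin or BPS, of the kind of base-directory confinement check a file-browsing plugin can apply before listing or importing a path. The helper name `confine_path()` and the directory layout are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not the plugin's or BPS's code.

/**
 * Resolve $requested relative to $base and return the canonical path
 * only if it stays inside $base; otherwise return null.
 */
function confine_path(string $base, string $requested): ?string
{
    $realBase = realpath($base);
    if ($realBase === false) {
        return null; // base directory does not exist
    }
    // realpath() collapses "..", "." and symlinks, so the comparison
    // below is made on the location actually reached on disk.
    $target = realpath($realBase . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return null; // path does not exist
    }
    if ($target === $realBase) {
        return $target; // the base directory itself is allowed
    }
    // Compare with a trailing separator so ".../site" does not also
    // match a sibling directory such as ".../site-old".
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed sample tree: <tmp>/afs-demo-XXXX/site/uploads plus a sibling site-old.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'afs-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/site/uploads', 0700, true);
mkdir($root . '/site-old', 0700, true);
$base = $root . '/site'; // stands in for the hosting account / WordPress folder

// Constructed requests, including repeated "parent directory" steps.
$requests = ['uploads', 'uploads/..', '..', '../..', '../site-old', '../../../../'];
foreach ($requests as $r) {
    $result = confine_path($base, $r);
    printf("%-14s => %s\n", $r, $result === null ? 'DENIED' : 'allowed');
}
```

A check like this only limits what the plugin's own browser will accept; restricting what PHP itself can read on the server is a hosting-level setting outside the plugin.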