Pinegrow is a powerful tool for creating WordPress themes and plugins directly on your site. It is your responsibility to use it securely.
User roles and capabilities
Only give Pinegrow access to trusted users at the level of site administrators.
User roles defined in Pinegrow settings are allowed to edit projects with Pinegrow, but only users with the install_plugins capability are able to export PHP code for themes and plugins to the site.
DISALLOW_FILE_EDIT WordPress constants. When either of these is
true, the projects will not be exported.
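To see who the export rule described above actually applies to on a given site, the following read-only audit lists the roles and users that hold install_plugins and reports the state of DISALLOW_FILE_EDIT. It is an added example, not Pinegrow's own code; it assumes it runs inside a loaded WordPress (for instance with WP-CLI's `wp eval-file`), the file name is hypothetical, and it does not read the roles configured in Pinegrow settings.

```php
<?php
// Added example (not part of Pinegrow). Hypothetical file name:
//   wp eval-file pinegrow-export-audit.php
// Read-only: it only reports, it changes no roles, users or constants.

// 1. Roles whose stored capability list grants install_plugins.
$roles_with_cap = array();
foreach ( wp_roles()->roles as $slug => $role ) {
    if ( ! empty( $role['capabilities']['install_plugins'] ) ) {
        $roles_with_cap[] = $slug;
    }
}
echo 'Roles with install_plugins: '
    . ( $roles_with_cap ? implode( ', ', $roles_with_cap ) : '(none)' ) . PHP_EOL;

// 2. Users who effectively hold the capability. user_can() resolves the
//    effective result, so capabilities granted to a single user and
//    site-level restrictions are taken into account.
$holders = 0;
foreach ( get_users() as $user ) {
    if ( user_can( $user, 'install_plugins' ) ) {
        $holders++;
        printf(
            "  %s (ID %d, roles: %s)\n",
            $user->user_login,
            $user->ID,
            implode( ', ', (array) $user->roles )
        );
    }
}
echo "Users able to export PHP code if given Pinegrow access: {$holders}" . PHP_EOL;

// 3. State of the constant named on this page. It is normally defined in
//    wp-config.php; undefined counts as "not set".
$file_edit_locked = defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT;
echo 'DISALLOW_FILE_EDIT: ' . ( $file_edit_locked ? 'true' : 'not set or false' ) . PHP_EOL;

// 4. Flag the combination worth reviewing: more than one account can write
//    PHP to the site and the constant is not locking file edits.
if ( $holders > 1 && ! $file_edit_locked ) {
    echo 'Review: several accounts hold install_plugins and DISALLOW_FILE_EDIT is not set.' . PHP_EOL;
}
```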
Consider Pinegrow to be similar to SFTP access or WordPress dashboard
Think of Pinegrow as another way to directly access your site, similar to using SFTP or uploading themes and plugins through the WordPress dashboard.
Only open trusted source projects
When deciding which projects to import and open with Pinegrow, exercise the same caution as you would when deciding which plugins and themes to install on your site.
Deactivate the Pinegrow plugin when you do not use it
Deactivate the Pinegrow plugin if you will not be using it for an extended period of time. This will help ensure the security and integrity of your website.
Bounties for reporting security bugs
Did you discover a security vulnerability in the Pinegrow plugin? We would love to hear about it. Read our guide on responsible disclosure and bounties.