Pinegrow is a powerful tool for creating WordPress themes and plugins directly on your site. It is your responsibility to use it securely.
User roles and capabilities
Only give Pinegrow access to trusted users at the site-administrator level.
User roles selected in Pinegrow settings are allowed to edit projects with Pinegrow, but only users with the install_themes and install_plugins capabilities are able to export PHP code for themes and plugins to the site.
Pinegrow respects the DISALLOW_FILE_MODS and DISALLOW_FILE_EDIT WordPress constants. When either of these is true, projects will not be exported.
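The export gate described above, written out as an added PHP example that is not Pinegrow's own code: the function names and the nonce action are hypothetical, and the WordPress functions user_can, check_ajax_referer and wp_send_json_error are assumed to be available.

```php
<?php
// Added example, not part of the Pinegrow plugin. pinegrow_export_denial_reasons(),
// pinegrow_handle_export_request() and the 'pinegrow_export' nonce action are
// hypothetical names chosen for this illustration.

/**
 * Return the reasons a user may NOT export theme/plugin PHP to the site.
 * An empty array means the export is allowed.
 */
function pinegrow_export_denial_reasons( int $user_id ): array {
    $reasons = array();

    // Site-wide kill switches: either constant being true blocks every export.
    if ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS ) {
        $reasons[] = 'DISALLOW_FILE_MODS is true';
    }
    if ( defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT ) {
        $reasons[] = 'DISALLOW_FILE_EDIT is true';
    }

    // Per-user capabilities: being allowed to edit a project is not enough; the
    // user must hold both capabilities that govern installing themes and plugins.
    foreach ( array( 'install_themes', 'install_plugins' ) as $cap ) {
        if ( ! user_can( $user_id, $cap ) ) {
            $reasons[] = "user lacks the {$cap} capability";
        }
    }
    return $reasons;
}

/**
 * Admin-AJAX handler sketch: refuse with HTTP 403 unless the policy passes.
 */
function pinegrow_handle_export_request(): void {
    check_ajax_referer( 'pinegrow_export', 'nonce' ); // CSRF protection
    $reasons = pinegrow_export_denial_reasons( get_current_user_id() );
    if ( ! empty( $reasons ) ) {
        wp_send_json_error( array( 'reasons' => $reasons ), 403 );
    }
    // ... write the exported theme/plugin files to disk here ...
    wp_send_json_success();
}
add_action( 'wp_ajax_pinegrow_export', 'pinegrow_handle_export_request' );
```

Adding `define( 'DISALLOW_FILE_MODS', true );` to wp-config.php is the site-level way to make the first check fire for every user, regardless of role.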
Consider Pinegrow to be similar to SFTP access or the WordPress dashboard
Think of Pinegrow as another way to directly access your site, similar to using SFTP or uploading themes and plugins through the WordPress dashboard.
Only open trusted source projects
Avoid importing and opening projects from untrusted sources. Projects can contain JavaScript code that is executed in the browser when the project is loaded in Pinegrow. Malicious projects could contain JavaScript code that would insert unauthorized PHP code that would then be exported to plugins and themes.
When deciding which projects to import and open with Pinegrow, exercise the same caution as you would when deciding which plugins and themes to install on your site.
Deactivate the Pinegrow plugin when you do not use it
Deactivate the Pinegrow plugin if you will not be using it for an extended period of time. This will help ensure the security and integrity of your website.
Bounties for reporting security bugs
Did you discover a security vulnerability in the Pinegrow plugin? We would love to hear about it. Read our guide on responsible disclosure and bounties.