blogtutor / blog-tutor-support

Custom Support Plugin for NerdPress Clients

added feature to add mu-plugin to disable plugins via query string #305

Open yamilrosa opened 9 months ago

ecotechie commented 5 months ago

Can we use nonces for this?

1337rout commented 5 months ago

> Can we use nonces for this?

No, I don't think we should, but they could be a part of a larger strategy. I think our quickest solution would be to just not allow disabling of security plugins and get a small list of those.

They help protect against several types of attacks including CSRF, but do not protect against replay attacks because they aren’t checked for one-time use. Nonces should never be relied on for authentication, authorization, or access control. Protect your functions using current_user_can(), and always assume nonces can be compromised. See WP Dev Resources for more.

ecotechie commented 5 months ago

> I think our quickest solution would be to just not allow disabling of security plugins and get a small list of those.

I think the purpose of this code is to allow us to troubleshoot problems by having a way to deactivate a plugin(s) to see if the issue is resolved.

We should be able to wrap some of this code with our is_nerdpress() method to verify it's our user doing this. On top of other security measures.

blogtutor commented 5 months ago

> We should be able to wrap some of this code with our is_nerdpress() method to verify it's our user doing this. On top of other security measures.

We need to be able to do this while logged-out, so the various optimization tools will be active.

blogtutor commented 5 months ago

What about having a list of all plugins show up in our plugin's settings page, and then we can check a box to allowlist the logged-out disabling of specific ones? And then that allowlisting can automatically reset itself after an hour (or some such).
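An added illustration, not code from blog-tutor-support, of how the two points above fit together: the nonce/capability advice (a nonce only blocks CSRF; `current_user_can()` is what authorizes the action) and the time-limited allowlist that resets itself after an hour. Function names, the transient name and the protected-plugin list are assumptions for this sketch; the allowlist lives in a transient so it expires on its own, and the front-end request never writes to the database.

```php
<?php
/**
 * Plugin Name: Logged-out plugin disabling (illustrative mu-plugin, not the support plugin's code)
 */

// Hypothetical names; not taken from blog-tutor-support.
const NP_ALLOWLIST_TRANSIENT = 'np_logged_out_disable_allowlist';
const NP_ALLOWLIST_TTL       = HOUR_IN_SECONDS; // allowlist resets after an hour

// Plugins that may never be disabled from a logged-out request (constructed placeholders).
function np_protected_plugins() {
    return array( 'example-security/example-security.php', 'example-firewall/example-firewall.php' );
}

// Settings-page handler. The capability check is the authorization; the nonce
// (check_admin_referer) only protects the form against CSRF, as the thread notes.
function np_save_allowlist( array $posted ) {
    if ( ! current_user_can( 'activate_plugins' ) ) {
        return false;
    }
    check_admin_referer( 'np_allowlist' ); // wp_die()s on a bad or missing nonce
    $allowed = array_values( array_diff(
        array_map( 'sanitize_text_field', $posted ),
        np_protected_plugins()
    ) );
    // The transient carries its own expiry, so no cron or manual reset is needed.
    set_transient( NP_ALLOWLIST_TRANSIENT, $allowed, NP_ALLOWLIST_TTL );
    return $allowed;
}

// Front-end path: ?np_disable=slug/file.php[,more] is honoured only for plugins
// currently in the unexpired allowlist. Filtering option_active_plugins affects
// this request only; the stored option is untouched.
function np_filter_active_plugins( $active ) {
    if ( empty( $_GET['np_disable'] ) ) {
        return $active;
    }
    $allowed = get_transient( NP_ALLOWLIST_TRANSIENT );
    if ( ! is_array( $allowed ) || empty( $allowed ) ) {
        return $active; // allowlist expired or never set: ignore the query string
    }
    $requested = array_map( 'sanitize_text_field', explode( ',', wp_unslash( $_GET['np_disable'] ) ) );
    $to_remove = array_intersect( $requested, $allowed );
    return array_values( array_diff( (array) $active, $to_remove ) );
}
add_filter( 'option_active_plugins', 'np_filter_active_plugins' );
```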

1337rout commented 5 months ago

I've been thinking about this one a lot lately. I personally think a Chrome or Firefox extension using an Application password and API powered by the support plugin to be able to authenticate and disable plugins from a quick click in the browser for troubleshooting purposes would work best. This would let us have it for debugging while also staying a little more secure since it would require a secret application password that could be tied to the NerdPress user account for doing the actions.

This would also open up a ton more possibilities within the extension like showing data from relay in it, Cloudflare metrics, list of currently open hubscout tickets, etc.