Requesting Aide from Security folks, in community support, for Local v. 7.1.0+6396 and....sigh

What issue or error are you experiencing?

Latest update of Local means I’m able to push/pull via local WITHOUT being logged in to Local HUB, via signin/2FA confirmation - -

How vulnerable is my Local installation after update?
How concerned should I be?
Why, after not being able to access my sites in Local to push/pull UNLESS I log into Local (via login/2FA) can I, after update - pull a site down from production Flywheel site whether I’m securely logged in or not? Please explain it to me like I’m a 5 year old/idiot thanks -

This is factor this morning, AGAIN, is very concerning to me - so, I’m doing my best to try to help myself and my clients, even while, so many other factors (listed below in info/tools used to explain to me what alerts/things I should notice/pay attention to EVEN while I cannot replicate the knowledge or expertise DRIVING those alerts)

What steps can be taken to replicate the issue? Feel free to include screenshots, videos, etc

Screen shot attached of local installation of local/one website, that was pulled from production this morning sans me logging in via 2fa Local Hub login (see disclaimer at end of message to explain why I am behind on Local/etc.)

System Details

  • Local Version: 7.1.0+6396

  • Operating System (OS) and OS version: macOS Monterey v 12.6.58 with Malwarebytes installed, on secured local internet connection, hardwired ‘not wi-fi’ for internet and and scans say I’m clean/not compromised other than an email address put in the wild by medical provider/credit bureau over 8 years ago NO reused/simple passwords/use password manager - also secured by 2fa by separate device, set to NOT auto connect to any (free/secured/not) internet service if I’m not at home - sigh -

Local Logs

Attach your Local Logs here (Help Doc - Retrieving Local’s Log) and at this point? I’m tired of trusting various fronts on many fronts, trying to figure out who actually cares about this or who is social engineering me, because I just need help - with services that change, all the durn time, and I’m left to the community support of masses who figure I’m the problem - not willing to read anything and forums where I have nothing to offer, really, in trying to be usefull to the community that helps me -

Yeah - happy to work with someone on this or provide to vetted folks who sincerely, wish to help - otherwise? I’ll ignore most replies - overall - because … "See my added *DISCLAIMER for request below:

Security Reminder
Local does a pretty good job of scrubbing private info from the logs and the errors it produces, however there’s always the possibility that something private can come through. Because these are public forums, always review the screenshots you are sharing to make sure there isn’t private info like passwords being displayed.


You can , if you’;ve even read this far, before knee jerk judgement or ignoring the question see, below, my own Disclaimer which expounds upon my ‘too long/didn’t read’ personal ways - when I ask for help from folks way smarter than I - which I’m often guilty of -

Me? Well - I do my best to not make anyone else do my work, for free, ON THE other hand, when I’m offloaded to community support/group social media groupthink/forums for those who can read and say, "okay - what you are asking is - - " when I do my best to just log a question and say it all at one point, and not in need of immediate support for hacked/compromised site?

This is how I still roll - in my experience? There are 3 insta responses on this front - 4 if you count non-responses:

  1. newbie tech/form support in training - that won’t read but instead “Can you describe the problem in a way that works for me?/format” to meet response times
  2. Old-hats, very smart folks who will scan and say, “Why on earth does she even think she is smart enough/professional enough to use this tool?”
  3. Marketing operations for branding, may also, see this - because I will ask questions (used to be this, now it’s that, and I paid in early days to supp;ort dev of many things, for things now made freely available, if only, I do self-help in forums where I have never fitted in - or know how to ask or help others, in trade, properly -

Hi @tank13 - happy to help!

Local is not capable of pushing to or pulling from Flywheel without being properly authenticated with Flywheel inside the app. You can rest assured that your sites (and your clients and their info) are secure on Flywheel.

Your Local account (log in by visiting Local Hub, and your Flywheel hosting account are not the same. This is definitely a confusing workflow, and not the first time we have heard users have questions about it.

Logging into Local Hub unlocks development features like Live Links and Cloud Backups where we need to associate a user and their site to their Local app. This ensures your backups are only shown to you, your Live Links URLs are unique to you, etc.

Logging into Flywheel, a separate account, is done in the Local Connect window. See my screenshot below. If you visit the Connect tab in Local, you will see that you can remain authenticated with Flywheel even if you are not logged into Local. Hopefully this makes sense and eases your concerns, but I am happy to answer any questions you have.

Thank you Austin - appreciate it! I just in the past wasn’t able to push/pull when I wasn’t logged into my hub account - so when I started to pull an account - yet not logged into the Hub account - freaked me out! Been a while since I pushed/pulled so wasn’t sure which update - etc., but was pulling site while try troubleshoot some other thing - and guess I was on high alert something was compromised!

Thanks so much for your kind, helpful and prompt reply.


This topic was automatically closed 36 hours after the last reply. New replies are no longer allowed.