Understanding plugin permissions — what you are granting
Every plugin in the marketplace declares the data and APIs it needs. Read this before installing to understand what access you're granting.
When you install a plugin from the VeloCMS marketplace, you see a permissions screen listing what that plugin will be able to access. This is not a formality — read it. A poorly scoped plugin can read your posts, access your member list, or send emails on your behalf.
The four permission levels
- Read-only — can read your posts, pages, and public metadata. Cannot write or delete anything. Low risk.
- Read-write — can create, update, and delete posts and pages. Use only for plugins you fully trust (editorial tools, AI assistants).
- Member access — can read your member list (names, emails, subscription status). Use only for CRM, analytics, or email tools you trust. GDPR applies to these plugins.
- Settings access — can read and write your blog settings. Use only for automation or deployment tools. Treat the same as admin access.
Reviewing permissions before installing
On the plugin detail page, scroll to the Permissions section before clicking Install. The permissions are listed plainly in English — no technical jargon. If a comment widget requests 'Member access', ask yourself why it needs your subscriber list. If the answer isn't obvious from the plugin's purpose, don't install it.
Plugins developed by third parties are not audited by VeloCMS on every update. If a plugin's permissions change in an update, you'll see a permissions re-consent screen before the update applies. Do not skip this screen.
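The review questions above can also be applied as a repeatable check across several plugins. The following is an added example, not VeloCMS code: the plugin record format (`name`, `purpose`, `first_party`, `permissions`) and the purpose labels are assumptions made for illustration, and the mapping of permissions to justified purposes is taken from the permission descriptions on this page.

```python
# Added example; the plugin record format below is hypothetical, not a VeloCMS export.
# Purposes the page names as reasonable for each permission level.
# "Read-only" is accepted for any plugin, since the page rates it low risk.
JUSTIFIED = {
    "Read-write": {"editorial", "ai-assistant"},
    "Member access": {"crm", "analytics", "email"},
    "Settings access": {"automation", "deployment"},
}

def review(plugin):
    """Return findings for one plugin record."""
    findings = []
    for perm in sorted(plugin["permissions"]):
        if perm == "Read-only":
            continue
        if perm not in JUSTIFIED:
            findings.append(f"{perm}: unknown permission level, review manually")
            continue
        if plugin["purpose"] not in JUSTIFIED[perm]:
            findings.append(f"{perm}: not explained by purpose '{plugin['purpose']}'")
        if perm == "Member access" and not plugin["first_party"]:
            findings.append("Member access: third party, check the developer's privacy policy")
    return findings

def added_on_update(installed, update):
    """Permissions an update requests that the installed version did not have."""
    return sorted(set(update["permissions"]) - set(installed["permissions"]))

# Constructed sample records (plugin names are made up).
COMMENTS = {"name": "Example Comments", "purpose": "comments", "first_party": False,
            "permissions": ["Read-only", "Member access"]}
COMMENTS_V2 = dict(COMMENTS, permissions=["Read-only", "Member access", "Settings access"])
NEWSLETTER = {"name": "Example Newsletter", "purpose": "email", "first_party": False,
              "permissions": ["Read-only", "Member access"]}
EDITOR = {"name": "Example Editor", "purpose": "editorial", "first_party": True,
          "permissions": ["Read-write"]}

if __name__ == "__main__":
    for p in (COMMENTS, NEWSLETTER, EDITOR):
        print(p["name"], review(p) or "no findings")
    print("update adds:", added_on_update(COMMENTS, COMMENTS_V2))
```

A non-empty result from `added_on_update` corresponds to the case where the re-consent screen appears, and the newly requested permissions deserve the same scrutiny as a fresh install.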
Revoking plugin access
Go to Admin → Plugins → [plugin name] → Settings → Revoke access. This immediately invalidates the plugin's API tokens. The plugin can no longer make any calls to your blog's data. If the plugin is an installed extension that modifies your admin UI, it will stop functioning until you re-authenticate or uninstall it.
VeloCMS plugins vs third-party plugins
Plugins listed as 'by VeloCMS' are developed and maintained by the VeloCMS team and are audited on every release. Third-party plugins display the developer's name and contact email. For third-party plugins, check the developer's website and privacy policy before granting Member access — your subscriber data is your responsibility under GDPR.