Database access and security
Does Spotlight have access to the database of your WordPress site once it's installed and activated?
This is a question we've come across from a few developers, so here's the breakdown of how Spotlight works in this regard.
All WordPress plugins have access to the entire database. Plugins are written in the PHP programming language, just like WordPress. They also run in the same process as WordPress and share the same environment, RAM, and storage. For all intents and purposes, once a plugin is activated, it becomes a part of WordPress. Anything WordPress can do, a plugin can also do.
Most plugins use the database for storing settings, transient values, user content, metadata, etc. Security concerns arise when a plugin’s interactions with the database are outside the scope of the plugin, or when a plugin sends sensitive data that is taken from the database to some external source without the user’s knowledge or consent. This is often called “tracking” or “spying”.
Spotlight does neither of these.
The proof of this is in the source code of the plugin, which can be downloaded by anyone. We don't expect anyone to audit every plugin they intend to use, and that's why we rely on our good standing and strong reputation within the WordPress and software communities for people to trust that our intentions are good.
If absolutely necessary, you may also install a database monitor to keep an eye on what happens in your database, as well as a network monitor to see what data is entering and leaving your WordPress site.