How It Is

Mailbag: Access and Security

Not everyone needs to be an admin. The path of least resistance is often the wiser one.

In the midst of a longer set of forum posts about how to stop a plugin from being updated because you’ve edited it, someone said that their real issue was that other people on the site were doing the updating.

Now please don’t say that we should give them minimum privileges …

Actually. That’s precisely what I’m going to say.

1) Do not make anyone an admin whom you do not explicitly trust.

2) As the admin, test all plugins before updating.

3) If a plugin is constantly releasing unstable updates, stop using the plugin and look for alternatives.

3a) But make sure it’s not your theme or a conflict with another plugin first. It may be something else’s fault.

4) Stop editing plugins directly.

5) Treat every upgrade as a serious thing.

Now. I know why the guy doesn’t want to hear “You’re doing it wrong.” But the truth is this. If you give people who are irresponsible enough to update things the ability to update things, they’re gonna update things!

True story? On one of our company sites, one of the guys has access to update all the things. He did and broke the site. I jumped in, told him “Don’t do that, please, ask me next time.” and I fixed it. And then I went through everyone who had admin access and locked their accounts down to Editors. The exceptions were the people who legitimately needed that access.

And yes, WordPress needs more granular user roles/controls. I want that user to have access to administer all posts and add new users. I don’t want him anywhere near the plugins and themes. But I evaluated the risk vs reward of his access, and since he’s educatable, I felt it was safe to leave him there. Plus he knows right away to call me if he breaks things.

That goes back to the trust aspect, though. I trust him.

Trusting people with access to aspects of your site reflects your understanding of what that access means. Making everyone and their brother an admin is reckless, not to sugarcoat the situation. Only people who must be admins should have admin access. It’s really that simple. And if you insist there’s no other way around it, then you’re not paying close enough attention.

Make a list of what your users need to do. Not what they want, what they need. And be serious here. Do they need to update plugins or do you do it for them in a reasonable timeframe? Do they really need to be able to add users? Remember though, we’re asking what they need, not you. Go to WordPress’ list of Roles and Capabilities and take note of what they actually can do.

Now, as I said before, the roles, controls and capabilities of WordPress leave a lot to be desired. But thankfully WordPress has add_cap(), so you can adjust roles yourself.

Here’s how Isabel Castillo did it:

function isa_editor_manage_users() {
    if ( get_option( 'isa_add_cap_editor_once' ) != 'done' ) {
        // let editor manage users
        $edit_editor = get_role('editor'); // Get the user role
        $edit_editor->add_cap('edit_users'); // grant the user-editing capability
        $edit_editor->add_cap('list_users'); // and let them see the Users screen
        update_option( 'isa_add_cap_editor_once', 'done' ); // only run once; roles persist in the database
    }
}
add_action( 'init', 'isa_editor_manage_users' );

You only need to do that once, since roles and caps are stored in the database rather than rebuilt on every load (see above, the controls need to be better). Still. Now your editors can edit users. Brilliant.
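As an added example (not Isabel’s code or anything from the original post), here is how the same APIs can build the role I wished for above: one that can administer posts and add users but cannot touch plugins, themes or core updates. The role slug, display name and option name are made up for this example, and it assumes it runs from a plugin file.

```php
<?php
/**
 * Added example, not from the original post: a "Content Manager" role that
 * starts from Editor, gains user management, and is explicitly denied every
 * capability that alters plugins, themes or core. Role slug, display name
 * and option name are assumptions made for this example.
 */

function howitis_example_create_content_manager_role() {
    // Run once: add_role() persists the role to the database.
    if ( get_option( 'howitis_example_role_once' ) === 'done' ) {
        return;
    }

    // Start from Editor, not Administrator, so anything not listed stays denied.
    $editor = get_role( 'editor' );
    if ( ! $editor ) {
        return;
    }
    $caps = $editor->capabilities;

    // Grant only the user-management capabilities the post calls for.
    foreach ( array( 'list_users', 'edit_users', 'create_users', 'promote_users' ) as $cap ) {
        $caps[ $cap ] = true;
    }

    // Belt and braces: strip the site-altering capabilities even if a plugin added them to Editor.
    $denied = array(
        'install_plugins', 'activate_plugins', 'update_plugins', 'edit_plugins', 'delete_plugins',
        'install_themes', 'switch_themes', 'update_themes', 'edit_themes', 'delete_themes',
        'update_core', 'manage_options',
    );
    foreach ( $denied as $cap ) {
        unset( $caps[ $cap ] );
    }

    add_role( 'content_manager', 'Content Manager', $caps );
    update_option( 'howitis_example_role_once', 'done' );
}
add_action( 'init', 'howitis_example_create_content_manager_role' );

// Audit helper for the "go through everyone who has admin access" step:
// returns the login names of every account still holding Administrator.
function howitis_example_list_admin_logins() {
    $admins = get_users( array( 'role' => 'administrator' ) );
    return array_map( function ( $user ) { return $user->user_login; }, $admins );
}
```

After activating, move the people who only need content and user management to Content Manager and review the list from howitis_example_list_admin_logins() until it contains nobody who does not genuinely need to be an admin.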

So yes. I will tell you you’re doing it wrong, especially when you’re doing it in a way that is dangerous and risky in the long run.

Don’t let the toddlers try to drive the car.