Early on in our Security Plugin development we identified a flaw in all existing WordPress security plugins – they lacked protection against tampering with the security plugin itself.
2 years ago we introduced the 1st version of our Admin Access system – it prevented anyone without the access key from changing the security plugin settings.
With our latest release, we’ve done 2 things:
- We’ve renamed the feature from “Admin Access” to “Security Admin”, and
- We’ve added a new option – to block the creation, editing, and deletion of any WordPress administrator users.
This short article will quickly run you through both of these.
Why did we change the name?
This is quite simple to explain. We were never happy with the name “Admin Access” since it didn’t quite say what it was.
There’s no obvious difference between “Admin Access” and an “administrator accessing” the dashboard. It also didn’t quite flow smoothly when describing its feature sets… it always seemed to need clarification.
We’re hoping that ‘Security Admin’ will be more intuitive going forward. What are your thoughts on the change?
New Option: Block Administrator User Modification
WordPress didn’t make it easy to create restrictions on the creation, promotion, demotion, and deletion of administrator users. However, with our new security option enabled, this is what we’ve been able to achieve:
- No user, administrator or otherwise, may create any new user with the administrator role.
- No user, administrator or otherwise, may promote an existing user to the administrator role.
- No user, administrator or otherwise, may demote an existing administrator user from the administrator role.
- No user, administrator or otherwise, may delete any user that currently has an administrator role.
Exception: Any plugin code may programmatically bypass these restrictions.
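To make the four restrictions above concrete, here is an added illustration (not the plugin's own code) of how they can be enforced with standard WordPress hooks. It hides the administrator role from the role selectors (which covers creation with the admin role and promotion to it), denies the per-user capabilities for editing, promoting and deleting other administrators (which covers demotion and deletion), and logs any role change that slips through while unauthenticated. The function `security_admin_is_authenticated()` is an assumed placeholder for whatever access-key check the real feature performs; everything else uses documented WordPress filters and actions. Because it works through capability checks, code that calls `wp_insert_user()` or `WP_User::set_role()` directly is not blocked, which matches the exception stated above.

```php
<?php
/**
 * Illustrative mu-plugin: block creating, promoting, demoting and deleting
 * administrator users unless the current session holds the security-admin key.
 * Added example, not the security plugin's own code.
 */

// Assumed placeholder for the real "Security Admin" key check. In this
// illustration every session is treated as unauthenticated.
function security_admin_is_authenticated(): bool {
    return false;
}

// True when the given user currently holds the administrator role.
function sa_user_is_admin( int $user_id ): bool {
    $user = get_userdata( $user_id );
    return $user && in_array( 'administrator', (array) $user->roles, true );
}

// 1. Remove "Administrator" from the role dropdowns on user-new.php and
//    user-edit.php. edit_user() rejects any role missing from this list, so this
//    blocks both creating a new admin and promoting an existing user to admin.
add_filter( 'editable_roles', function ( array $roles ): array {
    if ( ! security_admin_is_authenticated() ) {
        unset( $roles['administrator'] );
    }
    return $roles;
} );

// 2. Deny the per-user meta capabilities when the target is an administrator
//    other than the current user. edit_user/promote_user cover demotion via the
//    profile screen; delete_user/remove_user cover deletion (single and multisite).
//    Adding 'do_not_allow' makes WP_User::has_cap() return false unconditionally.
add_filter( 'map_meta_cap', function ( array $caps, string $cap, int $user_id, array $args ): array {
    $guarded = [ 'edit_user', 'promote_user', 'delete_user', 'remove_user' ];
    if ( ! in_array( $cap, $guarded, true ) || security_admin_is_authenticated() ) {
        return $caps;
    }
    $target = isset( $args[0] ) ? (int) $args[0] : 0;
    if ( $target && $target !== $user_id && sa_user_is_admin( $target ) ) {
        $caps[] = 'do_not_allow';
    }
    return $caps;
}, 10, 4 );

// 3. Detection, not prevention: record any administrator role change that
//    happens while unauthenticated (for example from plugin code using the
//    programmatic bypass), so an unexpected change shows up in the PHP error log.
add_action( 'set_user_role', function ( int $user_id, string $role, array $old_roles ): void {
    if ( security_admin_is_authenticated() ) {
        return;
    }
    $was_admin = in_array( 'administrator', $old_roles, true );
    $is_admin  = ( 'administrator' === $role );
    if ( $was_admin !== $is_admin ) {
        error_log( sprintf(
            'security-admin: administrator role %s for user %d by user %d without access key',
            $is_admin ? 'granted' : 'removed',
            $user_id,
            get_current_user_id()
        ) );
    }
}, 10, 3 );
```

Drop the file into `wp-content/mu-plugins/` to try it on a test site. The capability filter exempts the current user's own account, mirroring the "except yourself" behaviour described later in this article, and step 3 deliberately only logs rather than reverting, since reverting inside `set_user_role` would itself fire the hook again and would also break the documented programmatic exception.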
Why is this option necessary and when would you use it?
An extra layer of protection to the creation and modification of administrator users makes it more difficult for unauthorized users to gain permanent and unrestricted site access.
This can apply to hacking attempts that gain administrator access for any reason. It can also protect against malicious users who intend to remove administrator access from other site admins.
Generally, site admins are not fluid – they don’t change very often – so this option shouldn’t interfere with day-to-day operations.
You can now also grant administrator access to anyone knowing that they cannot modify your site access privileges, or that of any other admin user.
Be careful though: the ‘Security Admin’ system is limited to a single access key. You will need to communicate with fellow site administrators about the changes you’ve made if you put this in place – you will be restricting one of their abilities.
How to enable this option
This option is only available from Security Plugin version 4.13.0.
This option is found within the ‘Security Admin’ module and is not enabled by default.
See the screenshot:
When this option is enabled and while you are not authenticated with the plugin’s security admin system, you will be restricted from modifying any administrator users (except yourself).
You will be presented with a notice that warns you of this restriction and a link to remove it.
To remove the restriction all you need to do is enter your Security Admin Access Key and you’re good to go.
See screenshot below:
Feedback and Suggestions
As always, we value your suggestions and your feedback on this feature and any others. Please do leave us comments below if you have any suggestions and ideas.