WordPress is_admin unsafe & On Your Site

What is WordPress is_admin and how is it on my site?

is_admin is a WordPress function for plugins and themes that developers routinely misunderstand. The name sounds like code that makes sure the current user is an administrator, but that isn’t what it does. Instead, is_admin() only checks whether the request is for an administrator-side page. Unfortunately, WordPress designed some administrator-side pages that anyone can access without being logged in. This makes is_admin useless as a security measure, which the documentation page itself notes.

How is it on my WordPress site? Is this a WordPress vulnerability?

The majority of plugin developers don’t understand exactly how is_admin works, so your site is extremely likely to be running unsafe code. Is it a WordPress vulnerability? Yes! WordPress introduced is_admin as a function for themes and plugins despite warnings from the community that the name would confuse developers. They didn’t care or try to patch it. A vulnerability is a weakness, so by that definition, yes, WordPress created a weakness that impacts most sites. It’s worth noting that WordPress considered a note in the documentation that the function is insecure to be a good enough safety measure; unfortunately, that isn’t the case.

How can WordPress plugin and theme developers make things only for admins?

Our favorite method to secure WordPress administrator-only code is to use WordPress roles and capabilities. Roles and capabilities break down who can access what. Our favorite function for this is current_user_can. One capability exclusive to administrators is manage_options. If you write if ( current_user_can( "manage_options" ) ), only an administrator can reach the code inside that block.

If you want your code to be as bullet-proof as possible, an even stronger version is listed below.

if ( current_user_can( "manage_options" ) && is_user_logged_in() ) {
    // write your code here
}

We handle people who don’t match the condition by using the exclamation mark. In PHP the exclamation mark means “not”. So with if ( !current_user_can( "manage_options" ) && !is_user_logged_in() ) you can assign a different level of access to visitors who aren’t admins and aren’t logged in. To tell them to leave, put die( "You don't have access to this area." ); inside that if block.

If you want a different level of access for logged-in users who aren’t admins, write if ( !current_user_can( "manage_options" ) && is_user_logged_in() ). That branch covers users who are logged in but are not administrators.

What if I adopted an old plugin that uses is_admin and I don’t want to re-write the entire thing?

You can fix this without a rewrite: change the check to if ( current_user_can( "manage_options" ) && is_admin() ) and now only administrators can reach the code. Be aware that this can affect users negatively if the page previously let non-administrators in.
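The following is an added example, not code from the original post, showing the three patterns above side by side in one small plugin: a handler gated only by is_admin(), the same handler gated by current_user_can() with the separate not-logged-in and logged-in-but-not-admin branches, and the retrofit for inherited code. The hook and option names (example_save_settings, example_api_key, example_export) are hypothetical. The post does not name which administrator-side pages are reachable without logging in; admin-ajax.php is one such page in WordPress core, where is_admin() returns true and admin_init fires for every request, including anonymous ones.

```php
<?php
// Added example (not from the original post). Hook, action and option names
// are hypothetical; the WordPress functions used are real core functions.

// 1. VULNERABLE: the author trusts is_admin() as an authorization check.
//    admin-ajax.php defines WP_ADMIN, so is_admin() is true for every request
//    it serves, and the wp_ajax_nopriv_ hook runs for visitors who are not
//    logged in at all. Anyone can overwrite the option.
add_action( 'wp_ajax_nopriv_example_save_settings', 'example_save_settings_unsafe' );
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_unsafe' );
function example_save_settings_unsafe() {
    if ( is_admin() ) { // true on admin-ajax.php regardless of who is asking
        update_option( 'example_api_key', $_POST['api_key'] ); // unauthenticated, unsanitized write
        wp_send_json_success();
    }
    wp_send_json_error( 'not an admin page', 403 );
}

// 2. HARDENED: gate on the manage_options capability, with the post's three
//    branches (not logged in / logged in but not admin / admin). No
//    wp_ajax_nopriv_ hook is registered, so anonymous requests never arrive here.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_safe' );
function example_save_settings_safe() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'You must be logged in.', 'Forbidden', array( 'response' => 403 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        // Logged in, but not an administrator.
        wp_die( "You don't have access to this area.", 'Forbidden', array( 'response' => 403 ) );
    }
    // Administrators can still be tricked into sending this request, so also
    // require a nonce (check_ajax_referer dies with 403 on failure).
    check_ajax_referer( 'example_save_settings' );
    $key = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    update_option( 'example_api_key', $key );
    wp_send_json_success();
}

// 3. RETROFIT for an inherited plugin: keep the existing is_admin() test but AND
//    it with the capability check, as the post suggests. admin_init also fires
//    during admin-ajax.php requests, so is_admin() alone would not gate this.
add_action( 'admin_init', 'example_legacy_export' );
function example_legacy_export() {
    if ( ! isset( $_GET['example_export'] ) ) {
        return;
    }
    if ( ! ( current_user_can( 'manage_options' ) && is_admin() ) ) {
        return; // previously: if ( ! is_admin() ) return;
    }
    check_admin_referer( 'example_export' ); // nonce for the GET link
    header( 'Content-Type: application/json' );
    echo wp_json_encode( array( 'api_key' => get_option( 'example_api_key' ) ) );
    exit;
}
```

When testing a fix like this, send the same request to admin-ajax.php once with no cookies, once as a Subscriber and once as an Administrator: only the last should change the option, and the first two should return 403.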

Does this mean never to use is_admin()?

is_admin can be used to say “this is an administrator page”, but unless you add the security measures listed above, you’re risking a security breach. Some argue, accurately, that is_admin is safe if the code behind it is something no one can interact with. The problem with this argument is that most people do not know exactly what visitors can and cannot interact with, so the best technique is to always secure anything on the admin side.

In conclusion, it is better to always use the strongest security methods, because you never know how your code will change years down the road, or whether it is already vulnerable.
