Description
This plugin prevents unauthorized admin users from damaging or compromising your website.
A common technique for hackers is to exploit vulnerabilities in your plugins or theme and try to create an unauthorized admin user for themselves. Once they have admin access they can do whatever they want to your website. They can deface it, display inappropriate content, or carry out many other malicious acts.
Restricted User Activity adds an extra step to the process of allowing Admin users to perform actions on your website. It achieves this by explicitly specifying valid Admin user ids in the wp-config.php file. Even if a hacker was able to create an Admin user for themselves, they won’t be able to perform any actions since their user id would not be in the valid user list.
Note: This plugin requires some technical knowledge about how the WordPress wp-config.php file works and basic PHP coding. A single line of code needs to be added to the wp-config.php file.
Installation
- Note the user ids of authorized Admin users
- Modify the wp-config.php file and add the RESTRICTED_USER_ACTIVITY_ADMIN_ALLOW_LIST constant with an appropriate array value of verified Admin users. For example,
define( 'RESTRICTED_USER_ACTIVITY_ADMIN_ALLOW_LIST', array( 5, 1, 13 ) );
- It is recommended to move the plugin to the mu-plugins folder to prevent malicious scripts from trying to deactivate Restricted User Activity in an attempt to bypass this security measure
- Once the RESTRICTED_USER_ACTIVITY_ADMIN_ALLOW_LIST constant has been properly set, the admin notices will disappear and the additional verification will be active
FAQ
-
Help, I have locked myself out of my website admin. How do I fix this?
-
There are a few ways of resolving this scenario:
- Disable plugin: From the web server file system, if you rename the plugin to something like ‘restricted-user-activity_off’ WordPress won’t recognize the plugin as being installed and won’t run the plugin.
- Remove variable: If you remove or comment out the ‘RESTRICTED_USER_ACTIVITY_ADMIN_ALLOW_LIST’ constant from wp-config.php you will be able to log in.
- Add your user id: If you know your user id, you can add it to the ‘RESTRICTED_USER_ACTIVITY_ADMIN_ALLOW_LIST’ constant in wp-config.php
- Ask another admin: You can ask another verified admin to disable the plugin
-
This seems like this would be a great plugin for every WordPress website. Are there any downsides to using this plugin?
-
This plugin does require manual management of the user id list in wp-config.php. It also requires some basic technical knowledge of how to modify the wp-config.php file.
However, most websites only have a few admins and new admins are created infrequently. The extra management involved to provide additional security here will be minimally inconvenient in almost all cases.
-
Does this plugin allow me to create admin users directly from the wp-config.php file?
-
No, this just provides an extra step for verification. User ids of non-existent users or of non-admins will have no effect on the functionality.
-
Why aren’t there any admin controls to manage the admin allow list?
-
It is intended that users of this plugin have an appropriate level of technical knowledge, or work with someone (a web agency, freelancer, or internal IT department) who has it. An admin page that allowed non-technical users to manage the list could create situations where they lock themselves or other admins out of the website.
The plugin already requires the technical ability and knowledge to modify the wp-config.php file in the first place (just a single additional line is needed).
-
Where can I find the User IDs of my website’s valid Admin users?
-
On the user list (/wp-admin/users.php) in the admin, you will see a new column in the user table indicating each user’s id.
-
How do I get the admin notice to disappear?
-
- The admin notice will appear until it detects the ‘RESTRICTED_USER_ACTIVITY_ADMIN_ALLOW_LIST’ constant has been defined in the wp-config.php file with proper values.
- If you are not interested or unable to set up Restricted User Activity, you can deactivate the plugin and the admin notices will disappear
-
How can I edit my wp-config.php file to create the ‘RESTRICTED_USER_ACTIVITY_ADMIN_ALLOW_LIST’ constant?
-
Refer to documentation or support from your website hosting company to learn how this works.
-
Can you give an example of what the RESTRICTED_USER_ACTIVITY_ADMIN_ALLOW_LIST constant should look like?
-
define( 'RESTRICTED_USER_ACTIVITY_ADMIN_ALLOW_LIST', array( 5, 1, 13 ) );
Replace the array of admin user ids with the ids appropriate for your website.
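Because the allow list is maintained by hand, it helps to compare it against the site's actual administrator accounts from time to time. The script below is an added example, not part of the plugin; the function name rua_audit_allow_list and the sample ids used outside WordPress are assumptions made for illustration.

```php
<?php
// Added example (not the plugin's code): compare administrator accounts
// with the RESTRICTED_USER_ACTIVITY_ADMIN_ALLOW_LIST constant.

/**
 * @param array $admin_ids  Ids of users that hold the administrator role.
 * @param mixed $allow_list Value of the constant, or null when it is undefined.
 * @return array Audit result (hypothetical structure for this example).
 */
function rua_audit_allow_list( array $admin_ids, $allow_list ) {
    if ( ! is_array( $allow_list ) ) {
        // Constant missing or not an array: nothing to compare against.
        return array( 'configured' => false, 'unlisted_admins' => array(), 'stale_entries' => array() );
    }
    $admin_ids  = array_map( 'intval', $admin_ids );
    $allow_list = array_map( 'intval', $allow_list );
    return array(
        'configured'      => true,
        // Admin accounts missing from the list: a legitimate admin who still
        // needs adding, or an account nobody authorized.
        'unlisted_admins' => array_values( array_diff( $admin_ids, $allow_list ) ),
        // Listed ids that are not admins (per the FAQ these have no effect).
        'stale_entries'   => array_values( array_diff( $allow_list, $admin_ids ) ),
    );
}

if ( function_exists( 'get_users' ) ) {
    // Running inside WordPress: use the real accounts and the real constant.
    $admin_ids  = get_users( array( 'role' => 'administrator', 'fields' => 'ID' ) );
    $allow_list = defined( 'RESTRICTED_USER_ACTIVITY_ADMIN_ALLOW_LIST' )
        ? RESTRICTED_USER_ACTIVITY_ADMIN_ALLOW_LIST
        : null;
} else {
    // Constructed sample data so the script also runs without WordPress.
    $admin_ids  = array( 1, 5, 42 );
    $allow_list = array( 5, 1, 13 );
}

$report = rua_audit_allow_list( $admin_ids, $allow_list );
if ( ! $report['configured'] ) {
    echo "RESTRICTED_USER_ACTIVITY_ADMIN_ALLOW_LIST is not defined as an array.\n";
} else {
    echo 'Admins not on the allow list: ' . implode( ', ', $report['unlisted_admins'] ) . "\n";
    echo 'Allow-list ids that are not admins: ' . implode( ', ', $report['stale_entries'] ) . "\n";
}
```

On a site with WP-CLI installed, the file can be run against the live user table with `wp eval-file`; run with plain `php` it uses the constructed sample ids.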
Reviews
There are no reviews for this plugin.
Contributors & Developers
“Restricted User Activity” is open source software.
Changelog
1.0.0
- Initial release



