
A WordPress Skeleton Key

Posted: October 29th, 2009 | Author: Jerod | Filed under: Projects, WordPress | Comments

File this one under “scratching my own itch”.

A Problem

I often use WordPress as a CMS and have a couple of sites with many users contributing. I rarely go a week without an email or phone call from a user who needs help posting. When it comes to remote support there is no substitute for seeing what they’re seeing.

However, if you want to log in to the site with their user account, you have to either ask for their password (tacky & insecure) or reset their password temporarily (amateurish & annoying).

A Solution


Say goodbye to the days of tacky, amateurish, insecure & annoying. The Skeleton Key plugin allows WordPress administrators (level 10 users) to log in to the site as any user by authenticating with the user’s login and their own (administrator) password. Once logged in, you are that user. Handy, huh?

***UPDATE***
The plugin has already gotten some TLC and it is now more performant and secure. We are now requiring admins to log in with their own login followed by a “+” followed by the user’s login. This will cut down on the chances of people guessing administrative passwords. In a weird, corny way the “+” is your digital skeleton key… so to log in as user “joeblow” as an admin I would provide:

username = admin+joeblow
password = [the admin's password]
/***UPDATE***

An Explanation

This plugin is dead simple. It hooks into WordPress’ authentication chain using 2.8’s new ‘authenticate’ hook. The Skeleton Key’s function sets its priority higher than the built-in authentication functions and checks the supplied password against the database record of the admin account named before the “+”. If the check fails, it returns an error and the next function in the chain is called (like normal). If it matches, the Skeleton Key hands back the user account tied to the login after the “+” and you’re good to go.

The source is on GitHub, like usual. Feel free to grok it & provide feedback if interested.
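
The flow described in the explanation above, written out as an added example; this is not the Skeleton Key plugin's source. The function name `sk_example_authenticate`, the error code and the log format are hypothetical, and the example makes three choices of its own: it tests for administrators with the `manage_options` capability where the post says level 10, it passes a failed check through to the built-in functions instead of returning an error itself, and it writes an audit line for every impersonated login.

```php
<?php
// Added illustration, not the Skeleton Key plugin's own code.
// Hypothetical names: sk_example_authenticate, sk_example_no_target, the log format.

// Priority 10 runs before core's username/password check (priority 20).
add_filter( 'authenticate', 'sk_example_authenticate', 10, 3 );

function sk_example_authenticate( $user, $username, $password ) {
    // Already authenticated by an earlier callback, or nothing to parse.
    if ( $user instanceof WP_User || ! is_string( $username ) || '' === (string) $password ) {
        return $user;
    }
    // Only the "admin+target" form is handled; everything else passes through.
    $parts = explode( '+', $username, 2 );
    if ( 2 !== count( $parts ) || '' === $parts[0] || '' === $parts[1] ) {
        return $user;
    }
    // If a real account has this literal login, leave it to normal authentication.
    if ( get_user_by( 'login', $username ) ) {
        return $user;
    }
    list( $admin_login, $target_login ) = $parts;
    $admin  = get_user_by( 'login', $admin_login );
    $target = get_user_by( 'login', $target_login );

    // The named admin must exist, hold an administrator capability,
    // and the supplied password must match the admin's stored hash.
    if ( ! $admin
        || ! user_can( $admin, 'manage_options' )
        || ! wp_check_password( $password, $admin->user_pass, $admin->ID ) ) {
        return $user; // Fall through; the built-in checks then reject the login.
    }
    if ( ! $target ) {
        return new WP_Error( 'sk_example_no_target', 'Unknown target user.' );
    }
    // Record who became whom so every impersonated session is auditable.
    error_log( sprintf(
        'skeleton-key-example: admin "%s" (ID %d) logged in as "%s" (ID %d) from %s',
        $admin->user_login, $admin->ID, $target->user_login, $target->ID,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    return $target;
}
```

Because the returned account is the target's, WordPress itself treats the session as that user; the `error_log` line is the only place the administrator's identity is kept.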


  • Nice and informative post. Something cool to learn. Thanks for sharing this nice post.
  • scribu
    Have you tried the User Switching plugin? It does the same thing, basically.
  • No I had never heard of it. I always search for existing plugins that provide solutions for my needs before I write my own, but this one didn't hit my radar.

    Oh well, I guess we have two options now ;)
  • So, what if two admins have the same password? Or... does it not matter because regardless they are an admin?
  • Yah, two admins with same password shouldn't cause any problems because the first one to match will simply return the desired user account and let you pass.

    Now, this plugin really does let admins login as ANYBODY, including other admins. If you don't trust your admin users, don't use this plugin. Or better yet, don't let them be admins ;)