A WordPress Skeleton Key
Posted: October 29th, 2009 | Author: Jerod | Filed under: Projects, WordPress
File this one under “scratching my own itch”
A Problem
I often use WordPress as a CMS and have a couple of sites with many users contributing. I rarely go a week without an email or phone call from a user who needs help posting. When it comes to remote support there is no substitute for seeing what they’re seeing.
However, if you want to log in to the site with their user account you have to either ask for their password (tacky & insecure) or reset their password temporarily (amateurish & annoying).
A Solution

Say goodbye to the days of tacky, amateurish, insecure & annoying. The Skeleton Key plugin allows WordPress administrators (level 10 users) to log in to the site as any user by authenticating with the user’s login and their own (administrator) password. Once logged in, you are that user. Handy, huh?
***UPDATE***
The plugin has already gotten some TLC and it is now more performant and secure. We are now requiring admins to log in with their own login followed by a “+” followed by the user’s login. This will cut down on the chances of people guessing administrative passwords. In a weird, corny way the “+” is your digital skeleton key… so to log in as user “joeblow” as an admin I would provide:
username = admin+joeblow
password = [the admin's password]
/***UPDATE***
An Explanation
This plugin is dead simple. It hooks into WordPress’ authentication chain using 2.8’s new ‘authenticate’ hook. The Skeleton Key’s function sets its priority higher than the built-in authentication functions, so it runs first, and checks the supplied password against the stored password of the admin account named before the “+”. If the check fails it returns an error and the next function in the chain is called (like normal). If it matches, the Skeleton Key hands back the user account tied to the login after the “+” and you’re good to go.
The source is on GitHub, like usual. Feel free to grok it & provide feedback if interested.
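A self-contained Python model of the chain described under “An Explanation”, added here as an illustration; it is not the plugin's PHP source. The account names, passwords, the PBKDF2 stand-in for WordPress' password hashing, the priority numbers and the `AUDIT` list are assumptions of this example (the post does not say the plugin keeps such a record; it is included because an admin logging in as another user is an event worth recording).

```python
import hashlib
import hmac

def _hash(pw):
    # Stand-in for WordPress' own password hashing (assumption of this model).
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), b"constructed-salt", 1000)

# Constructed sample accounts: login -> (password hash, is_admin)
USERS = {"admin": (_hash("admin-pass"), True),
         "joeblow": (_hash("joe-pass"), False)}
AUDIT = []  # (admin, target) recorded for every impersonation (added here)

def _check(login, password):
    rec = USERS.get(login)
    return rec is not None and hmac.compare_digest(rec[0], _hash(password))

def skeleton_key(user, username, password):
    """Runs first; only acts on 'admin+target' logins."""
    admin, sep, target = username.partition("+")
    if not (sep and admin and target):
        return user  # ordinary login: leave it to the next handler
    is_admin = admin in USERS and USERS[admin][1]
    if not (is_admin and _check(admin, password) and target in USERS):
        return None  # check failed: the chain continues as normal
    AUDIT.append((admin, target))
    return target  # hand back the account named after the "+"

def password_login(user, username, password):
    """Model of the built-in username/password check."""
    if user is not None:
        return user  # an earlier handler already authenticated
    return username if _check(username, password) else None

# (priority, handler); lower number runs earlier, as with WordPress hooks
CHAIN = sorted([(20, password_login), (10, skeleton_key)], key=lambda h: h[0])

def authenticate(username, password):
    user = None
    for _, handler in CHAIN:
        user = handler(user, username, password)
    return user
```

A non-admin login before the “+” and a user's own login paired with the admin password both fall through to the ordinary check and are rejected there.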
So, what if two admins have the same password? Or… does it not matter because regardless they are an admin?
Yah, two admins with same password shouldn't cause any problems because the first one to match will simply return the desired user account and let you pass.
Now, this plugin really does let admins login as ANYBODY, including other admins. If you don't trust your admin users, don't use this plugin. Or better yet, don't let them be admins.
Have you tried the User Switching plugin? It does the same thing, basically.
No I had never heard of it. I always search for existing plugins that provide solutions for my needs before I write my own, but this one didn't hit my radar.
Oh well, I guess we have two options now
Nice and informative post. Something cool to learn. Thanks for sharing this nice post.
It will happen soon …
Thanks for this great plugin, I wrote a couple of comments on WP's plugin repo.
Beautiful! I have a WordPress help website and often need to go in to someone's account to add their email questions as forum posts. This makes that far, far easier. Thanks!
Wow – now that’s perspective! Please more like this!