A Problem

I often use WordPress as a CMS and have a couple of sites with many users contributing. I rarely go a week without an email or phone call from a user who needs help posting. When it comes to remote support there is no substitute for seeing what they’re seeing.

However, if you want to login to the site with their user account you have to either ask for their password (tacky & insecure) or reset their password temporarily (amateurish & annoying).

A Solution

Say goodbye to the days of tacky, amateurish, insecure & annoying. The Skeleton Key plugin allows WordPress administrators (level 10 users) to login to the site as any user by authenticating with the user’s login and their own (administrator) password. Once logged in, you are that user. Handy, huh?

***UPDATE***
The plugin has already gotten some TLC and it is now more performant and secure. We are now requiring admins to login with their own login followed by a “+” followed by the user’s login. This will cut down on the chances of people guessing administrative passwords. In a weird, corny way the “+” is your digital skeleton key… so to login as user “joeblow” as an admin I would provide:

username = admin+joeblow
password = [the admin's password]
/***UPDATE***

An Explanation

This plugin is dead simple. It hooks into WordPress’ authentication chain using 2.8′s new ‘authenticate‘ hook. The Skeleton Key’s function sets its priority higher than the built-in authentication functions and checks the password against the admin account provided before the “+” in the database. If the check fails it returns an error and the next function in the chain is called (like normal). If it matches, the Skeleton Key hands back the user account tied to the login and you’re good to go.

The source is on GitHub, like usual. Feel free to grok it & provide feedback if interested.

What’s New

1. Basic Security

Thanks to Apokalyptik, the back-end PHP scripts now require a shared secret from the console before executing any code. As he so eloquently described it:

As is the plugin is negligently insecure (but outstandingly cool and useful and I want this plugin to be installable, thus the patch)

Even though the increased security is a huge improvement from what we had before, I still wouldn’t run the plugin on production servers.

2. Tab-Completion

This is the biggest functional improvement to WPC by far. It was a feature that I wanted to release the plugin with initially, but it didn’t make the cut because I wanted to release early. The best thing about tab-completion is that it allows you to explore the PHP & WP environments in a very fulfilling way. If you haven’t tried the plugin with this feature, please give it a go.

3. Small Things

WPC now handles command history with more grace. Using the up-arrow puts the cursor at the end of input, you can’t walk off the end of the history buffer, and a few other improvements to the code quality.

Some Press

Thanks to Doug Neiner for giving WPC a solid review on the Fuel Your Coding blog, and for contributing to the project.

What’s Next

I’m not really sure.

I’ve considered adding in-console documentation for PHP & WP functions, but not sure if people would use it much. I also have a command-line version of the console which I could spit shine and include with the plugin, but that might not be too attractive either. Maybe the plugin is as good as done. Any ideas or suggestions?

Awesome!! Well, kinda.

The problem is that most plugin developers don’t include release notes with each version, rendering the awesomeness of no effect. For instance, I have no idea what I’m getting by upgrading the Google XML Sitemaps plugin. This is what you see after clicking the “View Version 3.1.4 Details” button:

The closest thing offered there is a link to the Changelog, which opens in a new tab/window. Totally lame. Check out the Changelog. It is filled with totally useful information. Make it accessible!

Slap your users in the face with reasons to upgrade!

Contrast that with what is displayed to potential upgraders (not sure if that’s even a word) of my WordPress Console plugin:

Two things to notice:

1. WordPress provides a special tab called Changelog that will be loaded right inside this window by adding a Changelog section to your plugin’s readme.txt. USE IT!! (more readme info)
2. For some people, even clicking the Changelog tab is asking too much of them. Including what’s new since the last release of your plugin right in the description is a big win for everybody involved.

There are many plugins that handle this just fine, but many more that do not. My hope is that other WordPress plugin developers will adopt this practice, to the benefit of their users and the community as a whole.

I love Ruby and Rails, but being a contract developer means I go where the money is and recently that has been in WordPress plugin development. I enjoy developing for WordPress, but I’ve been spoiled by Rails and I often long for an interactive console for WordPress.

As a result, I’ve been developing (and using) a WordPress plugin built for WordPress developers. It provides an in-browser console where you can “play” with the code you’re working on.

If a picture is worth 1,000 words, this screencast will be worth at least a bazillion of ‘em:

So there you have it. It is currently version 0.1.0 (very young) and I would love some help to make it even more awesome. The source code is hosted on GitHub, so please fork away and I’d be happy to merge in your changes.

Or, simply go download the plugin and try it.

*NOTE*
In developing this plugin, I leaned on a few other open-source projects for inspiration (and in some cases, code). They are:

• PHP_Shell
• htsh

I thank the authors for opening their source.

WordPress 2.7′s dashboard is a huge improvement over previous versions, but when you’re running a site with many users sometimes you just want to simplify things. Enter Clean WP Dashboard.

This plugin adds a simple administration page called “Dashboard Settings” which allows you to select/de-select which of the default WordPress widgets are available on the dashboard.

Source code is on my GitHub account, as usual.