DEV Community

Cover image for Solving WordPress Security: What If We Just Didn't Trust Admins?
Nick
Nick

Posted on

Solving WordPress Security: What If We Just Didn't Trust Admins?

#wordpress #security

The Problem: Your Clients Are Why You Can't Have Nice Things

Let me paint you a picture. It's 2:47 AM on a Saturday. Your phone buzzes. It's that client. You know the one. Subject line: "URGENT: SITE IS HACKED!!!"

You roll out of bed, fire up your laptop, and sure enough—the site is serving Viagra ads to Google. Again. This is the third time this quarter.

You know what happened. The same thing that always happens:

  1. Client demanded administrator access (they're paying you, after all!)
  2. Client used "admin123" as their password (despite your strongly worded email)
  3. Client clicked on a phishing link that looked totally legitimate
  4. Attacker logged in with those credentials (no alarms, everything looks normal)
  5. Attacker quietly installed a backdoor plugin called "Totally Legitimate SEO Booster Pro"
  6. Attacker came back later to wreak absolute havoc

Your brilliant solution of "please use a stronger password" hasn't worked for the last 47 times you've suggested it. Time for a different approach.

The Nuclear Option: What If Admin Credentials Were Useless?

Here's a radical thought experiment: What if an attacker could steal perfectly valid admin credentials and still couldn't do anything meaningful with them?

I'm not talking about 2FA or rate limiting or any of those sensible, well-adjusted security measures. I'm talking about the scorched-earth approach: Strip admin users of every dangerous capability, and make them go through YOU for everything.

Enter WP Fort Knox: a WordPress security plugin for the delightfully paranoid.

The Philosophy: Paranoia Is Just Good Planning

WP Fort Knox operates on a simple principle: If you can't trust your clients with their credentials (and you can't), don't give them the capabilities that matter.

What it blocks through wp-admin:

  • ❌ No plugin installation, updates, or deletions
  • ❌ No file editing (themes, plugins, anything)
  • ❌ No creating admin users
  • ❌ No promoting users to admin
  • ❌ The admin role doesn't even show up in dropdowns

What still works:

  • ✅ WP-CLI does everything (because YOU control WP-CLI)
  • ✅ Content management (they can still do their actual job)
  • ✅ User management (non-admin users)
  • ✅ Theme customization (that doesn't require file writes)

So when an attacker inevitably gets admin credentials, they log in and... can't do anything useful. No backdoor plugins. No malicious code injection. No new admin accounts to hide their tracks.

They're just sitting there with an admin login, unable to cause any real damage, probably questioning their life choices.

The Technical Bit: Runtime Filtering > Database Vandalism

Here's where it gets interesting for you developer types.

Version 1.0.0 (The Sledgehammer Era) actually deleted capabilities from the WordPress database. Effective? Sure. Reversible? Only if you enjoyed typing WP-CLI incantations at 3 AM. Disable the plugin and your admins were still crippled. Permanent consequences are so 2023.

Version 2.0.0 (The Velvet Rope Era) uses runtime filtering instead:

public function filter_user_capabilities($allcaps, $caps, $args, $user) {
    if ($this->is_disabled()) {
        return $allcaps;
    }

    // If this is a WP-CLI context, don't filter anything
    if (defined('WP_CLI') && WP_CLI) {
        return $allcaps;
    }

    // Remove dangerous capabilities at runtime
    $blocked_caps = [
        'install_plugins',
        'upload_plugins', 
        'update_plugins',
        'delete_plugins',
    ];

    foreach ($blocked_caps as $cap) {
        $allcaps[$cap] = false;
    }

    return $allcaps;
}
Enter fullscreen mode Exit fullscreen mode

The capabilities are still in the database, untouched. We just filter them out when WordPress checks them. Disable the plugin? Everything returns to normal automatically. No database restoration ceremonies required.

It's the same paranoia, but with fewer support tickets from yourself at 4 AM.

The Workflow: Command Line Master Race

Since everything file-related goes through WP-CLI now, here's your new life:

# Client: "Can you install this SEO plugin?"
wp plugin install wordpress-seo --activate

# Client: "I need admin access for my nephew who 'knows computers'"
wp user create nephew nephew@example.com --role=editor
# (Notice we gave him Editor, not Administrator. Oops.)

# Client: "Can you update everything?"
wp plugin update --all
wp theme update --all  
wp core update

# Client: "I can't do anything anymore!"
# You: "Working as intended 😌"
Enter fullscreen mode Exit fullscreen mode

The Leverage Play (The Quiet Part Out Loud)

Look, I'm not saying this is the reason to use this plugin, but it's certainly an added bonus: clients who mysteriously forget to pay their hosting bills also mysteriously can't maintain their own sites without you.

No payment? No updates. Updates piling up? Security vulnerabilities stacking up. Site getting slow? Can't install that caching plugin themselves.

Hard to leave your service provider without paying when you literally can't manage your own site. Just saying.

(This is a joke. Mostly. Deploy responsibly. Maybe.)

Installation: Must-Use Plugins Only

This lives in wp-content/mu-plugins/ because putting it in regular plugins would be like installing a lock inside the house. Defeats the whole purpose.

# The civilized way (WP-CLI)
wp eval '
$mu_dir = WP_CONTENT_DIR . "/mu-plugins";
if (!is_dir($mu_dir)) { mkdir($mu_dir, 0755, true); }
file_put_contents(
    $mu_dir . "/wp-fort-knox.php",
    file_get_contents("https://raw.githubusercontent.com/ngalatis/wp-fort-knox/v2.0.0/wp-fort-knox.php")
);
echo "WP Fort Knox installed. Paranoia activated.\n";
'

# Verify it's working
wp eval 'var_dump(class_exists("WP_Fort_Knox"));'
# Should output: bool(true)
Enter fullscreen mode Exit fullscreen mode

Who Is This For?

This plugin is NOT for everyone. It's for:

  • Developers managing client sites who are tired of 3 AM emergencies
  • Agencies who've cleaned up malware one too many times
  • Anyone who's had "the site is hacked" call interrupt a Friday night
  • Paranoid sysadmins (the best kind)
  • People who've accepted that clients cannot be trusted with power

Who Is This NOT For?

  • Casual WordPress users who just want a blog
  • Anyone without SSH access and WP-CLI proficiency
  • People who think "admin123" is a perfectly good password
  • Sites with responsible, security-conscious clients (do those exist?)

The Trade-Off

Yes, this is aggressive. Yes, your clients will complain they can't install that "FREE SEO BOOSTER 10000" plugin anymore. Yes, you become a bottleneck for updates.

But you know what you won't be? Up at 3 AM cleaning malware. Again.

The plugin is open source (WTFPL license—seriously), battle-tested on 100+ production WordPress installs, and aggressively maintained because I got tired of cleaning up hacked sites.

Same paranoia. Better execution. Zero regrets.

Get It

GitHub: ngalatis/wp-fort-knox

Requirements:

  • SSH/SFTP access
  • WP-CLI installed and working
  • A healthy distrust of humanity
  • The ability to ignore client complaints about "restrictive security"

Install it. Lock it down. Sleep peacefully.

Because paranoia is just good planning.

Have you dealt with a similar situation? What's your most creative solution to the "clients with admin credentials" problem? Drop a comment below. Bonus points if it involves running all WordPress admin through a Discord bot.

Top comments (0)