How to Easily Switch Between Users Securely in WordPress

WordPress looks very different to different people - even those using the same site. If you sign up as a subscriber with a WordPress account, you don't have the ability to write posts, modify plugins, change users etc. Those are all administrators' jobs. WordPress has a role-based system that allows us to assign sets of permissions to users. You can even create your own roles!

So when you're writing a plugin or making some important change to your site, it's important to know its impact on the end user. For its own internal mechanisms, WordPress respects roles quite nicely. But what if your plugin provides a feature that breaks that barrier, or leads to an error when the wrong user clicks on it? That's why it's so important to test out all your changes keeping various users in mind. Of course, we can do this by creating new users with each role, logging in as those users and checking. But that process is tedious, inefficient, and messy.

We Can't Just Log in as Existing Users

You might think that an obvious solution is to just log in as another pre-existing user. But that won't work because WordPress doesn't expose passwords in the database - even to the administrators. That's exactly how it should be. The passwords are stored in a hashed format, and only the hashes are compared. A hash is one-way, so the password can't be read back out of it, and we can't just log in as existing users either. So what's the solution? How can we test our changes, our theme, and our plugins with users of various capabilities in an easy manner? Luckily, we have a plugin for that!

Enter the User Switching Plugin

The "User Switching" plugin is a convenient way to switch between users securely in WordPress. After downloading and installing the plugin, you can access this functionality by visiting the "Users" menu on the left-hand side of the administration dashboard. This will show you a list of users on the system. For each of those users, we have a new "Switch To" option, as you can see in the screenshot below:

[Screenshot: Switch Between Users Securely]

If you click it, you're automatically given all the roles and permissions of that user, which replace your own. But don't panic! You can always switch back to your original user and permissions by clicking on the link at the top of the dashboard:

Now in this case, I'm impersonating a user with the "Subscriber" role and as expected, they have the bare minimum of permissions - they can only view their own profile:

Restricting User Switching Access

The best part about the User Switching plugin is that it only works for those who have permissions to edit users. Not just view them, but edit them. We can test this out. I first create a new role called "View Users", which gives permissions to view existing users - but not change them. I'd written an earlier tutorial on how to create new custom roles in WordPress if you want to know how I did it. Here's the code for creating the new role:

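function add_role_to_view_users() {
    // add_role() stores the role in the database and returns null if it already exists.
    $role_created = add_role(
        'view_users',
        __( 'View Users' ),
        array(
            'read'             => true,
            'edit_posts'       => true,
            'delete_posts'     => false,
            // The plugin capabilities below are broad; trim them for a role that only needs to view users.
            'activate_plugins' => true,
            'delete_plugins'   => true,
            'edit_plugins'     => true,
            'install_plugins'  => true,
            'list_users'       => true, // can view the user list; 'edit_users' is deliberately absent
            'update_plugins'   => true,
        )
    );
}
add_action( 'init', 'add_role_to_view_users' );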

You can see that I've assigned the "list_users" permission here. So I give this role to one of my existing dummy users:

After saving these changes, I switch to that user using the plugin. And as you can see below, they don't have the permission to switch to other users, since they can only view them and not edit them:

This way, all your permissions are secure. Someone who doesn't have the necessary permissions can't switch to another user, accidentally or otherwise. If you're developing WordPress plugins or themes, the "User Switching" plugin is a must-have for testing your interface with various permissions. Don't leave home without it!
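
To check which roles on a site fall on each side of the "edit users" rule described above, this added example (not from the original article and not the plugin's own code) groups roles by the `edit_users` and `list_users` capabilities. The function name `example_roles_by_user_caps` and the sample roles are hypothetical, and it assumes a single-site install where capabilities come from roles rather than per-user grants.

```php
<?php
// Added example: report which roles can switch users ('edit_users')
// and which can only see the user list ('list_users' without 'edit_users').

// $roles has the same shape as wp_roles()->roles:
// slug => array( 'name' => ..., 'capabilities' => array( cap => bool ) ).
function example_roles_by_user_caps( array $roles ) {
    $report = array( 'can_switch' => array(), 'list_only' => array() );
    foreach ( $roles as $slug => $role ) {
        $caps = isset( $role['capabilities'] ) ? $role['capabilities'] : array();
        // A capability stored as false counts as not granted.
        if ( ! empty( $caps['edit_users'] ) ) {
            $report['can_switch'][] = $slug;
        } elseif ( ! empty( $caps['list_users'] ) ) {
            $report['list_only'][] = $slug;
        }
    }
    return $report;
}

if ( function_exists( 'wp_roles' ) ) {
    // Inside WordPress: write the report to the PHP error log for an admin.
    add_action( 'admin_init', function () {
        if ( ! current_user_can( 'manage_options' ) ) {
            return;
        }
        $report = example_roles_by_user_caps( wp_roles()->roles );
        error_log( 'Roles that can switch users: ' . implode( ', ', $report['can_switch'] ) );
        error_log( 'Roles that can only list users: ' . implode( ', ', $report['list_only'] ) );
    } );
} else {
    // Outside WordPress: run against constructed sample roles.
    $sample = array(
        'administrator' => array(
            'name'         => 'Administrator',
            'capabilities' => array( 'list_users' => true, 'edit_users' => true ),
        ),
        'view_users'    => array(
            'name'         => 'View Users',
            'capabilities' => array( 'read' => true, 'list_users' => true ),
        ),
        'subscriber'    => array(
            'name'         => 'Subscriber',
            'capabilities' => array( 'read' => true ),
        ),
    );
    print_r( example_roles_by_user_caps( $sample ) );
}
```

Re-running the report after changing a role's capabilities shows whether a role has moved into the group that can switch users.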
