@kloon kloon/functions.php
Last active Dec 29, 2018

WooCommerce add Delete Account button to My Account page. This is very dangerous functionality and can cause your whole WordPress installation to break.
<?php
// Delete Account Functionality
add_action( 'woocommerce_after_my_account', 'woo_delete_account_button' );
function woo_delete_account_button() {
    ?>
    <a href="<?php echo esc_url( add_query_arg( 'wc-api', 'wc-delete-account', home_url( '/' ) ) ); ?>" class="button">Delete Account</a>
    <?php
}

add_action( 'woocommerce_api_' . strtolower( 'wc-delete-account' ), 'woo_handle_account_delete' );
function woo_handle_account_delete() {
    // we do not want the admin to delete their account
    // advised to add more checks here to ensure you delete the correct account.
    if ( ! is_admin() ) {
        // Load wp_delete_user(); ABSPATH avoids depending on the current working directory.
        require_once ABSPATH . 'wp-admin/includes/user.php';
        wp_delete_user( get_current_user_id() );
    }
}
?>
@prepu

commented Apr 28, 2014

It is an interesting option but... What about creating a disable button for admins to disable user profile editing on the "my-account" page?

@icreatesolutions

commented Aug 30, 2017

There are a couple of issues with this.

  1. The check to see if a user is an admin is wrong. Your check, is_admin(), is to see whether we are currently in the back end of the site.
    This is a poorly named function, and a very common mistake.

  2. More importantly, this is very open to cross-site forgery attacks. Users can easily be sent a link that will delete their account once clicked.
    The solution to this is to add a nonce.

Here is an example fix:
<?php
// Delete Account Functionality
add_action( 'woocommerce_after_my_account', 'woo_delete_account_button' );
function woo_delete_account_button() {
    $delete_url = add_query_arg( 'wc-api', 'wc-delete-account', home_url( '/' ) );
    // Append a nonce bound to the 'wc_delete_user' action.
    $delete_url = wp_nonce_url( $delete_url, 'wc_delete_user' );
    ?>
    <a href="<?php echo $delete_url; ?>" class="button">Delete Account</a>
    <?php
}

add_action( 'woocommerce_api_' . strtolower( 'wc-delete-account' ), 'woo_handle_account_delete' );
function woo_handle_account_delete() {
    // Capability check instead of is_admin(): administrators are skipped.
    if ( ! current_user_can( 'manage_options' ) ) {
        // check_admin_referer() dies if the nonce is missing or invalid.
        $security_check_result = check_admin_referer( 'wc_delete_user' );
        if ( $security_check_result ) {
            // ABSPATH avoids depending on the current working directory.
            require_once ABSPATH . 'wp-admin/includes/user.php';
            wp_delete_user( get_current_user_id() );
            wp_redirect( home_url() );
            die();
        }
    }
}
?>
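
A variant of the nonce fix from the comment above, as an added example that is not part of the gist or of any comment: it submits the deletion by POST so the nonce never appears in a URL, and it rejects logged-out, forged and administrator requests with an explicit 403. The `example_`-prefixed function, action and field names and the `example-delete-account` endpoint are hypothetical.

```php
<?php
// Added example: every name prefixed "example_" / "example-" is hypothetical.

// Render a POST form instead of a link, so the nonce is sent in the request body.
add_action( 'woocommerce_after_my_account', 'example_delete_account_form' );
function example_delete_account_form() {
    $action_url = add_query_arg( 'wc-api', 'example-delete-account', home_url( '/' ) );
    ?>
    <form method="post" action="<?php echo esc_url( $action_url ); ?>">
        <?php wp_nonce_field( 'example_delete_account', 'example_delete_nonce' ); ?>
        <button type="submit" class="button">Delete Account</button>
    </form>
    <?php
}

add_action( 'woocommerce_api_example-delete-account', 'example_handle_account_delete' );
function example_handle_account_delete() {
    // Only a logged-in user submitting the form by POST may proceed.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || ! is_user_logged_in() ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }

    // The nonce is bound to the current user and session, so a request
    // triggered from another site cannot supply a valid one.
    $nonce = isset( $_POST['example_delete_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_delete_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'example_delete_account' ) ) {
        wp_die( 'Security check failed.', '', array( 'response' => 403 ) );
    }

    // Capability check (not is_admin()): administrators keep their accounts.
    if ( current_user_can( 'manage_options' ) ) {
        wp_die( 'Administrator accounts cannot be deleted here.', '', array( 'response' => 403 ) );
    }

    // wp_delete_user() lives in an admin include that front-end requests do not load.
    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( get_current_user_id() );
    wp_safe_redirect( home_url( '/' ) );
    exit;
}
```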
