@raamdev
Last active March 9, 2016 18:40
Testing WordPress Access Control using an MU Plugin

WARNING - MU plugin file for testing purposes only.

If you don't want to use the plugin and would rather use a coded solution, the following can be done for testing purposes. We highly recommend using a plugin like User Switching over this method: the plugin approach is likely to offer better security, and it will be easier for most people.

Must-use plugins (a.k.a. mu-plugins) are plugins installed in a special directory inside the content folder and which are automatically enabled on all sites in the installation. Must-use plugins do not show in the default list of plugins on the Plugins page of wp-admin – although they do appear in a special Must-Use section – and cannot be disabled except by removing the plugin file from the must-use directory, which is found in wp-content/mu-plugins by default.

See: http://codex.wordpress.org/Must_Use_Plugins

Create this directory and file: wp-content/mu-plugins/s2-login-links.php

If you don't have an /mu-plugins/ directory, please create it. These are must-use (MU) plugins, which WordPress loads automatically.

<?php
// Runs on wp-login.php just before the 'login' action is processed.
add_action('login_form_login', function () {
    // Only act on a non-POST request that carries both credentials in the query string.
    if (strcasecmp($_SERVER['REQUEST_METHOD'], 'POST') !== 0
        && !empty($_GET['log']) && !empty($_GET['pwd'])) {
        // Copy the query-string credentials into $_POST, where wp_signon() reads them,
        // and make the request look like a form submission.
        $_POST['log'] = $_GET['log'];
        $_POST['pwd'] = $_GET['pwd'];
        $_SERVER['REQUEST_METHOD'] = 'POST';
        // Remove the plain-text credentials from $_GET so nothing else reads them.
        unset($_GET['log'], $_GET['pwd']);
    }
});

Now you can create links like the following, which will log you in automatically. You might save these as bookmarks in your favorite web browser to make switching between test accounts easy. Note that log is the username and pwd is the password.

http://www.example.com/wp-login.php?log=subscriber&pwd=pass
http://www.example.com/wp-login.php?log=level1&pwd=pass
http://www.example.com/wp-login.php?log=level2&pwd=pass
http://www.example.com/wp-login.php?log=level3&pwd=pass
http://www.example.com/wp-login.php?log=level4&pwd=pass

It is also possible to specify a particular URL that you want to be redirected to upon logging in. This is accomplished with the redirect_to variable, as seen below.

http://www.example.com/wp-login.php?log=level1&pwd=password&redirect_to=http://www.example.com/profile/

Or, you can provide only the URI instead of the full URL:

http://www.example.com/wp-login.php?log=level1&pwd=password&redirect_to=/profile/

WARNING: I strongly suggest that you remove the s2-login-links.php plugin file once your site goes live. While we're not aware of any major security issues with this plugin, it DOES modify the default WordPress® login system, and you are making it possible for plain text passwords to be passed through the query string of a URL. Remove this file once you're ready for the show :-)
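As an added example (not part of the gist), here is a hardened variant of the same shim that refuses to act unless it has been explicitly switched on and the site is not in production. It assumes a constant named S2_LOGIN_LINKS_ENABLED that the tester defines in wp-config.php, and uses wp_get_environment_type(), which exists in WordPress 5.5 and later.

```php
<?php
// Hardened variant of s2-login-links.php (added example, not the gist's own code).
// Assumes the tester has added  define('S2_LOGIN_LINKS_ENABLED', true);  to wp-config.php.
add_action('login_form_login', function () {
    // 1. Do nothing unless the shim was deliberately enabled.
    if (!defined('S2_LOGIN_LINKS_ENABLED') || !S2_LOGIN_LINKS_ENABLED) {
        return;
    }
    // 2. Do nothing on staging or production (WordPress 5.5+ environment type).
    if (function_exists('wp_get_environment_type')
        && !in_array(wp_get_environment_type(), array('local', 'development'), true)) {
        return;
    }
    // 3. Only honour query-string credentials from the loopback address, so a
    //    leaked bookmark cannot be replayed from elsewhere. (Behind a reverse
    //    proxy REMOTE_ADDR is the proxy, so this check is for direct local use.)
    $remote = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    if (!in_array($remote, array('127.0.0.1', '::1'), true)) {
        return;
    }
    // 4. Same behaviour as the original shim, but leave a trace in the PHP error
    //    log so the helper is not forgotten when the site goes live.
    if (strcasecmp($_SERVER['REQUEST_METHOD'], 'POST') !== 0
        && !empty($_GET['log']) && !empty($_GET['pwd'])) {
        $_POST['log'] = $_GET['log'];
        $_POST['pwd'] = $_GET['pwd'];
        $_SERVER['REQUEST_METHOD'] = 'POST';
        unset($_GET['log'], $_GET['pwd']);
        error_log('s2-login-links: query-string login used for user ' . $_POST['log']);
    }
});
```

Even with these guards, the password still reaches the web server's access log as part of the request line, so deleting the file before launch remains the real fix.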
