One reoccurring cause of security issues in WordPress plugins is the misuse of the function is_admin(). Based on its name you might reasonably assume that it checks if someone is Administrator level user in WordPress and that seems to have tripped up lots of plugin developers. In reality it just “checks if the Dashboard or the administration panel is attempting to be displayed”. It will also “return true when trying to make an ajax request (both front-end and back-end requests)”.
How to Actually Check if Someone is an Administrator
If you need to check is someone is an Administrator you have several options.
One option is to use the function is_super_admin(), which will:
Determine if user is a network (super) admin. Will also check if user is admin if network mode is disabled.
You can also use the function current_user_can(), which can used to check the role of the user:
or you can check if user has a capability, usually a check for the manage_options capability is used:
Checking a capability has the advantage that it will still work even if someone is using a non-standard roles in their WordPress installation.