16 May

Security Tip for Developers: Make Sure To Check a User’s Capabilities When Processing an Admin AJAX Request

One common cause of security issues in WordPress plugins that we continue to see is a failure to properly check whether a user should be able to use the admin AJAX functions they are sending requests to. Since the wp_ajax_ hook makes the AJAX function accessible to any logged-in user, without checking their capabilities even a Subscriber-level user can access functions meant only for Administrators.

In most cases you will also want to make sure you are protecting against cross-site request forgery (CSRF) in those AJAX requests.

13 May

Security Tip for Developers: The is_admin() Function Doesn’t Tell You If Someone is an Administrator

One recurring cause of security issues in WordPress plugins is the misuse of the function is_admin(). Based on its name you might reasonably assume that it checks if someone is an Administrator-level user in WordPress, and that seems to have tripped up lots of plugin developers. In reality it just “checks if the Dashboard or the administration panel is attempting to be displayed”. It will also “return true when trying to make an ajax request (both front-end and back-end requests)”.

How to Actually Check if Someone is an Administrator

If you need to check if someone is an Administrator you have several options.

One option is to use the function is_super_admin(), which will:

Determine if user is a network (super) admin. Will also check if user is admin if network mode is disabled.

You can also use the function current_user_can(), which can be used to check the role of the user:


or you can check whether the user has a capability; usually the manage_options capability is checked:


Checking a capability has the advantage that it will still work even if someone is using non-standard roles in their WordPress installation.
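The two tips above (the is_admin() misuse and the missing capability and CSRF checks in admin AJAX handlers) as one added example; this is illustrative code written for this page, not code from either post. The plugin, its action name "example_delete_log", the option name and the nonce action are all hypothetical.

```php
<?php
// Added example for a hypothetical plugin; the action, option and nonce names are made up.

// VULNERABLE: is_admin() is true for every request to admin-ajax.php, so this
// check passes for any logged-in user, including a Subscriber.
function example_delete_log_insecure() {
    if ( ! is_admin() ) {
        wp_send_json_error( 'not allowed', 403 );
    }
    delete_option( 'example_plugin_log' );
    wp_send_json_success();
}

// HARDENED: verify the CSRF nonce first, then the caller's capability.
function example_delete_log_secure() {
    // check_ajax_referer() ends the request with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_delete_log_nonce', 'nonce' );

    // Check a capability rather than the 'administrator' role so that sites
    // using non-standard roles still get the right behaviour.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    delete_option( 'example_plugin_log' );
    wp_send_json_success();
}
// wp_ajax_ registers the handler for logged-in users only; wp_ajax_nopriv_
// would additionally expose it to anonymous visitors, which this action must not do.
add_action( 'wp_ajax_example_delete_log', 'example_delete_log_secure' );

// Hand the nonce and AJAX URL to the admin page's JavaScript so the request can carry them.
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_delete_log_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

The JavaScript side then POSTs `action=example_delete_log` together with `nonce=exampleAjax.nonce` to `exampleAjax.url`; a request lacking a valid nonce or coming from a user without manage_options is rejected before the option is touched.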