WordPress Plugin Security: User Capabilities
One aspect of plugin security which we need to take notice when developing WordPress plugin is the user roles and their capabilities. WordPress can have many user and they can have specific roles with different capabilities.
The basic roles in WordPress area:
- Super Admin
Each of this roles have different capabilities which we restrict their actions in WordPress.
This restriction can be implemented in plugin by this function
This coupled with the user capabilites as the parameter can restrict functions only to be run by the coresponding users.
For example in basic WordPress installation only users which registered as Super Admin, Administrator, Editor or Author can publish post. If we restrict functions with
current_user_can( 'publish_posts' )
then Contributor and Subscriber will be restricted.
For the official explanation of 'current_user_can' function and more complete Roles and Capabilities mappings you can go to the references below.
User Roles and Capabilities (link)