WP Sudo adds action-gated reauthentication to WordPress so high-risk operations require fresh confirmation before they proceed.
Status: exploratory plugin, not yet production-ready. See docs/release-status.md for current stable-vs-main status and tests/MANUAL-TESTING.md if you want to help evaluate it.
WordPress has roles, capabilities, and authentication, but it has no native way to say:
this action is consequential enough that a valid session alone should not be enough.
WP Sudo adds that missing layer on the covered paths it intercepts.
It is designed to reduce risk when an attacker has:
- a stolen browser session cookie,
- access to an unattended authenticated browser,
- or a delegated request path that reaches a high-impact operation.
On those covered paths, a valid session without an active sudo window is not enough.
WP Sudo currently gates built-in operations across categories such as:
- plugin and theme management,
- user creation, deletion, and role changes,
- file editor access,
- critical option changes,
- WordPress core updates,
- export flows,
- WP Sudo settings themselves,
- selected Multisite network actions,
- and connector credential writes saved through the REST settings endpoint.
For the canonical current rule totals and surface counts, see docs/current-metrics.md.
For wp-admin flows, WP Sudo redirects the user to a challenge screen. After successful reauthentication, the original request can continue.
Other covered request paths, which cannot be redirected to a challenge screen, receive a sudo_required error instead of silently proceeding.
WP Sudo supports configurable policies for:
- WP-CLI
- Cron
- XML-RPC
- REST Application Passwords
- WPGraphQL (when active)
Each surface can be set to Disabled, Limited, or Unrestricted.
WP Sudo is deliberately narrow. It is not:
- a replacement for WordPress capabilities,
- a firewall or exploit detector,
- a fix for arbitrary broken access control inside third-party plugin code,
- or a sandbox for malicious in-process code.
It is strongest when an attacker has a valid session but does not have an active sudo window and must cross one of the plugin's covered action paths.
Active sudo is per browser session, not site-wide.
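The redirect-versus-error behaviour, the per-surface policies and the per-session window described above, as an added illustration in PHP that is not WP Sudo's own code or API; the class and method names, the surface keys, and the reading of Disabled (surface refused outright) versus Limited (only covered actions refused) are assumptions.

```php
<?php
// Added illustration of the gate described above: a hypothetical stand-alone
// model, not WP Sudo's own code or API. Names and the exact meaning of the
// Disabled/Limited policies are assumptions.
final class SudoGateModel
{
    /** @var array<string,int> session id => unix time at which its sudo window ends */
    private array $windows = [];
    public function __construct(
        private array $coveredActions,   // e.g. ['activate_plugin', 'delete_user']
        private array $surfacePolicies,  // surface => Disabled | Limited | Unrestricted
        private int $sessionSeconds      // session duration chosen in Settings
    ) {}
    /** Reauthentication succeeded: open a window for this browser session only. */
    public function openWindow(string $sessionId, int $now): void
    {
        $this->windows[$sessionId] = $now + $this->sessionSeconds;
    }

    public function hasActiveWindow(string $sessionId, int $now): bool
    {
        return isset($this->windows[$sessionId]) && $this->windows[$sessionId] > $now;
    }

    /** Returns allow | challenge (redirect to reauth) | sudo_required | surface_disabled. */
    public function decide(string $action, string $surface, string $sessionId, int $now): string
    {
        $covered = in_array($action, $this->coveredActions, true);
        if ($surface === 'wp-admin') {
            // Interactive flow: uncovered actions pass, covered ones need an active window.
            return (!$covered || $this->hasActiveWindow($sessionId, $now)) ? 'allow' : 'challenge';
        }
        // Non-interactive surfaces cannot be redirected, so the surface policy decides.
        $policy = $this->surfacePolicies[$surface] ?? 'Disabled';
        if ($policy === 'Disabled') {
            return 'surface_disabled';
        }
        return ($policy === 'Unrestricted' || !$covered) ? 'allow' : 'sudo_required';
    }
}

// Constructed walkthrough: a session cookie reaching covered actions without a window.
$gate = new SudoGateModel(['activate_plugin', 'delete_user'],
    ['rest-app-password' => 'Limited', 'wp-cli' => 'Unrestricted', 'xml-rpc' => 'Disabled'], 900);
$t = 1_700_000_000;
echo $gate->decide('activate_plugin', 'wp-admin', 'sess-A', $t), "\n";       // no window yet
$gate->openWindow('sess-A', $t);
echo $gate->decide('activate_plugin', 'wp-admin', 'sess-A', $t + 60), "\n";  // inside window
echo $gate->decide('activate_plugin', 'wp-admin', 'sess-B', $t + 60), "\n";  // other session
echo $gate->decide('activate_plugin', 'wp-admin', 'sess-A', $t + 901), "\n"; // window expired
echo $gate->decide('delete_user', 'rest-app-password', 'sess-A', $t), "\n";  // Limited surface
echo $gate->decide('delete_user', 'xml-rpc', 'sess-A', $t), "\n";            // Disabled surface
```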
- WordPress: 6.2+
- PHP: 8.0+
- Multisite: supported
For current release posture, supported lanes, and forward main notes, see docs/release-status.md.
- Install and activate WP Sudo.
- Go to Settings → Sudo.
- Choose a session duration.
- Review the default policies for non-interactive surfaces.
- Optionally install the bundled mu-plugin loader from the settings page for earlier hook registration.
- Test a covered action such as plugin activation or a protected settings change.
- Two Factor – strongly recommended for password + second-factor challenge flows.
- WP Activity Log or Stream – recommended if you want audit visibility from WP Sudo's action hooks.
- docs/security-model.md – threat model, boundaries, and environmental assumptions
- docs/FAQ.md – practical questions and operational caveats
- docs/release-status.md – current stable release state and forward-lane posture
- docs/developer-reference.md – hooks, filters, custom rule structure, and integration API details
- docs/two-factor-integration.md – Two Factor integration behavior
- docs/connectors-api-reference.md – connector credential gating notes
- docs/ai-agentic-guidance.md – AI and agent tooling guidance
- tests/MANUAL-TESTING.md – manual verification procedures
- docs/current-metrics.md – canonical current counts and architectural facts
- docs/ROADMAP.md – roadmap and backlog
- CHANGELOG.md – release history
- docs/sudo-architecture-comparison-matrix.md – comparison with other sudo/reauth approaches
- docs/abilities-api-assessment.md – WordPress Abilities API assessment
- docs/core-action-gate-proposal.md – longer-form core proposal and design thinking
- docs/llm-lies-log.md – verification discipline and past documentation failures
Quick local checks:

```shell
composer install
composer test:unit
composer lint
composer analyse
```

For full setup, integration tests, E2E workflows, and contributor expectations, see CONTRIBUTING.md.
License: GPL-2.0-or-later.