Watrix Login as User

Description

Watrix Login as User lets administrators sign in as any other user (impersonation) and return to their own account with a single click. It is useful for support requests, reproducing user-reported issues, debugging role and capability problems, and verifying the experience of subscribers, customers or editors without sharing passwords.

Key features:

  • Adds a “Switch to” row action on the Users screen (localised as “切り替え” in Japanese).
  • Adds a “Switch to %s” button on the user profile edit screen.
  • Displays a persistent red warning bar in both the admin and the front-end while an impersonation session is active.
  • The warning bar contains a one-click link back to the original administrator account.
  • Switching and switching-back are protected by nonces and a signed cookie (HMAC-SHA256, AUTH_KEY-derived) so the original user id cannot be forged.
  • A bounded audit log (latest 200 entries) is stored in a single options row.

Security model:

  • Only users who are administrators AND hold the manage_options capability can switch (manage_network_users on multisite).
  • The original (acting) user id is stored in a signed, Secure / HttpOnly / SameSite=Lax cookie.
  • Nonce verification, self-switch prevention and clean-up on user deletion are implemented.
  • If the AUTH_KEY salts required for signing are missing, the plugin fails closed and the feature is disabled.
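
The signed-cookie and fail-closed points above can be illustrated with a short sketch. This is an added example, not the plugin's own code: the cookie layout `<user id>|<expiry>|<hex mac>`, the expiry field, the key-derivation label and all `lau_*` function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not the plugin's code. The cookie layout
// "<user id>|<expiry>|<hex mac>" and every lau_* name are assumptions.

// Derive a purpose-specific key from the site salts; null means "feature off".
function lau_key(string $authKey, string $authSalt): ?string {
    $placeholder = 'put your unique phrase here'; // wp-config-sample.php default
    foreach ([$authKey, $authSalt] as $s) {
        if ($s === '' || $s === $placeholder) {
            return null; // fail closed: never fall back to a built-in secret
        }
    }
    return hash_hmac('sha256', 'lau-original-user', $authKey . $authSalt, true);
}

function lau_sign(?string $key, int $userId, int $expires): ?string {
    if ($key === null || $userId <= 0) {
        return null;
    }
    $payload = $userId . '|' . $expires;
    return $payload . '|' . hash_hmac('sha256', $payload, $key);
}

// Returns the original user id, or null for anything malformed, forged or expired.
function lau_verify(?string $key, string $cookie, int $now): ?int {
    if ($key === null || !preg_match('/\A([1-9][0-9]{0,9})\|([0-9]{1,10})\|([0-9a-f]{64})\z/', $cookie, $m)) {
        return null;
    }
    $expected = hash_hmac('sha256', $m[1] . '|' . $m[2], $key);
    if (!hash_equals($expected, $m[3]) || (int) $m[2] < $now) {
        return null; // constant-time MAC comparison, then expiry check
    }
    return (int) $m[1];
}

// Constructed sample values.
$now    = 1700000000;
$key    = lau_key('constructed-auth-key', 'constructed-auth-salt');
$cookie = lau_sign($key, 1, $now + 3600);
$forged = '42' . substr($cookie, 1); // user id changed, MAC left as issued

var_dump(lau_verify($key, $cookie, $now));           // case: untouched cookie
var_dump(lau_verify($key, $forged, $now));           // case: altered user id
var_dump(lau_verify($key, $cookie, $now + 7200));    // case: past expiry
var_dump(lau_sign(lau_key('', ''), 1, $now + 3600)); // case: salts missing
```

Only the first call yields a user id; the other three return null, which a caller should treat as "no impersonation session" rather than as an error to recover from.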

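Japanese

Overview

Watrix Login as User provides a "login as" (impersonation) feature that lets an administrator operate WordPress as another user. It is useful for support work, behaviour checks and permission debugging.

Main features

  • Adds a “切り替え” link to each row of the user list (“Switch to” in the English locale)
  • Also adds a “%s に切り替え” button on the user edit screen
  • While impersonating, a red warning bar is always shown at the top of both the admin and front-end screens
  • A link in the bar returns you immediately to the original administrator account
  • Switching and returning are protected by a nonce plus a signed cookie (HMAC-SHA256)
  • The audit log is stored minimally in the options table (latest 200 entries)

Security

  • Only users who are administrator and hold manage_options may switch (manage_network_users on multisite)
  • The original user ID is stored in a Secure / HttpOnly / SameSite=Lax cookie signed with AUTH_KEY
  • Implements nonce verification, prevention of switching to oneself, and clean-up on user deletion
  • If the AUTH_KEY-family SALTs are not set, the feature is disabled (fail-closed)

Installation

  1. Upload the plugin to wp-content/plugins/watrix-login-as-user/
  2. Activate it from “Plugins” in the WordPress admin
  3. Run “切り替え” from the user list or an individual user edit screen
  4. While impersonating, you can return to your original account from the red bar at the top of the screen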

Installation

  1. Upload the plugin to wp-content/plugins/watrix-login-as-user/ or install it from the WordPress plugin directory.
  2. Activate the plugin from the Plugins screen.
  3. Go to Users and use the “Switch to” row action, or open a user’s profile and use the “Switch to %s” button.
  4. While impersonating, use the red warning bar at the top of the screen to return to your original account.

FAQ

Who can switch users?

Only users who are administrators AND have the manage_options capability (manage_network_users on multisite). The capability is re-checked on every switch and on every restore.

Is my password ever sent to the impersonated session?

No. Switching uses WordPress’ own authentication cookies (wp_set_auth_cookie). No password is ever read, written or transmitted by this plugin.

What happens if I deactivate the plugin while impersonating?

The impersonation cookie is cleared on deactivation, so the next request does not carry over stale impersonation state.

Where is the audit log stored?

In a single wp_options row (watrix_lau_audit_log), capped at the most recent 200 entries. Uninstalling the plugin removes this option completely.

Contributors & Developers

“Watrix Login as User” is open source software.

Changelog

1.0.3

  • Rename: plugin renamed from “Watrix User Switching” to “Watrix Login as User”; slug / text domain changed from watrix-user-switching to watrix-login-as-user to avoid confusion with the existing User Switching plugin.
  • Internals: constant, function, class, option, cookie, nonce and query-parameter prefixes updated accordingly (WATRIX_LOGIN_AS_USER_*, WATRIX_LAU_*, watrix_login_as_user_*, watrix_lau_*, WatrixLoginAsUser\, watrix_lau_original, watrix_lau_audit_log, ?watrix_lau=...).
  • i18n: translation catalogue renamed to watrix-login-as-user-ja.po/.mo.
  • No functional or behavioural changes.

1.0.2

  • Compliance: pass WordPress.org Plugin Check 2.0.0 with zero errors and zero warnings.
  • readme.txt: rewritten in English; “Tested up to” bumped to 7.0; Japanese description retained below.
  • i18n: removed redundant load_plugin_textdomain() call (WP 4.6+ auto-loads translations for WP.org-hosted plugins).
  • uninstall.php: prefixed local variables ($watrix_lau_option_name, $watrix_lau_site_ids, $watrix_lau_site_id).
  • i18n: moved /* translators: */ comments to be immediately adjacent to the __() call.
  • nonce warnings: annotated the admin_init and admin-notice dispatchers (read-only status checks; the actual state-changing actions still verify nonces).
  • Packaging: added .distignore so .git, .gitignore, README.md and .DS_Store are excluded from the distribution ZIP.

1.0.1

  • i18n: switched UI strings to English source + translation catalogues. Japanese locale displays “切り替え” / “%s に切り替え”; other locales show “Switch to” / “Switch to %s”.
  • Security (H-1): removed the fallback signing secret. The plugin now fails closed when AUTH_KEY salts are not configured.
  • Public failure codes coarsened; detailed reasons now live only in the audit log (S-4).
  • Added uninstall.php to fully remove the audit-log option on plugin deletion (S-6).
  • Deactivation hook clears any in-flight impersonation cookie (S-6).
  • Reworked the user-edit screen UI to use a single dedicated form-table instead of a stray <tr> injection (L-4).
  • Standardised on output-time escaping (S-1).
  • Fixed mismatched /* translators: */ placeholders (L-1).
  • Bundled a compiled Japanese .mo file.

1.0.0

  • Initial release.