Automatic Admin Login for WordPress, A Really Bad Idea

Sometimes when you’re working with a local site, especially with existing data, and need to log in as a user and don’t want to mess with resetting the password (or there’s some weird SSO/MFA that’s getting in the way) you just want it to work.

Well, here you go. This snippet will automatically log you in to WordPress using the admin login. I don’t recommend using this anywhere near production or on a server that’s publicly available–for obvious reasons.

But anyway, here’s the bad idea:

<?php
/**
 * Force login as admin user on every request.
 */
function lol_bad_idea_force_admin_login(): void {
	wp_die( 'This is a really bad idea!' ); // Remove this, it's here to stop copy paste problems for people who don't read the code.
	// Check if user is not already logged in.
	if ( ! is_user_logged_in() ) {
		// Grab user object by login name.
		$user = get_user_by( 'login', 'admin' );
		if ( $user ) {
			// Set the current user to this admin account.
			wp_set_current_user( $user->ID );
			// Set the WordPress auth cookie.
			wp_set_auth_cookie( $user->ID );
		}
	}
}
add_action( 'init', 'lol_bad_idea_force_admin_login' );
Code language: PHP (php)

January 30, 2025

Code Sweep: A Simple Approach to a Neater WordPress User List

Feel like clearing out your spam users? With the snippet below we can make your job much easier!

/**
 * Adds a new column to the user management screen for displaying the number of comments.
 *
 * @param array $columns The existing columns in the user management screen.
 *
 * @return array The modified columns array with the new 'comments_count' column added.
 */
function emrikol_add_comments_column( array $columns ): array {
	$columns['comments_count'] = esc_html__( text: 'Comments', domain: 'default' );
	return $columns;
}
add_filter( 'manage_users_columns', 'emrikol_add_comments_column' );

/**
 * Displays the number of comments for a user in the custom column.
 *
 * @param string $output       The value to be displayed in the column.
 * @param string $column_name  The name of the custom column.
 * @param int    $user_id      The ID of the user.
 *
 * @return string              The updated value to be displayed in the column.
 */
function emrikol_show_comments_count( string $output, string $column_name, int $user_id ): string {
	if ( 'comments_count' == $column_name ) {
		$args           = array(
			'user_id' => $user_id,
			'count'   => true,
		);
		$comments_count = get_comments( args: $args );
		return number_format_i18n( number: $comments_count );
	}

	return $output;
}
add_action( 'manage_users_custom_column', 'emrikol_show_comments_count', 10, 3 );
Code language: PHP (php)

This will add a “Comments” count to the WordPress user list so you can easily determine which users you can delete:

What a sad state this blarg is in…

January 31, 2024

Stopping WordPress User Registration Spam

I’ve had a rash of user registration spam lately, and even though I’m sure the site is secure, it’s just very annoying. So I’ve whipped up a quick little hook that I’ve thrown in my mu-plugins to give me the ability to add email hostnames to a blocklist and disable user registration from them:

/**
 * Hook into the user registration process to deny registration to a blocklist of hostnames.
 *
 * @param string   $sanitized_user_login The sanitized username.
 * @param string   $user_email The user's email address.
 * @param WP_Error $errors Contains any errors with the registration process.
 *
 * @return void
 */
function emrikol_blocklist_email_registration( string $sanitized_user_login, string $user_email, WP_Error $errors ): void {
	// Validate the email address.
	if ( filter_var( $user_email, FILTER_VALIDATE_EMAIL ) ) {
		// Extract the email hostname from the user's email address and normalize it.
		$email_parts  = explode( '@', $user_email );
		$email_hostname = strtolower( $email_parts[1] );

		$blocklist = array(
			'email.imailfree.cc',
			'mail.imailfree.cc',
			'mailbox.imailfree.cc',
		);

		// Check if the email hostname is in the blocklist.
		if ( in_array( $email_hostname, $blocklist ) ) {
			$errors->add( 'email_hostname_blocked', __( 'Sorry, registration using this email hostname is not allowed.', 'emrikol' ) );
		}
	}
}
add_action( 'register_post', 'emrikol_blocklist_email_registration', 10, 3 );
Code language: PHP (php)

There’s lots of different ways you could extend this for yourself, like adding a hostname regex, a filter, or an admin screen to allow updates to the blocklist without having to make a code deploy.

May 18, 2023

Wisps, a WordPress Plugin

Last year I had a need for an editable JSON file that was retrievable via HTTP. Of course there’s a million ways that I could do this, but the easiest I thought of would be to have it inside of WordPress, since all of the people that needed access to edit the file already had edit access to a specific site. So I built a plugin.

Doing this inside WordPress already brings a lot of benefits with little to no effort:

User Management
Revision History
oEmbed Support
Permalinks
Syntax Highlighting Code Editor
Self-Hosted Data

Possibly more benefits as well, depending on the setup, such as caching.

I’ve tweaked the plugin some, and I’m almost ready to submit it to the WordPress.org Plugin Repository. I just need to do the hard part of figuring out artwork. Ugh.

Introducing Wisps:

Wisps are embeddable and sharable code snippets for WordPress.

With Wisps, you can have code snippets similar to Gist, Pastebin, or similar code sharing sites. Using the built-in WordPress code editor, you can write snippets to post and share. This has the benefit of WordPress revisions, auto-drafts, etc to keep a record of how code changes.

Wisps can be downloaded by appending /download/ to the permalink, or viewed raw by adding /view/ or /raw/. There is full oEmbed support so you can just paste in a link to a wisp in the editor and it will be fully embedded.

PrismJS is used for syntax highlighting for oEmbeds.

You can add Wisp support to your theme either by modifying the custom post type page-wisp.php template, which will continue to display Wisps in the loop securely, or you can use add_theme_support( 'wisps' ) to tell the plugin to not automatically escape the output. You can then do what you like, such as potentially adding frontend support for syntax highlighting.