Pay attention and do not use it improperly: the is_admin() function is NOT there to check whether the current user is an administrator!

I have seen this mistake many times, and I probably made it myself years ago. The is_admin() core function provided by WordPress does not check whether the current user is an administrator or has administrative capabilities; it only checks whether the current request is being served from the administration side of WordPress.

In other words, it checks whether we are inside the “/wp-admin” part of WordPress (yes, custom installations may change that path…).

So, checking is_admin() to protect special administrative functionality is totally wrong and really, really dangerous. A registered user with the lowest privileges who calls an administrative page that has no other protection will succeed.

To check the user's capabilities, you must use the current_user_can(...) function, for example current_user_can('administrator').

Actually, “administrator” is not a capability but a role, that is, a collection of capabilities: you can learn more about this here.

Note about roles and role checking

When you use current_user_can(...) with a role, it returns true ONLY if ALL the capabilities associated with that role are satisfied. So you may assume that if current_user_can('administrator') returns true, then current_user_can('editor') will return true as well.

This is not… true. Or better: in a clean WP installation it is true, but if a role-editor plugin is used, the capabilities of an administrator might not contain all the capabilities given to editors, and current_user_can('editor') can return false.
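To make the difference concrete, here is an added example (not code from the original post) of the same admin-only action handler written the wrong way with is_admin() and the right way with a capability check. The function names, the 'mysite_' prefix and the option name are assumptions for illustration; the hooks, capabilities and helper functions are WordPress core, and the check uses the 'manage_options' capability rather than a role name, which also avoids the role-editor pitfall described above.

```php
<?php
// Added example, not part of the original post. Names prefixed 'mysite_'
// are assumptions; hooks and helpers used here are WordPress core.

// WRONG: is_admin() only means "this request is served from the admin side".
// It is true on /wp-admin/admin-post.php and /wp-admin/admin-ajax.php too,
// so any logged-in user, a subscriber included, passes this check.
function mysite_enable_maintenance_insecure() {
    if ( ! is_admin() ) {
        wp_die( 'Not allowed' );
    }
    // Reachable by every authenticated user: this is the bug the post warns about.
    update_option( 'mysite_maintenance_mode', 1 );
}
// Deliberately NOT hooked; shown only to contrast with the version below.

// CORRECT: check a capability (not a role name) with current_user_can(),
// and verify a nonce so the request came from the plugin's own admin form
// (the form emits it with wp_nonce_field( 'mysite_enable_maintenance' )).
function mysite_enable_maintenance_secure() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Not allowed', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'mysite_enable_maintenance' );

    update_option( 'mysite_maintenance_mode', 1 );

    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
// admin_post_{action} fires only for logged-in users; the capability check
// above is what actually restricts it to administrators.
add_action( 'admin_post_mysite_enable_maintenance', 'mysite_enable_maintenance_secure' );
```

A quick way to audit an existing plugin is to grep it for is_admin() and confirm that every hit is used only to decide where code runs (for example, whether to enqueue admin-side assets), never to decide whether a user may do something.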
