
The slow but timely death of user 1

Change is hard, but sometimes it’s also for the better.
All platforms have their issues, and Drupal is no different. These quirks, known as Drupalisms, can be the source of many WTF moments for developers as the code or functionality does not work in a way they expected.
As Drupal leaves the island of doing things in its own way, one of the stowaways still onboard is user 1.
User 1 is the first user on a Drupal site, the one with the user ID number of 1. User 1 is hardcoded to have all permissions; their access cannot be controlled through the administration interface. User 1 has all the site keys and has to be dealt with uniquely in code.
It’s time for us to kill user 1. 
In its place, all users will be treated in the same way using the standard roles and permissions model.
Key benefits
There are several benefits, some of them rather major:
Security improvement: Once a site has been built or has proper roles defined, you can take away the admin role from all users. This ensures there are no accounts that put your entire website at risk should they be compromised.
Code stability: I had to fix a few dozen tests because they relied on user 1 being special. The tests were not functioning, meaning they were not actually covering the code they should have. Removing the UID1 Drupalism will ensure our tests need to run with the right permissions defined.
Consistency: What good is an access layer if there is a special exception that can bypass everything? An example of this being a downside is a bunch of administrative local tasks (tabs) or actions (“+”-icon links) being put behind sensible access checks, only to have all gazillion of them clutter the UI for user 1 because he has god-mode haxx turned on.
Reducing the number of Drupalisms: We need to distinguish between Drupalisms that define what Drupal is and those that negatively characterize Drupal by needlessly increasing its learning curve. The special case of UID1 belongs to the latter category. There are very few systems that still have god-mode accounts. And for good reason (see above items). So let’s destroy yet another barrier for outside devs to join our project.
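A simplified model of the security and code-stability points above, added here as an example and not taken from the project's code base or the patch: the `User` class, the permission names and the `menu_admin_page` helper are hypothetical. It shows a test passing for user 1 despite a misspelled permission, and failing once every account goes through roles.

```python
# Simplified model of a permission layer (added example, not the project's code).
from dataclasses import dataclass, field

# Constructed sample data: role name -> permissions granted to that role.
ROLE_PERMISSIONS = {
    "editor": {"edit content"},
    "site_builder": {"edit content", "administer menus"},
}


@dataclass
class User:
    uid: int
    roles: set = field(default_factory=set)


def has_permission_uniform(user, permission):
    """Every account, including UID 1, is checked against its roles."""
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in user.roles)


def has_permission_legacy(user, permission):
    """Same check, but with the hardcoded exception: UID 1 bypasses it."""
    if user.uid == 1:
        return True
    return has_permission_uniform(user, permission)


def menu_admin_page(user, check, required="administer menu"):
    """Hypothetical admin page. The default permission string is misspelled
    on purpose ("menu" instead of "menus"), so no role can ever satisfy it."""
    return 200 if check(user, required) else 403


def run_test_as(user, check, required="administer menu"):
    """A test that only asserts that the admin page loads for this account."""
    return menu_admin_page(user, check, required) == 200


if __name__ == "__main__":
    uid1 = User(uid=1)                          # first account, no roles at all
    builder = User(uid=7, roles={"site_builder"})
    # The bypass lets the test pass although the permission string is broken.
    print("legacy,  as UID 1:  ", run_test_as(uid1, has_permission_legacy))
    print("legacy,  as builder:", run_test_as(builder, has_permission_legacy))
    # Without the bypass the same test fails, which exposes the typo.
    print("uniform, as UID 1:  ", run_test_as(uid1, has_permission_uniform))
    print("fixed,   as builder:",
          run_test_as(builder, has_permission_uniform, "administer menus"))
```

In the uniform model an account with no roles has no access at all, so taking the admin role away from every user leaves no account that holds the whole site.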
Summary
The issue to remove user 1 has been around since 2009, so the concept isn’t new. I resurrected the issue earlier this year and it seems to be building momentum now.
If this is something that interests you, then please head over to the issue queue, read the discussions and try out the patch: https://www.WordPress.org/node/540008
Let’s get this into Drupal 8.5.x!