WordPress Plugin: User Switching

Latest version: 1.3.0– Released 09/11/2017:

Description

This plugin allows you to quickly swap between user accounts in WordPress at the click of a button. You’ll be instantly logged out and logged in as your desired user. This is handy for test environments where you regularly log out and in between different accounts, or for administrators who need to switch between multiple accounts.

Features

  • Switch user: Instantly switch to any user account from the Users screen.
  • Switch back: Instantly switch back to your originating account.
  • Switch off: Log out of your account but retain the ability to instantly switch back in again.
  • It’s completely secure (see the Security section below).
  • Compatible with WordPress, WordPress Multisite, BuddyPress and bbPress.

Security

  • Only users with the ability to edit other users can switch user accounts. By default this is only Administrators on single site installs, and Super Admins on Multisite installs.
  • Passwords are not (and cannot be) revealed.
  • Uses the cookie authentication system in WordPress when remembering the account(s) you’ve switched from and when switching back.
  • Implements the nonce security system in WordPress, meaning only those who intend to switch users can switch.
  • Full support for administration over SSL (if applicable).

Usage

  1. Visit the Users menu in WordPress and you’ll see a Switch To link in the list of action links for each user.
  2. Click this and you will immediately switch into that user account.
  3. You can switch back to your originating account via the Switch back link on each dashboard screen or in your profile menu in the WordPress toolbar.

See the FAQ for information about the Switch Off feature.

Screenshots

  1. The <em>Switch To</em> link on the Users screen

    The Switch To link on the Users screen

  2. The <em>Switch To</em> link on a user's profile

    The Switch To link on a user's profile

Installation

FAQ

What does “Switch off” mean?

Switching off logs you out of your account but retains your user ID in an authentication cookie so you can switch straight back without having to log in again manually. It’s akin to switching to no user, and being able to switch back.

The Switch Off link can be found in your profile menu in the WordPress toolbar. Once you’ve switched off you’ll see a Switch back link in the footer of your site.

Does this plugin work with WordPress Multisite?

Yes, and you’ll also be able to switch users from the Users screen in Network Admin.

Does this plugin work with BuddyPress?

Yes, and you’ll also be able to switch users from member profile screens and the member listing screen.

Does this plugin work with bbPress?

Yes, and you’ll also be able to switch users from member profile screens.

Does this plugin work if my site is using a two-factor authentication plugin?

Yes, mostly.

One exception I’m aware of is Duo Security. If you’re using this plugin, you should install the User Switching for Duo Security add-on plugin which will prevent the two-factor authentication prompt from appearing when you switch between users.

What capability does a user need in order to switch accounts?

A user needs the edit_users capability in order to switch user accounts. By default only Administrators have this capability, and with Multisite enabled only Super Admins have this capability.

Can regular admins on Multisite installs switch accounts?

No. This can be enabled though by installing the User Switching for Regular Admins plugin.

Can I switch users directly from the admin toolbar?

Yes, there’s a third party add-on plugin for this: Admin Bar User Switching.

Are any plugin actions called when a user switches account?

Yes. When a user switches to another account, the switch_to_user hook is called with the new and old user IDs passed as parameters.

When a user switches back to their original account, the switch_back_user hook is called with the new (original) and old user IDs passed as parameters. Note that the old user ID can be boolean false if the user is switching back after they’ve been switched off.

When a user switches off, the switch_off_user hook is called with the old user ID as a parameter.

Download

This plugin requires WordPress version 3.7 or later.

Download the plugin on WordPress.org. Any comments, questions, queries, suggestions, complaints, etc, please leave a comment!

95 thoughts on “WordPress Plugin: User Switching

  1. Very handy indeed. I think I will make something with this and my “No Login” plugin for test sites.
    And very clean code, too. Me likes.

  2. using wp 2.7.1 and in the edit profile palce, there is no switch user link as shown above in the screenshot :-( what could be wrong?

  3. Thanks for the plugin BUT I defintely don’t have any “Switch To” link anywhere as explained above !! I am runing wp 2.7.1 and I installed the plugin through the Admin > Plugin Install panel with no errors !

    What is going on ???

  4. AYN: Are you sure you’re logged in as an admin and you’re in the editing screen for a user? (You won’t see the link in the second screenshot unless you’re using a development version of WP 2.8). The link will be right under the option for enabling comment moderation keyboard shortcuts.

  5. Hi John

    Thanks for your quick reply.

    I AM logged in as Admin and I am in the editing screen of my Admin profile and cannot see the switch link under the enabling keyboard ….. I wished I was missing it somewhere but unfortunately I am not ! … OKay I got it :

    Sorry,….. I just found it. I was expecting to find the link on my Admin Edit profile page and from there to be able to choose wich user to switch to. I didn’t recognise how it actually works till luckily checked my Editor account and saw the link there. I clicked it and switched to my Editor account happily. I expected though that I would be able to switch back to my Admin account from there but it doesn’t seem available. I had to logout of the Editor account and then sign in again to my Admin account. Is that how it works ? Am I missing something here ?

    Thanks again for the good work and your kind response.

    Cheers

  6. I should just correct/ answer myself to my previous question about switching back. Sorry that I was a hurried one. I understand after paying more attention to the description that ONLY Admins can switch accounts so: only if I am switching between diffrent Admin accounts I would be able to switch back without having to login. Correct me John please if I’m I got anything wrong here.

    That feature may be handy if feasible though i.e. to make the plugin remember me in whatever account type I switched to and give me a link to switch back perhaps only to that account I came from. A good idea ?!

    Best regards and thanks again

  7. AYN: You’re right in that switching back is not currently possible, but it’s a planned feature as you can see in the ‘Todo list’ above. Thanks for your interest in my plugin!

  8. OH thank you thank thank you. This will save a lot of headaches from utilizing 2 different computers and logging in and out of the same machine. Can’t wait to install! A very useful plugin for developers indeed.

    All the best,
    Jayson

    http://twitter.com/askjayson

  9. Version 0.2 released, adding the ability to securely switch back to the administrator account you originally switched from. Good times.

  10. Nice one bro!

    Now I can switch back again I’d say this is a pretty invaluable plugin. No more sitting there with Firefox and (ugh) IE open at the same time…

  11. Hi Federico. The only change in 0.2.1 is to prevent the “Switch back to…” message showing up when it shouldn’t. You do not need to update to this version if you don’t want to.

    John.

  12. This plugin is simple and cool, i love it!!! Thanks for your efforts

  13. Hi John

    This plugin looks great but I woudl really like the follwoing functionality you have listed under your to do list here:

    “A custom capability (eg. ‘switch_users’) which can be granted to lower level users so they can switch accounts.”

    Any ideas when you might do this?

    I am currently trying to hack your code to implement this exact functionality on a WordPress MU / BuddyPress site so if you wanted to work toegether on this then drop me a mail.

  14. Andy: I haven’t given much thought to the custom capability as I’ve not come across a need for it yet. Using a plugin such as Role Scoper or Role Manager I’m sure it would be easy to grant certain users a custom capability of ‘switch_users’. It would then simply be a case of changing the references to ‘edit_user’ in the User Switching plugin to ‘switch_users’.

    Give me a shout if you have any problems and I’ll see about adding it natively to the plugin.

  15. A custom capability (eg. ‘switch_users’) which can be granted to lower level users so they can switch accounts.

    It would be cool if the plugin could play nice with Justin Tadlocks new capability plugin ( Members ).

    Tadlocks Members plugin ( beta ) has a filter hook on the available caps (see functions-admin.php) if you want to integrate User Swithing specific capabilities.

    http://justintadlock.com/archives/2009/09/07/beta-test-my-upcoming-user-role-and-content-management-plugin
    http://justintadlock.com/downloads/members.zip

  16. John: Thanks for the suggestion. The idea already crossed my mind when I read about Justin’s plugin. I’ve not had a chance to test it out yet.

    The main reason I’ve not added the custom capability option to User Switching yet is that it requires a bit more thought. For example, if a lower level user has the ‘switch_users’ capability, they would need a screen in the admin area from which they could switch users from, as only Administrators by default have access to the Users menu.

    In addition, should these lower level users with the switch_users capability be allowed to switch to any other account regardless of its role? Or should, for example, an Editor only be allowed to switch to other Editor accounts and lower accounts?

    I’ll give it a bit more thought and see what I come up with.

  17. It doesn’t work with wordpress 2.9 i think, when switching to another use you get taken to the login page…

  18. I have found this plugin to be virtually indispensable for theme development, included this plugin in my article

  19. Hey, I guess I never got around to thanking you the fantastic bit of functionality that this plugin offers.

    I use it both on regular WP installs, as well as on MU setups and it works great.

    Thanks again!

  20. 0.2.2 is out:
    * Respect the current ‘Remember me’ setting when switching users.
    * Redirect to home page instead of admin screen if the user you’re switching to has no privileges.

  21. Any plans of incorporating an audit trail? If using the audit trail plugin, what user’s info will be trapped making the change, the admin or the user’s?

  22. Phil: I used the Audit Trail plugin once ages ago, but not recently. It’s probably easy enough to add an audit trail item that logs when a user switches users (I’ll have a look at it at some point), but from then on any action will always be recorded as the user that has been switched to.

  23. Hi,
    I’m having problems with you plugins. I used it in the past and it worked quite well. But these days, I am mananging a rather big site with WP 3.0, and a lot of plugins. I can switch to another user but I CANNOT SWITCH BACK to my admin status. Doesn’t work. I have to log out and relog as admin.

    Any idea ?

  24. Same problem: no way to switch back and no options “remember me” ??

  25. OK ! Found where the option was. Sorry for the comments, you can delete them. And thanks for the plugin.

  26. Well, when you switch to a new profile, you got the admin page with a link saying “go back to previous profile” (or something like that). I use S2member plugin that redirect the members so I could not see the link.

  27. Two ideas for WP3.1+ features:

    1) Add a “switch back” link to the admin bar
    2) Have an optional setting to configure a “Become user” link in the admin bar for the site admin. That was the admin can easily switch back and forth between their administrative persona and normal user profile.

  28. Thanks for the suggestions belg4mit. I had already implemented #1 while WordPress 3.1 was in beta, but it stopped working at some point before 3.1 was finally released. I’ll look into it and update the plugin.

    John

  29. Version 0.3.2 released.

    * Fix the ‘Switch back to’ menu item in the WordPress admin bar (WordPress 3.1+).
    * Fix a formatting issue on the user profile page.

  30. Thanks a ton for this plugin, one of my clients needed this exact feature, works great!

    After hearing Ozh mention the coding was clean, I read the whole script, very clean and hardly any wasted code. The only thing I wasn’t too keen on was the use of the softer ‘and’ instead of ‘&&’.. but that’s just me.

    The only feature I would like to have would be the ability to switch back to the original account that has the correct caps and user_level faster. That is a real tricky proposition security-wise, but I had a few ideas that may or may not help you if you decide to try for it.

    Looking at the way the cookies are created, using the username, substr of hashed pass, and time..

    Backup the target accounts password, then replace with your password. That way you can generate the correct authorization cookies for any user because you know their username and password. So the only thing that changes when all users have the same password hash, is the username. Thats where if you just replaced the target users password with yours, you would always be able to gen the right hash.

    Along those lines, you could create copies of the entire users and usermeta tables, and then replace all of the users password hashes to a known value. Then you could have wordpress use those temporarily by defining this:


    /** CUSTOM_USER_TABLE and CUSTOM_USER_META_TABLE are used to designated that the user and usermeta tables normally utilized by WordPress are not used, instead these values/tables are used to store your user information. */
    define('CUSTOM_USER_TABLE', $table_prefix . 'my_users');
    define('CUSTOM_USER_META_TABLE', $table_prefix . 'my_usermeta');

    At the least, you could create the cookies for each user that way, and all you need is a way to quickly switch the cookies you use. And, you are still the only one who knows your admins real credentials (as long as you don’t still send the admin cookies while logged in as another user, which they might be able to see through logs or xss), so it should prevent a backhack.

    It’s an interesting excercise to think about, but oh ya I’m on the clock!

  31. After the last update (version 0.4.1) it seems to be problems with WP 3.1.2, after switching to another user. The admin bar will not show, and link “Your name” does not open the submenu, to reveal “Your profile”.

    No problems until I switch user.

  32. Hi Knut, I’ve just tested the plugin in WordPress 3.1 and all works as expected, including the admin bar link. Remember that if you switch to another user they may not have the admin bar active (you can see their setting from the Profile screen). Remember too that the ‘My name’ link at the top right of the screen isn’t a dropdown menu in 3.1, this was only added in 3.2.

    You should really update to the latest version of WordPress (3.2, and 3.3 is right around the corner) as the plugin won’t be actively supporting older versions.

  33. Thank you for the reply and testing.

    What I meant, was that I use it with WordPess 3.2.1. Sorry for the typo.

    I have now found that the problem is incompatibility with another plugin, the only one I did not deacktivate while testing.

    I will now dig in deeper, and find out which of the two plugins really doing something wrong, before requesting it fixed.

    Again, sorry.

  34. The thing is sorted out, and fixed. No problem at all with this excellent plugin. Tank you for your patience, and very useful plugin.

  35. I am not able to switch back. I can not find the switch back button. It is not in my footer.

  36. Judd: The switch back link is shown on every screen in the admin area, and in the user profile menu in the admin toolbar. The switch back link only appears in the footer when you use the Switch Off function.

  37. Damn that’s nice code!

    Thanks for all the code comments :)

    I was hired to do a security and performance audit of your plugin. Out of around 50 plugins I checked, yours comes out on top.

  38. I love this plugin, but after the most recent update, the “Switch to” option has disappeared from my Buddypress members page (it’s still available from the WP dashboard, though).

    Is this a bug in my installation or a planned change? I only ever used Switch to from the members page – having to go to the dashboard first, then clicking on “users”, then “switch to” is a bit of a pain.

  39. Stephen, the latest update should have in fact fixed the bug you’ve reported. The button was intentionally removed from the members listing page due to formatting issues, but the button should still be available on individual member profile pages.

    There’s a bug in BuddyPress which was causing the button to not appear, but it looks like my attempt to get around it doesn’t always work.

  40. Ahaaa… Thanks for the reply. Actually it was the members listing page that I meant (sorry). That was the only place I used it. Unfortunately it’s not appearing on the individual members’ profile pages either.

    BTW there was never any formatting issue on our listing page (using PlatformPro). Is there anyway this option can be brought back? Doing it via Dashboard>>Users is such a pain I’ve created dummy accounts with various rights levels so I can quickly log in & out to check things. Which I’d rather not do. Great work, anyway – all the praise above is due!

  41. Is there a way to check to see if the user switching in use? I can check if the plugin is active with is_plugin_active() but I am looking to see if the current user is using the plugin.

    A client is using a shopping cart and has manual checkout turned off for everyone except admin. They would like to be able to switch to a user to push an order through so they can track each users order history but still want the ability to manually checkout.

    If there is a way to check if the current user has used your plugin to log in? If there is I think I can work this out.

    Thanks for the plugin, it is great and an amazing time saver for testing sites.

    Alex

  42. Alex: I’m currently working on a small update to the plugin which adds a few tweaks. I’ll add something which allows you to determine if the current user has logged in normally or switched in using User Switching.

  43. Fantastic! I have found a work around (I think) but it is not very elegant and checking the plugin would be beautiful (and much simpler).
    Thanks for the fast response.
    Alex

  44. Alex: Have a look at the new current_user_switched() function in User Switching 0.6. It tells you whether or not the current user switched into their account.

  45. Hi John

    Tres handy plugin, however, might you be happy to add an options page that allowed us to select whether the redirect on switching back to our own user went to the same page or the users page. As we are managing over 100 users I would far prefer switchback goes to the user list as I tend to be testing users views repetitively!

    Cheers :) Happy to help if nesc…

  46. Thanks for the feedback Xavier!

    Previous versions of the plugin did redirect you back to the Users screen, but myself and a few other users found that it’s more intuitive and more useful to be redirected back to the page where you switched back from. I won’t be adding an options screen for this preference because I like to keep the plugin as lightweight as possible.

    One plugin which might help you is Toolbar Quick View. This gives you an admin toolbar menu which contains – among other things – a link to the Users screen. This means it’ll only be one click back to the Users screen after you’ve switched back from wherever you are on the site. Hope this helps!

    John.

  47. No worries. Do you have a link to version 0.6 for those that want it to work that way?
    ..or is that a really annoying question ;)
    thanks again..

  48. Hi Ryan,

    In order to switch into another user’s account, you need the ability to edit that user. The reason for this of course is that switching into a user account gives you the ability to edit that user’s account. Therefore, the ability to switch to a user needs to mirror the ability to edit that user.

    Regular Admins on multisite don’t have the ability to edit other users. This is why they can’t switch.

    I’ve written some code that allows regular admins to switch users (but not switch into super admin accounts) but you should be aware that using it effectively allows regular admins to edit other users’ accounts by way of switching in to them.

    Hope this helps.

    John

  49. Thanks for your help.

    I don’t get any errors now, but it isn’t showing the “Switch to” link for the regular admins :(

  50. I decided to try this on a brand new install and it worked fine :)
    I’m not sure why the other one didn’t work.

  51. I deactivated both plugins on the original site, then reactivated them and it worked prefectly :)

    Thanks for all your help John! Much appreciated.

  52. Interesting. I wonder if WP loads plugins in the order they were activated. I was always under the impression they were loaded in alphabetical order according to their filename, but maybe not. Glad you’ve got it sorted.

  53. Relying on plugins loading in a certain order never really works well. All I know is that it’s definitely based on the order they’re stored in the database. I assume that order is controlled by the order you activate them in, but I’m not certain.

  54. I have found this plug-in immensely useful in testing out patches and bugs. Unfortunately, it seems that due to your use of standard WP nonces in the switching URI, it is not possible to switch to a specific user more than once per “two ticks” (up to 24 hours). Is there anyway you could reset the nonce when switching back? Or use a more time-sensitive nonce e.g; http://www.stephenharris.info/2013/nonces-that-are-used-only-once/

    1. Hi Stephen,

      What’s giving you the impression you can only switch once per two ticks? A nonce in WordPress is valid for two ticks (24 hours) and can be used repeatedly, just as you say in your article. You can switch to a given user as many times as you like within that period using the same nonce.

      Do you have a custom nonce system on your site that’s doing something different?

      John

      1. It’s an observation actually. Once I’ve become a user, then returned to myself, future attempts to become them simply result in me being sent to the dashboard with a message of “Switched to admin (admin).” I do not have any nonce customization. The point of the link was to suggest a way to create fresh nonces, since they seem to somehow become tainted once used.

        1. Very odd. Not sure what to suggest if I’m honest. That’s not how nonces work, so I don’t know why you’re seeing that behaviour. Maybe try disabling any other plugins you might have active and see if the problem disappears?

          1. I tracked the problem down to another module that had a hook on init to start a session of one did not exist; Pippin’s password protection.


            if(!session_id()){
            add_action( 'init', 'session_start');
            }

            It uses the default priority, as does user switching, but the plugins name comes earlier in the alphabet… Since user switching is a rather low level thing, it would seem to make sense for it to have a higher priority (smaller number). This could save others from having to tweak arbitrary plugins they might be using.

  55. When a user has “No role on this site” then switching user will be unsuccessful. I suggest not showing the switch link for users that have no role, because they cannot log in at all.

    This is very different form the role “Subscriber”, since they can log in. Without any role the switch link should not be shown for this user. On multisite this is very relevant.

    1. Thanks for the comment Knut.

      A user with no role can still log in (both on Multisite and on single site installs) but they can’t access the admin area. I’ve previously tested the behaviour of User Switching on Multisite for users with no role and it works as expected (you get redirected to the home page after switching).

      I just tested this on a single site install and the behaviour is the same. When you switch you get redirected to the home page (because the user does not have the read capability).

      Are you seeing different behaviour? If so it might be due to another plugin on your site. Can you confirm for me?

      John

      1. Thank your for the quick reply!

        Yes, “cannot log in” was incorrect. They just can’t access the admin at all, but are redirected to front, as you say. That was exactly what I experienced. So “User Swiching” even lets you test that.

        Closed enhancement request, invalid.

  56. Hello !,

    First, thanks a lot for this great plug !.

    But :)
    I just did the update today and it don’t work any more .
    When i switch to a user it doesn’t switch to this specific user.

    1. I use this function in function.php


      function redirect_nonadmin_fromdash(){

      if($_SERVER['PHP_SELF'] == '/wp-admin/async-upload.php'){

      /* allow users to upload files */

      return true;

      } else if ( ! current_user_can( 'administrator' ) && '/wp-admin/admin-ajax.php' != $_SERVER['PHP_SELF'] ) {
      wp_redirect( home_url() );
      exit;
      }

      }

      add_action( 'login_form_login', 'redirect_nonadmin_fromdash' );
      add_action( 'admin_init', 'redirect_nonadmin_fromdash', 1 );

  57. Hi John

    Absolutely love this plugin and goes in every DEV install. Was wondering thou if it would be possible to load the user switching functionality on the front end, lets say in a select field? Is it possible to reuse the plugins code and just switch the user?

    Thanks for the reply,
    regards Marcel

    1. The plugin’s main function for switching users is switch_to_user(). If you take a look at the plugin you’ll see it’s quite well documented. It’d be fairly simple to write your own form which displayed a list of users and allowed you to switch to one using that function.

  58. Hi, I just installed an update for User Switching and am now getting a message that says that I do not have sufficient permissions. Bu accessing the main page of the site, I can see that the switch actually occurred, but I do not have access to the dashboard through the user account that I have been switched two. So to recap, firstly, I am getting the whitish screen stating I don’t have the right permissions. Secondly, when I do go to the home page, there is no Howdy message and dashboard for the user I’m switching to. Any suggestions would be very much appreciated. Thanks in advance.

    1. Firstly, what role does the user you’re switching to have? If they can’t access the dashboard you should be redirected to the home page after switching.

      Secondly, do you have a plugin or custom code on your site that alters the location that users get redirected to after they log in?

  59. Like the plug-in. But I note I am getting database errors as below.

    Any suggestions? Thanks

    {snip}

      1. OK Thanks – I will redirect my support query.

        One other – User Switching was working perfectly. Now I sometimes end up on the log-in window. I think this has started happening since I changed the name of my log-in page (recommended security step). Now User Switching takes me to the log-in dialogue on the renamed log-in page. Before it just switched me. Any suggestions? Thanks again.

  60. I would like to add posts as the switched to user and keep a trace of the original user as an extra field in the post. is that possible ?

    1. Yep. There’s a function in the plugin called current_user_switched() which returns the originating user object if the current user switched (or false if not). You could store the ID from this object in a post meta field.

      1. That’s very good news, thanks John. Excuse me one more question, what about the capabilities I mean what if I want to keep the same permissions and access to certain post types of the original user unchanged when switching to another user even if the other user is a subscriber

        1. In that case you’re trying to do something that User Switching isn’t intended for. If you’re trying to retain the same capabilities then you’re not really switching user. You’d be better off changing the current user’s role instead.

          1. Look it’s a complicated project but I took a look at the code and I would like to thank you very much. I can get started from here

Comments are closed.