<b>Least-Privilege Role SOP</b>
Most sites hand out Administrator like candy. Map roles to actual jobs.
— Step 1: List every user and current role. Anyone you can't name the job for gets demoted.
— Step 2: Content writers get Author, never Editor. Editors can't install or edit plugins by default — keep it that way.
— Step 3: Cap total Administrators at two humans, both yours.
— Step 4: Remove the <code>edit_files</code> capability site-wide via <code>DISALLOW_FILE_EDIT</code> — no theme/plugin editor in admin.
— Step 5: Audit custom roles from old plugins; deleted plugins leave orphaned capabilities behind.
— Step 6: Verify with a capability viewer that no role exceeds its mandate.
Do this on every new site before launch, and run it again every time after that.
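To make the six steps repeatable instead of a one-off click-through, here is an added example (not Lockdown Ledger's code) of a read-only WP-CLI audit command that reports on each step: it lists every user with their role, flags Author and Editor roles carrying capabilities they should never have, counts Administrators against a cap, verifies that <code>DISALLOW_FILE_EDIT</code> is actually in effect, and lists custom roles left behind by plugins. The command name <code>lpa</code>, the two-admin limit and the per-role forbidden-capability lists are this example's assumptions; the WordPress functions, capability names and <code>WP_CLI</code> calls are core.

```php
<?php
/**
 * Plugin Name: Least-Privilege Audit
 * Description: Read-only WP-CLI audit of users, roles and capabilities.
 * Install: copy into wp-content/mu-plugins/ and run `wp lpa audit`.
 * Added example for the least-privilege SOP; not the channel's own code.
 */

if ( ! defined( 'WP_CLI' ) || ! WP_CLI ) {
    return; // Only meaningful under WP-CLI; do nothing on web requests.
}

class LPA_Audit_Command {

    // Step 3: maximum number of human Administrators (assumed policy value).
    private const MAX_ADMINS = 2;

    // Steps 2 and 6: capabilities a role must never carry. The capability names
    // are WordPress core; which role forbids which is this SOP's policy choice.
    private const FORBIDDEN = [
        'author' => [ 'edit_others_posts', 'edit_pages', 'publish_pages',
                      'moderate_comments', 'manage_categories' ],
        'editor' => [ 'activate_plugins', 'install_plugins', 'edit_plugins', 'update_plugins',
                      'install_themes', 'edit_themes', 'edit_theme_options', 'edit_files',
                      'manage_options', 'edit_users', 'create_users', 'promote_users' ],
    ];

    // The roles WordPress ships with; anything else is a custom role to audit (step 5).
    private const CORE_ROLES = [ 'administrator', 'editor', 'author', 'contributor', 'subscriber' ];

    /**
     * Audit users, roles and capabilities against the least-privilege SOP.
     * Exits non-zero when there are findings, so it can gate a deployment.
     */
    public function audit() {
        $findings = 0;

        // Step 1: every user and their current role(s); users without a role are flagged.
        WP_CLI::log( 'Users and roles:' );
        foreach ( get_users() as $user ) {
            $roles = $user->roles;
            WP_CLI::log( sprintf( '  %-20s %s', $user->user_login, $roles ? implode( ',', $roles ) : '(none)' ) );
            if ( ! $roles ) {
                WP_CLI::warning( "{$user->user_login} has no role; demote or remove." );
                $findings++;
            }
        }

        // Steps 2 and 6: a role holding a capability outside its mandate.
        foreach ( self::FORBIDDEN as $role_name => $caps ) {
            $role = get_role( $role_name );
            if ( ! $role ) {
                continue;
            }
            // Keep only forbidden caps that are present AND granted (true), not explicitly denied.
            $excess = array_keys( array_filter( array_intersect_key( $role->capabilities, array_flip( $caps ) ) ) );
            if ( $excess ) {
                WP_CLI::warning( sprintf( 'Role "%s" exceeds its mandate: %s', $role_name, implode( ', ', $excess ) ) );
                $findings++;
            }
        }

        // Step 3: cap the number of Administrators.
        $admins = get_users( [ 'role' => 'administrator' ] );
        if ( count( $admins ) > self::MAX_ADMINS ) {
            WP_CLI::warning( sprintf( '%d Administrators, limit is %d: %s', count( $admins ), self::MAX_ADMINS,
                implode( ', ', wp_list_pluck( $admins, 'user_login' ) ) ) );
            $findings++;
        }

        // Step 4: DISALLOW_FILE_EDIT must be set. With it on, map_meta_cap() maps the
        // file-editing capabilities to do_not_allow, so even an Administrator fails user_can().
        if ( ! ( defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT ) ) {
            WP_CLI::warning( 'DISALLOW_FILE_EDIT is not set; theme/plugin editor is reachable.' );
            $findings++;
        }
        foreach ( $admins as $admin ) {
            foreach ( [ 'edit_files', 'edit_plugins', 'edit_themes' ] as $cap ) {
                if ( user_can( $admin, $cap ) ) {
                    WP_CLI::warning( "{$admin->user_login} can still {$cap}." );
                    $findings++;
                }
            }
        }

        // Step 5: custom roles (typically left by removed plugins) and what they still grant.
        $role_counts = count_users()['avail_roles'];
        foreach ( wp_roles()->roles as $slug => $definition ) {
            if ( in_array( $slug, self::CORE_ROLES, true ) ) {
                continue;
            }
            $granted = array_keys( array_filter( $definition['capabilities'] ) );
            WP_CLI::warning( sprintf( 'Custom role "%s" (%d users, %d caps): %s', $slug,
                $role_counts[ $slug ] ?? 0, count( $granted ), implode( ', ', $granted ) ) );
            $findings++;
        }

        if ( $findings ) {
            WP_CLI::error( "{$findings} finding(s); see warnings above." ); // exits with status 1
        }
        WP_CLI::success( 'No findings: roles match the SOP.' );
    }
}

WP_CLI::add_command( 'lpa', 'LPA_Audit_Command' );
```

The audit only reports; fixing is a deliberate act (<code>wp user set-role</code>, <code>wp cap remove</code>, <code>wp role delete</code>) once you have named the job behind each account. For step 4 the setting itself lives in <code>wp-config.php</code> as <code>define( 'DISALLOW_FILE_EDIT', true );</code>; the <code>user_can()</code> check above confirms it took effect rather than trusting that the line is present.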
Lockdown Ledger
@LockdownLedger