[wp-hackers] WordPress as CMS (was: wordpress security)

Andrew Nacin anacin at gwhatchet.com
Wed Oct 21 21:06:40 UTC 2009


Press This requires the edit_posts capability. But since no one should have
any _posts capabilities:

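 // Filter every capability check so post, category and comment
 // capabilities are never granted.
 add_filter('user_has_cap', 'cms_remove_post_caps');
 function cms_remove_post_caps($caps) {
     // Drop any capability whose name ends in "posts" (edit_posts, publish_posts, ...).
     foreach ($caps as $cap => $v) {
         if (substr($cap, -5) == 'posts') {
             unset($caps[$cap]);
         }
     }
     // Also drop category and comment management.
     $remove = array('manage_categories', 'moderate_comments');
     foreach ($remove as $cap) {
         unset($caps[$cap]);
     }
     return $caps;
 }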

That right there removes Posts and Comments from admin menus, knocking a few
items off Stephen's checklist.
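
An added example, not part of the original post: a stand-alone PHP CLI script that applies the same suffix rule to a constructed Editor-style capability list and reports which capabilities are stripped, which survive, and whether any survivor still refers to posts, comments or categories. The `example_*` function names and the sample list are assumptions made for this illustration.

```php
<?php
// Hypothetical helper: the rule from the post as a pure function, so it
// runs outside WordPress (there is no add_filter() here).
function example_strip_post_caps(array $caps): array {
    foreach (array_keys($caps) as $cap) {
        if (substr($cap, -5) === 'posts') {
            unset($caps[$cap]);
        }
    }
    unset($caps['manage_categories'], $caps['moderate_comments']);
    return $caps;
}

// Hypothetical helper: list what the rule removed, what it kept, and any
// kept capability whose name still mentions posts, comments or categories.
function example_audit_caps(array $allcaps): array {
    $kept    = example_strip_post_caps($allcaps);
    $removed = array_keys(array_diff_key($allcaps, $kept));
    $leaks   = preg_grep('/post|comment|categor/', array_keys($kept));
    return array(
        'removed' => $removed,
        'kept'    => array_keys($kept),
        'leaks'   => array_values($leaks),
    );
}

// Constructed sample: capability names of the kind an Editor role carries.
$editor = array_fill_keys(array(
    'read', 'upload_files', 'manage_links', 'unfiltered_html',
    'manage_categories', 'moderate_comments',
    'edit_posts', 'edit_others_posts', 'edit_published_posts',
    'edit_private_posts', 'publish_posts', 'read_private_posts',
    'delete_posts', 'delete_others_posts', 'delete_published_posts',
    'delete_private_posts',
    'edit_pages', 'edit_others_pages', 'edit_published_pages',
    'publish_pages', 'delete_pages', 'read_private_pages',
), true);

$report = example_audit_caps($editor);
foreach ($report as $label => $names) {
    printf("%-8s %s\n", $label . ':', $names ? implode(', ', $names) : '(none)');
}
```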