BrenWP Client Safe Mode

描述

BrenWP Client Safe Mode helps you troubleshoot safely and reduce risk when handing a WordPress site to clients or non-technical users.

Safe Mode is per-user: it applies only to the currently logged-in user who enabled it. Visitors and other users are not affected.

Safe Mode (per-user) can optionally

• Block access to risky wp-admin screens (plugin/theme management, core updates, Site Health, and update actions)
• Disable file modifications (plugin/theme installs, updates, editors)
• Optionally block update/install capabilities (prevents running updates/installs even via alternative flows)
• Optionally block destructive capabilities (prevents deleting plugins/themes while Safe Mode is enabled)
• Optionally disable the built-in plugin/theme editors (capability-based) while Safe Mode is enabled
• Hide update notices
• Trim selected admin bar nodes (Updates / Comments / New Content)
• Auto-disable after a configurable number of minutes (optional)

Client restrictions (role-based + optional user targeting) can

• Optionally target a specific user account (in addition to roles)
• Hide risky menus
• Block direct access to sensitive wp-admin screens
• Disable file modifications
• Hide update notices
• Optionally limit the Media Library to a user’s own uploads (privacy on multi-author sites)
• Optionally hide common Dashboard widgets for restricted roles (UI cleanup)
• Optionally hide the Screen Options dropdown (independent toggle)
• Optionally hide the Admin Bar on the front end for restricted roles
• Optionally block Customizer access (customize.php)
• Optionally block Users screens (Users list/Add/Edit) even if the broader screen blocklist is disabled
• Optionally block Tools screens (Tools/Import/Export) even if the broader screen blocklist is disabled
• Optionally lock profile email/password changes for restricted roles (prevents self-service account takeover)
• Optionally show a dismissible 2FA security reminder notice (notice only)
• Optionally hide the Admin Bar on the front end for restricted roles

General hardening (site-wide, optional)

• Disable XML-RPC
• Disable the built-in plugin/theme editors for all users (capability-based)
• Optional settings export download (admin-only) via a nonce-protected endpoint (default OFF)

Administrators are never restricted by client restrictions. On multisite, super-admins are also excluded.

Privacy

This plugin does not send data to external services. It performs no tracking, telemetry, analytics, or “phone-home” requests.

Data stored on your site

The plugin stores the minimum required data to provide Safe Mode and optional auditing:

• Options (Settings): stored in the brenwp_csm_options option (site option). This contains your configured settings.
• Activity log (optional): stored in the brenwp_csm_activity_log option only if Activity logging is enabled. This log is bounded by Max entries and can optionally be pruned by age (Retention days).
• Operational options: internal housekeeping options such as brenwp_csm_last_settings_change and a short-lived lock key used to avoid concurrent log writes.
• User meta (Safe Mode):
  • brenwp_csm_safe_mode (on/off flag for a user)
  • brenwp_csm_safe_mode_until (optional expiry timestamp if auto-off is enabled)

Data minimization and retention

• Activity logging is disabled by default.
• The activity log does not store IP addresses and attempts to redact likely secrets from context values.
• Retention controls:
  • Max entries caps log size.
  • Retention days can automatically prune older entries (0 = disabled).
  • The Clear log action removes all log entries immediately (admin-only, nonce protected).

Privacy tools

The plugin:
* Adds suggested text to the Privacy Policy Guide (Settings → Privacy)
* Registers a personal data exporter and eraser for the Safe Mode user meta

Data deletion

On uninstall (delete), the plugin removes its options, optional log option, Safe Mode user meta, and (best-effort) the optional bren_client role if it was created by the plugin.

Security

This plugin follows WordPress hardening best practices:

• CSRF protection: all state-changing actions use POST and require a WordPress nonce.
• Authorization: privileged admin actions are gated by capability checks (manage_options by default, filterable).
• XSS defense: user-controlled data is sanitized on input and escaped on output.
• No remote requests: the plugin does not make outbound HTTP requests.
• Data minimization: the activity log is bounded, does not store IP addresses, and redacts likely secrets in log context values.

Assumptions and scope:

• The plugin enforces policies inside WordPress; it does not replace server/WAF hardening.
• Safe Mode is per-user and does not modify the site’s active plugins/themes list.

Troubleshooting

I don’t see the Safe Mode toggle in the admin bar

• Confirm the WordPress admin bar is enabled for your account.
• Confirm Enforcement is enabled in the plugin settings.
• Confirm your role is included in Who can toggle Safe Mode (or you are an administrator / multisite super-admin).

My profile email/password cannot be changed

If Restrictions → Lock profile email/password is enabled and your account is restricted, you will not be able to change your own email or password. Contact an administrator.

XML-RPC stopped working

If you rely on legacy services that require XML-RPC (some old mobile apps / integrations), disable General → Disable XML-RPC.

I get redirected with an “Access blocked” notice

A configured policy blocked a sensitive admin screen. Review:
* Restrictions → Block direct screen access (for restricted roles)
* Safe Mode → Block risky admin screens (for your account if Safe Mode is enabled)

Safe Mode is enabled but I want to turn it off

• Use the Safe Mode tab to toggle it off.
• If auto-off is enabled, it will disable automatically after the configured time window.
• If Enforcement is OFF, the UI provides a Clear stored Safe Mode button to remove the stored flag.

Developer Hooks

Filters:
* brenwp_csm_required_cap — change the capability required to manage this plugin (default: manage_options).
* brenwp_csm_presets — customize Dashboard presets (label/description/patch arrays).
* brenwp_csm_create_client_role — return false to prevent creating the bren_client role on activation.
* brenwp_csm_client_role_caps — customize capabilities assigned to the bren_client role on activation.
* brenwp_csm_remove_client_role_on_uninstall — return false to keep the bren_client role during uninstall cleanup.