Instant switching between user accounts in WordPress.
This plugin allows you to quickly swap between user accounts in WordPress at the click of a button. You’ll be instantly logged out and logged in as your desired user. This is handy for helping customers on WooCommerce sites, membership sites, testing environments, or for any site where administrators need to switch between multiple accounts.
Note: User Switching supports versions of WordPress up to three years old, and PHP version 7.4 or higher.
See the FAQ for information about the Switch Off feature.
I maintain several other plugins for developers. Check them out:
User Switching makes use of browser cookies in order to allow users to switch to another account. Its cookies operate using the same mechanism as the authentication cookies in WordPress core, which means their values contain the user’s user_login field in plain text, which should be treated as potentially personally identifiable information (PII) for privacy and regulatory reasons (GDPR, CCPA, etc). The names of the cookies are:
wordpress_user_sw_{COOKIEHASH}
wordpress_user_sw_secure_{COOKIEHASH}
wordpress_user_sw_olduser_{COOKIEHASH}
User Switching does not send data to any third party, nor does it include any third party resources, nor will it ever do so.
See also the FAQ for some questions relating to privacy and safety when switching between users.
User Switching aims to be fully accessible to all of its users. It implements best practices for web accessibility, outputs semantic and structured markup, adheres to the default styles and accessibility guidelines of WordPress, uses the accessibility APIs provided by WordPress and web browsers where appropriate, and is fully accessible via keyboard.
User Switching should adhere to Web Content Accessibility Guidelines (WCAG) 2.0 at level AA when used with a recent version of WordPress where its admin area itself adheres to these guidelines. If you’ve experienced or identified an accessibility issue in User Switching, please open a thread in the User Switching plugin support forum and I’ll address it swiftly.
Yes, it’s actively tested and working up to PHP 8.3.
Switching off logs you out of your account but retains your user ID in an authentication cookie so you can switch straight back without having to log in again manually. It’s akin to switching to no user, and being able to switch back.
The Switch Off link can be found in your profile menu in the WordPress toolbar. Once you’ve switched off you’ll see a Switch back link in a few places:
Yes, and you’ll also be able to switch users from the Users screen in Network Admin.
Yes, and you’ll also be able to switch users from various WooCommerce administration screens while logged in as a Shop Manager or an administrative user.
Yes, and you’ll also be able to switch users from member profile screens and the member listing screen.
Yes, and you’ll also be able to switch users from member profile screens.
Yes, mostly.
One exception I’m aware of is Duo Security. If you’re using this plugin, you should install the User Switching for Duo Security add-on plugin which will prevent the two-factor authentication prompt from appearing when you switch between users.
A user needs the edit_users capability in order to switch user accounts. By default only Administrators have this capability, and with Multisite enabled only Super Admins have this capability.
Specifically, a user needs the ability to edit the target user in order to switch to them. This means if you have custom user capability mapping in place which uses the edit_users or edit_user capabilities to affect the ability of users to edit others, then User Switching should respect that.
No. This can be enabled though by installing the User Switching for Regular Admins plugin.
Yes. The switch_users meta capability can be explicitly granted to a user or a role to allow them to switch users regardless of whether or not they have the edit_users capability. For practical purposes, the user or role will also need the list_users capability so they can access the Users menu in the WordPress admin area.

    add_filter( 'user_has_cap', function( $allcaps, $caps, $args, $user ) {
        if ( 'switch_to_user' === $args[0] ) {
            if ( my_condition( $user ) ) {
                $allcaps['switch_users'] = true;
            }
        }
        return $allcaps;
    }, 9, 4 );

Note that this needs to happen before User Switching’s own capability filtering, hence the priority of 9.
Yes. User capabilities in WordPress can be set to false to deny them from a user. Denying the switch_users capability prevents the user from switching users, even if they have the edit_users capability.

    add_filter( 'user_has_cap', function( $allcaps, $caps, $args, $user ) {
        if ( 'switch_to_user' === $args[0] ) {
            if ( my_condition( $user ) ) {
                $allcaps['switch_users'] = false;
            }
        }
        return $allcaps;
    }, 9, 4 );

Notes:
9
.$args[2]
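
The grant and deny filters above can be combined into a policy that depends on the target account. This is an added example, not code from the plugin: the `support_agent` role is hypothetical, and it assumes `$args[2]` carries the ID of the user being switched to, as WordPress core passes the object ID for per-object capability checks.

```php
<?php
// Added example, not from the plugin. 'support_agent' is a hypothetical custom role.
add_filter( 'user_has_cap', function ( $allcaps, $caps, $args, $user ) {
    // Only act on User Switching's per-target capability check.
    if ( 'switch_to_user' !== $args[0] ) {
        return $allcaps;
    }

    // Assumption: $args[2] is the ID of the target user.
    $target = isset( $args[2] ) ? get_userdata( (int) $args[2] ) : false;

    // Fail closed when the target account cannot be resolved.
    if ( ! $target ) {
        $allcaps['switch_users'] = false;
        return $allcaps;
    }

    $target_is_privileged = in_array( 'administrator', (array) $target->roles, true )
        || ( is_multisite() && is_super_admin( $target->ID ) );

    if ( $target_is_privileged ) {
        // Nobody switches into an administrative account, other administrators included.
        $allcaps['switch_users'] = false;
    } elseif ( in_array( 'support_agent', (array) $user->roles, true ) ) {
        // Support staff may switch into non-privileged accounts without edit_users.
        $allcaps['switch_users'] = true;
    }

    // Everyone else falls through to User Switching's default edit_user check.
    return $allcaps;
}, 9, 4 ); // Priority 9: runs before User Switching's own capability filtering.
```
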
Yes. Use the user_switching::maybe_switch_url() method for this. It takes care of authentication and returns a nonce-protected URL for the current user to switch into the provided user account.

    if ( method_exists( 'user_switching', 'maybe_switch_url' ) ) {
        $url = user_switching::maybe_switch_url( $target_user );
        if ( $url ) {
            printf(
                '<a href="%1$s">Switch to %2$s</a>',
                esc_url( $url ),
                esc_html( $target_user->display_name )
            );
        }
    }

If you want to specify the URL that the user gets redirected to after switching, add a redirect_to parameter to the URL like so:

    if ( method_exists( 'user_switching', 'maybe_switch_url' ) ) {
        $url = user_switching::maybe_switch_url( $target_user );
        if ( $url ) {
            // Redirect to the home page after switching:
            $redirect_to = home_url();
            printf(
                '<a href="%1$s">Switch to %2$s</a>',
                esc_url( add_query_arg( 'redirect_to', rawurlencode( $redirect_to ), $url ) ),
                esc_html( $target_user->display_name )
            );
        }
    }

The above code also works for displaying a link to switch back to the original user, but if you want an explicit link for this you can use the following code:

    if ( method_exists( 'user_switching', 'get_old_user' ) ) {
        $old_user = user_switching::get_old_user();
        if ( $old_user ) {
            printf(
                '<a href="%1$s">Switch back to %2$s</a>',
                esc_url( user_switching::switch_back_url( $old_user ) ),
                esc_html( $old_user->display_name )
            );
        }
    }

Yes. Use the current_user_switched() function for this. If the current user switched into their account from another then it returns a WP_User object for their originating user, otherwise it returns false.

    if ( function_exists( 'current_user_switched' ) ) {
        $switched_user = current_user_switched();
        if ( $switched_user ) {
            // User is logged in and has switched into their account.
            // $switched_user is the WP_User object for their originating user.
        }
    }

You can install an audit trail plugin such as Simple History, WP Activity Log, or Stream, all of which have built-in support for User Switching and all of which log an entry when a user switches into another account.
Potentially yes, but User Switching includes some safety protections for this and there are further precautions you can take as a site administrator:
One or more of the above should allow you to correlate an action with the originating user when a user switches account, should you need to.
Bear in mind that even without the User Switching plugin in use, any user who has the ability to edit another user can still frame another user for an action by, for example, changing their password and manually logging into that account. If you are concerned about users abusing others, you should take great care when granting users administrative rights.
Yes, there’s a third party add-on plugin for this: Admin Bar User Switching.
Yes. When a user switches to another account, the switch_to_user hook is called:

    /**
     * Fires when a user switches to another user account.
     *
     * @since 0.6.0
     * @since 1.4.0 The `$new_token` and `$old_token` parameters were added.
     *
     * @param int    $user_id     The ID of the user being switched to.
     * @param int    $old_user_id The ID of the user being switched from.
     * @param string $new_token   The token of the session of the user being switched to. Can be an empty string
     *                            or a token for a session that may or may not still be valid.
     * @param string $old_token   The token of the session of the user being switched from.
     */
    do_action( 'switch_to_user', $user_id, $old_user_id, $new_token, $old_token );

When a user switches back to their originating account, the switch_back_user hook is called:

    /**
     * Fires when a user switches back to their originating account.
     *
     * @since 0.6.0
     * @since 1.4.0 The `$new_token` and `$old_token` parameters were added.
     *
     * @param int       $user_id     The ID of the user being switched back to.
     * @param int|false $old_user_id The ID of the user being switched from, or false if the user is switching back
     *                               after having been switched off.
     * @param string    $new_token   The token of the session of the user being switched to. Can be an empty string
     *                               or a token for a session that may or may not still be valid.
     * @param string    $old_token   The token of the session of the user being switched from.
     */
    do_action( 'switch_back_user', $user_id, $old_user_id, $new_token, $old_token );

When a user switches off, the switch_off_user hook is called:

    /**
     * Fires when a user switches off.
     *
     * @since 0.6.0
     * @since 1.4.0 The `$old_token` parameter was added.
     *
     * @param int    $old_user_id The ID of the user switching off.
     * @param string $old_token   The token of the session of the user switching off.
     */
    do_action( 'switch_off_user', $old_user_id, $old_token );

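
The three action hooks above are enough to build the kind of audit trail mentioned earlier for correlating an action with the originating user. The following is an added example, not code from the plugin: `myprefix_log_user_switch()` and the log line format are hypothetical, and entries go to the PHP error log via `error_log()`.

```php
<?php
// Added example: audit logging for User Switching events (not plugin code).
// myprefix_log_user_switch() and the log format are hypothetical.

function myprefix_log_user_switch( $event, $to_user_id, $from_user_id, $old_token ) {
    $entry = array(
        'time'    => gmdate( 'c' ),
        'event'   => $event,
        // Numeric IDs only: user_login is potentially PII, so it stays out of the log.
        'from_id' => $from_user_id ? (int) $from_user_id : null,
        'to_id'   => $to_user_id ? (int) $to_user_id : null,
        // Truncated digest gives a correlation ID without storing the session token.
        'session' => $old_token ? substr( hash( 'sha256', $old_token ), 0, 16 ) : null,
        'ip'      => isset( $_SERVER['REMOTE_ADDR'] )
            ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
            : null,
    );

    error_log( 'user-switching-audit ' . wp_json_encode( $entry ) );
}

add_action( 'switch_to_user', function ( $user_id, $old_user_id, $new_token, $old_token ) {
    myprefix_log_user_switch( 'switch_to', $user_id, $old_user_id, $old_token );
}, 10, 4 );

add_action( 'switch_back_user', function ( $user_id, $old_user_id, $new_token, $old_token ) {
    // $old_user_id is false when switching back after having switched off.
    myprefix_log_user_switch( 'switch_back', $user_id, $old_user_id, $old_token );
}, 10, 4 );

add_action( 'switch_off_user', function ( $old_user_id, $old_token ) {
    // Switching off has no target account.
    myprefix_log_user_switch( 'switch_off', null, $old_user_id, $old_token );
}, 10, 2 );
```
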
When a user switches to another account, switches off, or switches back, the user_switching_redirect_to filter is applied to the location that they get redirected to:

    /**
     * Filters the redirect location after a user switches to another account or switches off.
     *
     * @since 1.7.0
     *
     * @param string       $redirect_to   The target redirect location, or an empty string if none is specified.
     * @param string|null  $redirect_type The redirect type, see the `user_switching::REDIRECT_*` constants.
     * @param WP_User|null $new_user      The user being switched to, or null if there is none.
     * @param WP_User|null $old_user      The user being switched from, or null if there is none.
     */
    return apply_filters( 'user_switching_redirect_to', $redirect_to, $redirect_type, $new_user, $old_user );

In addition, User Switching respects the following filters from WordPress core when appropriate:
login_redirect when switching to another user.
logout_redirect when switching off.
You can report security bugs through the official User Switching Vulnerability Disclosure Program on Patchstack. The Patchstack team helps validate, triage, and handle any security vulnerabilities.
I am accepting sponsorships via the GitHub Sponsors program and any support you can give will help me maintain this plugin and keep it free for everyone.
user_switching_redirect_to filter
.editorconfig from dist ZIP
interim-login query parameter is present on a page other than wp-login.php.
user_switching_in_footer filter to disable output in footer on front end.
lang attribute on User Switching’s admin notice.
For the changelog of earlier versions, please refer to the releases page on GitHub.