4.2 Access Manager Limitations
WordPress does not have a solid foundation for access control
The Access Manager plugin attempts to fill that gap by using existing WordPress hooks and other mechanisms to control access to KB Articles and KB Categories. However, because WordPress lacks a proper access control system, the plugin has the limitations listed below. Additional information is in the following chapters of this document.
WordPress security is about risk reduction, not risk elimination. Because there will always be risk, security will remain a continuous process, requiring frequent assessment of attack vectors. WordPress has no plugin that solves all its security limitations and we feel our solution is one of the most comprehensive of all available plugins.
Access Manager limitations:
- Inability to block access if your website has a plugin that directly accesses WordPress database tables instead of using default WordPress functions and hooks.
- Inability to block access when other plugins expose KB content by not using WordPress functions at all, or by not using them in the intended way.
- KB Content is not protected if it is exported from WordPress by plugins or other means.
- Tags are not protected at this time.
- Download links to PDFs, documents, and media are not protected.
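The first limitation can be checked before a plugin is installed alongside Access Manager. The following is an added example, not code from Access Manager or WordPress: a Python heuristic that flags plugin PHP source calling `$wpdb` query methods directly on core content tables. The regex patterns, the table list, and the sample plugin functions are assumptions made for this illustration.

```python
import re
from pathlib import Path

# Heuristic patterns chosen for this example; not exhaustive. A table name built
# in a separate variable before the query is not detected.
WPDB_CALL = re.compile(r"\$wpdb\s*->\s*(get_results|get_row|get_col|get_var|query)\s*\(")
TABLES = r"(posts|postmeta|terms|term_taxonomy|term_relationships)"
TABLE_REF = re.compile("|".join([
    r"\$wpdb->" + TABLES + r"\b",                       # $wpdb->posts
    r"\$wpdb->prefix\}?[\s.'\"]*" + TABLES + r"\b",     # {$wpdb->prefix}posts
    r"\bwp_" + TABLES + r"\b",                          # hard-coded wp_posts
]))

def scan_php(source, name="<inline>"):
    """Return (file, line, method, table) per direct query on a content table."""
    findings = []
    for call in WPDB_CALL.finditer(source):
        end = source.find(";", call.start())            # end of the PHP statement
        stmt = source[call.start():end if end != -1 else call.start() + 600]
        ref = TABLE_REF.search(stmt)
        if ref:
            table = next(g for g in ref.groups() if g)
            line = source.count("\n", 0, call.start()) + 1
            findings.append((name, line, call.group(1), table))
    return findings

def scan_plugins(plugins_dir):
    """Scan every .php file under a plugins directory (e.g. wp-content/plugins)."""
    findings = []
    for path in sorted(Path(plugins_dir).rglob("*.php")):
        findings += scan_php(path.read_text(errors="replace"), str(path))
    return findings

# Constructed sample: a hypothetical plugin with one direct and one scoped query.
SAMPLE = '''<?php
function demo_list_titles() {
    global $wpdb;
    return $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_status = 'publish'"
    );
}
function demo_own_table() {
    global $wpdb;
    return $wpdb->get_var( "SELECT COUNT(*) FROM {$wpdb->prefix}demo_log" );
}
'''

if __name__ == "__main__":
    for finding in scan_php(SAMPLE):
        print("%s:%d direct $wpdb->%s on %s table" % finding)
```

A finding is a prompt for manual review of that plugin, not proof that it exposes KB content; a clean result does not rule out exposure through other paths listed above.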
Website visual builders are tools that allow editors and administrators to edit their site content directly on the front end outside of the default WordPress editor. There are two types of such builders:
- Plugins such as Beaver Builder, Divi, and Visual Composer
- A new core WordPress project called Gutenberg that aims to replace the current WordPress
Website builder plugins typically save KB article data outside of the regular post database tables. Therefore, some builder plugins could expose article data if they work outside of WordPress hooks and functions. We have not detected any compromises but cannot guarantee security when builders are used, as they manipulate the data outside of our control. If this is a concern, use the default WP editor for your KB articles.
Once the Gutenberg builder project is released, we will verify and update Access Manager so that it is compatible with this upcoming core feature.
Due to inherent security limits in WordPress, and other factors listed in section 4.0, we recommend using Access Manager only for content that does not contain personal information or critical confidential information. Therefore, Access Manager is best suited to:
- Restrict access to Premium website content.
- Restrict access to non-critical internal information.
- Separate content between groups in your organization.
- Prevent employees from modifying non-critical content.
Access Manager should not be used to protect personal, confidential, and sensitive information.
For all details read the full disclaimer here.