4.1 Access Manager Integrity
Access Manager is the most advanced access control plugin on the market for KB content protection. However, due to WordPress limitations and depending on your website setup, Access Manager's effectiveness will never be 100 percent. You can increase its ability to protect your content by implementing as many of the following measures as possible:
- Block access to the whole website:
  - User needs to log in to access it AND/OR
  - User comes from a specific IP address
- Use only WordPress default editors or Gutenberg builder
- Install only trustworthy plugins. If using non-KB plugins, regularly test that they do not affect Access Manager’s ability to protect KB content.
The following are required ongoing maintenance tasks for Access Manager:
- Keep all WordPress plugins and themes up-to-date.
- Install only plugins that use typical WordPress hooks and functions rather than directly accessing, storing, and exposing KB content.
- Restrict and control access to the WordPress database in which the KB is stored.
- Implement effective industry-standard security practices and policies.
- Host KB on a secured web server, for example WPEngine.
- Report defects early.
- Minimize the time during which Access Manager is NOT active. An inactive Access Manager plugin cannot actively protect your content, although that content should still be inaccessible.
When installing a new plugin:
- Verify that the plugin does not directly access, store, and expose KB content but rather uses WordPress hooks and functions.
- Check that if the plugin is accessing Custom Post Types, it does not expose KB content such as slugs, KB Categories, KB Articles, KB Main Page, and KB Admin screens.
- If you see any access issues, contact our support team.
Types of plugins that could circumvent access restrictions:
- Visual builders such as Beaver Builder, Divi, and Visual Composer
- WordPress export and backup plugins
- Shortcode or widget plugins that pull data directly out of the database with their own custom queries
Verify that Access Manager restrictions work:
- Log in as a user who has limited access to your KB.
- Test for non-authorized access to KB content:
  - Test access without logging in and test with WordPress Subscriber and Editor.
  - Test access to KB Categories and KB Articles.
  - Test WordPress and KB Search.
  - Test KB Category archive page.
  - Test breadcrumbs, site maps, and other access points.
  - Test custom plugin content output.
- Test what users can see on the front end, including KB Main and Article Pages and Category pages to see if they are correct.
- Test user access in the back-end administration screens (https://codex.wordpress.org/Administration_Screens), including KB All Articles pages, Categories pages, and Access Manager configuration.
- Repeat this for each Group and role.
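One way to script the verification steps above, as an added example that is not code from the plugin or its vendor: put a unique marker in a restricted test article, then check every role's view of every access point for that marker or the article's slug. The marker, slug, role names, access-point labels and page bodies are constructed; on a real site `fetch` would supply the bodies.

```python
import urllib.error
import urllib.request

# Constructed values: a unique phrase placed in the title and body of a restricted
# test article, and that article's slug. Neither comes from the plugin.
MARKERS = ("kb-canary-7f3a", "restricted-test-article")

def fetch(url, cookie=None, timeout=10):
    """Return the response body; cookie carries a logged-in session for role tests."""
    req = urllib.request.Request(url, headers={"Cookie": cookie} if cookie else {})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 403/404 pages can still carry content
        return err.read().decode("utf-8", "replace")

def exposed(body, markers=MARKERS):
    """Markers found in a page. Status codes are ignored on purpose: a login
    redirect ends in a 200 response, and an error page can still leak a title."""
    low = body.lower()
    return [m for m in markers if m in low]

def audit(expected, bodies):
    """Compare {(role, access_point): may_see} with fetched bodies; return findings."""
    findings = []
    for key, may_see in expected.items():
        if key not in bodies:
            findings.append(key + ("UNTESTED",))
        elif exposed(bodies[key]) and not may_see:
            findings.append(key + ("LEAK",))
        elif not exposed(bodies[key]) and may_see:
            findings.append(key + ("OVERBLOCK",))
    return sorted(findings)

# Constructed sample run: bodies as fetch() might return them for three sessions.
EXPECTED = {
    ("anonymous", "article"): False, ("anonymous", "search"): False,
    ("anonymous", "sitemap"): False, ("subscriber", "article"): False,
    ("subscriber", "category-archive"): False, ("kb-group-member", "article"): True}
BODIES = {
    ("anonymous", "article"): "<title>Log In</title><form id='loginform'>",
    ("anonymous", "search"): "<li><a href='/kb/restricted-test-article/'>KB-Canary-7F3A</a></li>",
    ("anonymous", "sitemap"): "<urlset><url><loc>https://kb.example.test/</loc></url></urlset>",
    ("subscriber", "article"): "<p>You do not have access to this article.</p>",
    ("kb-group-member", "article"): "<h1>kb-canary-7f3a</h1><p>Body text</p>"}

if __name__ == "__main__":
    for role, point, verdict in audit(EXPECTED, BODIES):
        print(f"{verdict:9} {role:16} {point}")
```

An `UNTESTED` finding marks a role and access point pair that was never fetched, which keeps gaps in the test matrix visible when repeating the run for each Group and role.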