New Local Media: Work in Progress
Open projects, products, and experiments.
Featured Repo

Sudo ⛩️

WordPress risky-action gating with mandatory reauthentication, time-bounded sessions, 2FA support, rate limiting, and policy controls across wp-admin, REST, WP-CLI, Cron, WPGraphQL, and XML-RPC.

Last updated Apr 28, 2026

Gate Any Privileged Action

When a user attempts a gated action, Sudo intercepts the request at admin_init. The plugin is the clearest expression of the security work in this collection: no role escalation, no new permissions, just a deliberate gate in front of dangerous actions.

Key docs worth reading here include the Security Model, the Developer Reference, the Two-Factor Integration guide, and the Sudo Architecture Comparison Matrix.

Related Repo: WordPress 2FA Ecosystem Documentation.

Repository Details

Owner: @dknauss
Source: dknauss/Sudo
Latest release: v2.14.0
CI: GitHub Actions
Tests: PHPUnit + Playwright e2e
License: GPL-2.0
Try It! → 🛝 WordPress Playground
Last updated: Apr 28, 2026
Primary language: PHP
Stars: 42
Sudo for WordPress! 🥪

Risky actions — activating plugins, deleting users, changing key settings — are gated by a required reauthentication step, regardless of user role. Time-bounded sessions, 2FA support, rate limiting, and configurable policies for REST, WP-CLI, Cron, WPGraphQL, and XML-RPC. No role escalation, no new permissions — just a gate.

Screenshot Gallery

Selected screenshots from Sudo.

Challenge page — reauthentication interstitial with password field.
Two-factor authentication — after password confirmation, users with 2FA enabled enter their authentication code.
Settings page — configure session duration and entry point policies.
Gate notice (plugins) — when no sudo session is active, a persistent notice links to the challenge page.
Gate notice (themes) — the same gating notice appears on the themes page.
Gated actions — the settings page lists all gated operations with their categories and surfaces.
Active sudo session — the admin bar shows a green countdown timer.

Documentation

Documentation links and descriptions for Sudo.
| Document | Description |
| --- | --- |
| WordPress Core Authentication | How WordPress authentication works — request flow, session handling, cookies, and the nonce system. |
| Two-Factor Authentication Flow | The full 2FA request lifecycle with a flowchart — and where Sudo intercepts. |
| Security Model | Threat model and design decisions behind Sudo’s reauthentication architecture. |
| Developer Reference | Hooks, filters, API surface, and integration patterns for building on Sudo. |
| Two-Factor Integration | Bridging Sudo with WP 2FA, Wordfence, AIOS, and other plugins for delegated code verification. |
| Architecture Comparison Matrix | How Sudo compares to other re-auth and session-gating approaches. |
| README | Installation, configuration, and usage overview. |
| FAQ | Answers to common questions about configuration, behavior, and edge cases. |