New Local Media: Work in Progress
Open projects, products, and experiments.
Featured Repo

Sudo ⛩️

WordPress risky-action gating with mandatory reauthentication, time-bounded sessions, 2FA support, rate limiting, and policy controls across wp-admin, REST, WP-CLI, Cron, WPGraphQL, and XML-RPC.

Stars: 42. Last updated: Jun 14, 2026. Latest release: v2.14.0.

Gate Any Privileged Action

When a user attempts a gated action, Sudo intercepts the request at admin_init. Sudo is the clearest expression of the security work in this collection: no role escalation, no new permissions, just a deliberate gate in front of dangerous actions.

Key docs worth reading here include the Security Model, the Developer Reference, the Two-Factor Integration guide, and the Sudo Architecture Comparison Matrix.

Related Repo: WordPress 2FA Ecosystem Documentation.

Repository Details

Owner: @dknauss
Source: dknauss/Sudo
Latest release: v2.14.0
CI: GitHub Actions
Tests: PHPUnit + Playwright e2e
License: GPL-2.0
Try it: 🛝 WordPress Playground
Last updated: Jun 14, 2026
Primary language: PHP
Stars: 42
Sudo for WordPress! 🥪

Risky actions — activating plugins, deleting users, changing key settings — are gated by a required reauthentication step, regardless of user role. Time-bounded sessions, 2FA support, rate limiting, and configurable policies for REST, WP-CLI, Cron, WPGraphQL, and XML-RPC. No role escalation, no new permissions — just a gate.

Screenshot Gallery

Selected screenshots from Sudo.

Challenge page — reauthentication interstitial with password field.
Settings tab — policy presets, session settings, and active sudo timer.
Gated Actions tab — protected operations with rule IDs and covered surfaces.
Rule Tester tab — evaluate representative request shapes without executing them.
Access tab — manage dedicated Sudo governance capabilities and revoke sessions.
Dashboard widget — active sessions, policy summary, and recent privilege-action events.
Break-glass recovery notice — visible warning while WP_SUDO_RECOVERY_MODE is active.

Documentation

Documentation links and descriptions for Sudo.
WordPress Core Authentication: How WordPress authentication works — request flow, session handling, cookies, and the nonce system.
Two-Factor Authentication Flow: The full 2FA request lifecycle with a flowchart — and where Sudo intercepts.
Security Model: Threat model and design decisions behind Sudo’s reauthentication architecture.
Developer Reference: Hooks, filters, API surface, and integration patterns for building on Sudo.
Two-Factor Integration: Bridging Sudo with WP 2FA, Wordfence, AIOS, and other plugins for delegated code verification.
Architecture Comparison Matrix: How Sudo compares to other re-auth and session-gating approaches.
README: Installation, configuration, and usage overview.
FAQ: Answers to common questions about configuration, behavior, and edge cases.