10up / 10up-experience
The 10up Experience plugin configures WordPress to better protect and inform clients, aligned to 10up's best practices
Installs: 422 610
Dependents: 0
Suggesters: 0
Security: 0
Stars: 135
Watchers: 58
Forks: 29
Open Issues: 26
Type: wordpress-plugin
pkg:composer/10up/10up-experience
Requires: (none)
Requires (Dev):
- 10up/phpcs-composer: dev-trunk
Versions: dev-develop, 1.16.5, 1.16.4, 1.16.3, 1.16.2, 1.16.1, 1.16.0, 1.15.0, 1.14.0, 1.13.1, 1.13.0, 1.12.1, 1.12.0, 1.11.2, 1.11.1, 1.11.0, 1.10.3, 1.10.2, 1.10.1, 1.10.0, 1.9.1, 1.9.0, 1.8.2, 1.8.1, 1.8.0, 1.7.3, 1.7.2, 1.7.1, 1.7, 1.6.2, 1.5, 1.4, 1.3, 1.2, 1.1
Branches: dev-fix/user-roles-array, dev-master, dev-feature/monitor-remove-local-envs, dev-feature/coding-standards-refresh, dev-fueled, dev-monitor, dev-dependabot/npm_and_yarn/npm_and_yarn-security-group-c79ee48a69, dev-fueled-sso, dev-feature/sm-logging, dev-feature/sso, dev-feature/automatically-deactivate-10up-accounts, dev-release/1.7.3, dev-update/branch-name, dev-feature/disable-users
This package is auto-updated.
Last update: 2025-10-06 08:13:19 UTC
README
The 10up Experience plugin configures WordPress to better protect and inform our clients, aligned to 10up’s best practices. It is not meant as a general-distribution plugin and does not have an open development process, but is available for public perusal.
Requirements
- PHP 7.2+
- WordPress 4.7+
Installation
Composer
The recommended way to use this plugin is with Composer.
composer require 10up/10up-experience
Git
For development purposes, you can clone the plugin into wp-content/plugins and install the dependencies.
git clone git@github.com:10up/10up-experience.git && cd 10up-experience && composer install && npm install
Archive
If you need a built version of the plugin to install via the dashboard, download and extract the plugin into wp-content/plugins. Make sure you use the master branch which contains the latest stable release.
Activation
Activate the plugin via the dashboard or WP-CLI.
wp plugin activate 10up-experience
Updates
Updates use the built-in WordPress update system to pull from GitHub releases.
Functionality
REST API
Adds an option to general settings to restrict REST API access. The options are: show REST API to everyone, only show REST API to logged in users, and show REST API to everyone except /users endpoint. By default, the plugin requires authentication for the /users endpoint.
Configured in Settings > Reading.
Authors
Removes 10up user author archives so they aren't mistakenly indexed by search engines.
Gutenberg
Adds an option in writing to switch back to Classic Editor.
Configured in Settings > Writing.
Plugins
Adds a 10up Suggested Plugins section to the plugins screen. Warns users who attempt to deactivate the 10up Experience plugin. Outputs a notice on the non-suggested plugin tabs warning users against installing non-approved plugins. If DISALLOW_FILE_MODS is on, update notices are still shown in the plugins table.
Post Passwords
Post password protection is removed in both Gutenberg and the classic editor. This can be disabled in the Writing section of the admin.
Configured in Settings > Writing.
Monitor
Sends non-PII information about the website back to 10up including plugins installed, constants defined in wp-config.php, 10up user accounts, and more.
Configured in Settings > General or Settings > Network Settings if network activated.
Authentication
By default, all users must use a medium or greater strength password. This can be turned off in general settings (or network settings if network activated). Reserved usernames such as admin are prevented from being used.
Configured in Settings > General or Settings > Network Settings if network activated.
*Password strength functionality requires the PHP extension mbstring to be installed on the web server. The check is bypassed if the extension is not installed.
Additionally, the plugin checks passwords against the Have I Been Pwned database to ensure they haven't been compromised in a data breach. This can be disabled by defining the constant TENUP_EXPERIENCE_DISABLE_HIBP as true.
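The breach check described above works against the Have I Been Pwned range API. The following is added example code, not the plugin's own implementation, showing how such a check is done without the password or its full hash leaving the server: only the first five hex characters of the SHA-1 hash are sent, and the remaining 35 are matched locally against the returned `SUFFIX:COUNT` lines. The injected `$fetch` callable and the sample range body are constructed for this example; `example_hibp_wp_fetch()` shows the same fetch written with core WordPress HTTP functions.

```php
<?php
/**
 * Illustration of a Have I Been Pwned "range" (k-anonymity) password check.
 * Added example code; not the 10up Experience implementation.
 */

/**
 * Return how many times $password appears in the breach corpus, 0 when it
 * does not, or -1 when the lookup could not be completed.
 *
 * $fetch is an injected callable (an assumption made for this example) that
 * takes a URL and returns the response body as a string, or null on failure.
 */
function example_hibp_breach_count( string $password, callable $fetch ): int {
	$hash   = strtoupper( sha1( $password ) );
	$prefix = substr( $hash, 0, 5 );  // the only part that is transmitted
	$suffix = substr( $hash, 5 );     // compared locally, never sent

	$body = $fetch( 'https://api.pwnedpasswords.com/range/' . $prefix );
	if ( ! is_string( $body ) ) {
		// Whether to fail open or closed on a network error is a policy
		// decision; surface it to the caller instead of deciding here.
		return -1;
	}

	foreach ( preg_split( '/\r?\n/', $body ) as $line ) {
		$parts = explode( ':', trim( $line ) );
		if ( 2 === count( $parts ) && $parts[0] === $suffix ) {
			return (int) $parts[1];
		}
	}

	return 0;
}

/**
 * Fetcher for use inside WordPress. wp_remote_get(), wp_remote_retrieve_body()
 * and wp_remote_retrieve_response_code() are core functions. The Add-Padding
 * header asks the API to pad responses so their size does not reveal which
 * range was requested.
 */
function example_hibp_wp_fetch( string $url ): ?string {
	$response = wp_remote_get( $url, [
		'timeout' => 5,
		'headers' => [ 'Add-Padding' => 'true' ],
	] );
	if ( is_wp_error( $response ) || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
		return null;
	}
	return wp_remote_retrieve_body( $response );
}

// Constructed sample response for the range of sha1("password"). The counts
// are made up; the middle line is built to match that hash's suffix.
$example_range_body = implode( "\n", [
	'00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2',
	'1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493',
	'011053FD0102E94D6AE2F8B83D76FAF94F6:1',
] );

// Offline stand-in for example_hibp_wp_fetch() so the check runs without network.
$offline_fetch = function ( string $url ) use ( $example_range_body ): ?string {
	return $example_range_body;
};

$count = example_hibp_breach_count( 'password', $offline_fetch );
echo $count > 0 ? "breached ({$count} times)\n" : "not found\n";
```

In a real deployment the decision on a `-1` result (API unreachable) matters: rejecting the password blocks legitimate users during an outage, while accepting it lets a breached password through, so log the outcome either way.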
Constants
TENUP_EXPERIENCE_DISABLE_HIBP
Define TENUP_EXPERIENCE_DISABLE_HIBP as true to disable Have I Been Pwned password checking.
Headers
The X-Frame-Options header is set to SAMEORIGIN to prevent clickjacking.
Note: 10up admin branding can be disabled by defining the constant TENUP_DISABLE_BRANDING as true.
There are 2 filters available here:
- tenup_experience_x_frame_options - default value SAMEORIGIN; can be changed to DENY.
- tenup_experience_disable_x_frame_options - default value FALSE; can be changed to TRUE, which omits the header.
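Both filters are hooked from a small mu-plugin in the following added example (not part of 10up Experience). The constant EXAMPLE_CSP_FRAME_ANCESTORS_SET is hypothetical, standing in for whatever signal tells you the web server already sends a Content-Security-Policy frame-ancestors directive, which is the only case where dropping X-Frame-Options does not weaken the site.

```php
<?php
/**
 * Plugin Name: Frame-embedding policy (added example mu-plugin)
 *
 * Example code, not part of 10up Experience. Save as
 * wp-content/mu-plugins/frame-policy.php so the filters run on every request.
 */

// Tighten the default SAMEORIGIN to DENY: nothing may frame the site, not
// even its own pages. Use this when no page legitimately embeds another.
add_filter( 'tenup_experience_x_frame_options', function ( $value ) {
	return 'DENY';
} );

// Omit the X-Frame-Options header only when a Content-Security-Policy
// frame-ancestors directive is already emitted elsewhere and supersedes it.
// EXAMPLE_CSP_FRAME_ANCESTORS_SET is a hypothetical constant for this example.
add_filter( 'tenup_experience_disable_x_frame_options', function ( $disabled ) {
	if ( defined( 'EXAMPLE_CSP_FRAME_ANCESTORS_SET' ) && EXAMPLE_CSP_FRAME_ANCESTORS_SET ) {
		return true;
	}
	return $disabled;
} );
```

After deploying, confirm the result from outside the application, for example with `curl -sI https://your-site.example/ | grep -i x-frame-options`, since a caching layer or the web server may add or strip the header independently of WordPress.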
SSO
10up Experience includes 10up SSO functionality. This feature can be enabled or disabled in Settings > General. It is enabled by default. There are some useful constants related to this functionality:
- TENUPSSO_DISABLE - Define this as true to force disable SSO.
- TENUPSSO_DISALLOW_ALL_DIRECT_LOGIN - Define this as true to disable username/password logins completely.
- SUPPORT_MONITOR_ENABLE - Overrides the setting to enable Support Monitor. Possible values: yes and no.
- SUPPORT_MONITOR_API_KEY - Overrides the Support Monitor API key setting.
- SUPPORT_MONITOR_SERVER_URL - Overrides the Support Monitor server URL setting.
Activity Log
The Activity Log tracks key actions taken by logged in users and stores them in Monitor. Note that no PII is stored. This feature can be disabled by defining TENUP_DISABLE_ACTIVITYLOG as true.
Logged Actions
- profile_update - Runs when a user profile is updated. Example log message: "User 1 profile updated."
- set_user_role - Runs when a user's role has changed. Example log message: "User 1 role changed from editor to administrator."
- updated_user_meta - Runs when certain user metadata has changed. Example log message: "User 1 meta updated. Key: nickname."
- user_register - Runs when a new user is registered. Example log message: "User 1 registered."
- deleted_user - Runs when a user is deleted. Example log message: "User 1 deleted."
- wp_login - Runs when a user logs in. Example log message: "User 1 logged in."
- activated_plugin - Runs when a plugin is activated. Example log message: "Plugin wordpress-seo is activated."
- delete_plugin - Runs when a plugin is deleted. Example log message: "Plugin wordpress-seo is deleted."
- switch_theme - Runs when the theme changes. Example log message: "Theme switch to twentytwentytwo from twentytwentyone."
- deleted_theme - Runs when a theme is deleted from the site. Example log message: "Theme twentytwentyone is deleted."
- updated_option - Runs when one of a specified set of core options changes. Example log message: "Option users_can_register is updated."
- added_option - Runs when one of a specified set of core options is added. Example log message: "Option users_can_register is added."
Filters
tenup_experience_logged_user_meta_changes
Filters the user meta keys whose changes should be logged.
tenup_support_monitor_logged_option_changes
Filters the option keys whose changes should be logged.
tenup_support_monitor_log_item
Filters whether to log a message.
tenup_support_monitor_max_activity_log_count
Filters how many log items to store. Items are stored in an array saved to the options table. Default is 500.
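The four filters above can be used together to make the bounded log capture the changes that matter for an incident review and skip the ones that do not. The following is added example code, not the plugin's own. It assumes the filters pass the values the README describes (an array of keys for the two `*_changes` filters, a boolean for `tenup_support_monitor_log_item`, an integer for the max count); the second `$message` argument to the log_item filter and the `session_tokens` key used as a noise example are assumptions made here.

```php
<?php
/**
 * Plugin Name: Activity Log tuning (added example mu-plugin)
 *
 * Example code, not part of 10up Experience. Filter argument shapes are
 * assumed from the README descriptions and should be checked against the
 * installed plugin version before use.
 */

// Log direct edits to capability meta. Role changes made through the API
// already produce a set_user_role entry, but a raw update_user_meta() call
// on the capabilities key would not, and that is how a privilege escalation
// via a compromised plugin or SQL access tends to look.
add_filter( 'tenup_experience_logged_user_meta_changes', function ( $keys ) {
	global $wpdb;
	$keys   = (array) $keys;
	$keys[] = $wpdb->prefix . 'capabilities';
	$keys[] = $wpdb->prefix . 'user_level';
	return array_values( array_unique( $keys ) );
} );

// Options whose silent change usually means a takeover attempt or a broken
// deployment: site address, admin contact, default role for new signups.
add_filter( 'tenup_support_monitor_logged_option_changes', function ( $options ) {
	return array_values( array_unique( array_merge( (array) $options, [
		'siteurl',
		'home',
		'admin_email',
		'default_role',
		'users_can_register',
	] ) ) );
} );

// Drop a known-noisy entry so the bounded log keeps room for real events.
// The $message argument is an assumption for this example.
add_filter( 'tenup_support_monitor_log_item', function ( $should_log, $message = '' ) {
	if ( is_string( $message ) && false !== strpos( $message, 'Key: session_tokens' ) ) {
		return false;
	}
	return $should_log;
}, 10, 2 );

// Keep twice the default 500 entries on a busy multi-author site.
add_filter( 'tenup_support_monitor_max_activity_log_count', function ( $count ) {
	return 1000;
} );
```

Because the log is a single option-table array with a hard cap, raising the count trades a larger autoloaded option for longer retention; anything older than the cap is gone, so forward the entries to Monitor or an external log store if you need retention beyond that window.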
Constants
TENUP_DISABLE_ACTIVITYLOG
Define TENUP_DISABLE_ACTIVITYLOG as true to disable Activity Log.
Environment Indicator
To enhance user awareness and minimize the risk of making unintended changes, 10up Experience includes a visual indicator integrated into the admin bar. This feature clearly displays which environment (e.g., development, staging, production) the user is currently working in.
Comments
10up Experience includes a feature to disable comments across the site. This feature can be enabled or disabled in Settings > General. It is disabled by default.
On top of disabling the comment form, this feature removes the following:
- Comments from the admin menu.
- Comment blocks from the post editor.
- Comments from the admin bar.
Constants
TENUP_DISABLE_COMMENTS
Define this as true to force disable comments or false to enable comments from a config file.
Setting this constant will disable the UI for enabling/disabling comments in the admin.
Filters
tenup_experience_disable_comments
Filters whether to disable comments. Default is false.
Defining this filter will disable the UI for enabling/disabling comments in the admin.
tenup_experience_disable_comments_disallowed_blocks
Filters the list of blocks that should be disallowed when comments are disabled. This is useful when core adds new blocks that aren't covered by the default list.
The default list of disallowed blocks is:
- core/comment-author-name
- core/comment-content
- core/comment-date
- core/comment-edit-link
- core/comment-reply-link
- core/comment-template
- core/comments
- core/comments-pagination
- core/comments-pagination-next
- core/comments-pagination-numbers
- core/comments-pagination-previous
- core/comments-title
- core/post-comments
- core/post-comments-form
- core/latest-comments
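Rather than extending the list by hand each time core ships a new comment block, the list can be derived from the block registry. The following is added example code, not part of 10up Experience; it uses the core `WP_Block_Type_Registry` API and assumes the filter runs after core blocks have been registered (on or after `init`). If it runs earlier the registry is empty and only the plugin's default list is returned, so verify the timing on your install.

```php
<?php
/**
 * Plugin Name: Comment block discovery (added example mu-plugin)
 *
 * Example code, not part of 10up Experience. Every block in the default
 * disallow list above has "comment" in its name, so matching registered core
 * blocks on that substring covers the defaults and any later additions.
 */
add_filter( 'tenup_experience_disable_comments_disallowed_blocks', function ( $blocks ) {
	$blocks = (array) $blocks;

	$registered = WP_Block_Type_Registry::get_instance()->get_all_registered();
	foreach ( array_keys( $registered ) as $name ) {
		// Only core blocks: third-party blocks with "comment" in the name may be unrelated.
		if ( 0 === strpos( $name, 'core/' ) && false !== strpos( $name, 'comment' ) ) {
			$blocks[] = $name;
		}
	}

	return array_values( array_unique( $blocks ) );
} );
```

Keep the plugin's default list in the returned array (as the code does by appending to `$blocks`) so that a block which is unregistered on a given request is still blocked by name.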
Support Level
Active: 10up is actively working on this, and we expect to continue work for the foreseeable future including keeping tested up to the most recent version of WordPress. Bug reports, feature requests, questions, and pull requests are welcome.
Changelog
A complete listing of all notable changes to the 10up Experience Plugin is documented in CHANGELOG.md.