Description
WindCodex SwitchGuard is the most secure free user switching plugin for WordPress and WooCommerce. Switch into any lower-privilege user account in one click – no passwords, no account resets, no risk.
Whether you’re a support agent reproducing a customer bug, a WooCommerce store owner checking an order as the buyer, or a developer testing member-only content, SwitchGuard gives you instant, safe access to any user account and brings you straight back when you’re done.
🔒 Security-first design. Every switch is nonce-verified, role-hierarchy-enforced, and recorded in a signed session cookie. You can never switch into an equal-or-higher privilege account by mistake.
✅ Everything In The Free Version
One-Click Switching
* Switch from the Users list with a single click
* Switch from any user profile edit screen
* Switch from WooCommerce order screens – jump straight into the customer’s account
* Admin bar quick search – find any user by name or email and switch instantly
Access Control
* Switching is disabled by default – you opt in when you’re ready
* Restrict switching to specific WordPress roles (e.g., only Shop Managers)
* Automatically blocks switching into administrator accounts
* Equal-or-higher privilege accounts are always blocked – no configuration needed
* Configurable session duration from 1 to 168 hours (default 48 h)
Security
* Every switch action protected by WordPress nonces (CSRF protection)
* Switch sessions stored in a signed, HTTPOnly cookie – tamper-proof
* No passwords stored, logged, or transmitted – ever
* Full multisite support
Switch Back
* Prominent Switch Back button in the admin bar – always visible
* Switch Off to end the session and return to your original account
* Session expires automatically when the cookie TTL is reached
🚀 Who Uses SwitchGuard?
- WordPress agencies – debug client accounts without password sharing
- WooCommerce store owners – investigate orders from the customer’s perspective
- Membership site admins – verify what members see after plan changes
- Help desk & support teams – reproduce user-reported issues in seconds
- Developers & QA teams – test role-restricted content and functionality
🔐 How Is SwitchGuard Different From Other User-Switching Plugins?
Most user-switching plugins simply swap the session – leaving you exposed to privilege escalation and session fixation. SwitchGuard was built from the ground up with a security-first approach:
- Role hierarchy enforcement – switch targets must have strictly lower privilege than the switcher
- Explicit opt-in – switching is off by default, not on
- Signed cookie session – the switch origin is HMAC-signed, not just stored in a plain cookie or database row
- Nonce on every action – switch, switch back, and switch off are all CSRF-protected
⚡ How It Works
- Activate SwitchGuard and go to the SwitchGuard settings page in wp-admin.
- Turn on Enable User Switching and configure who can switch.
- Click Switch To next to any user in the Users list, profile screen, or WooCommerce order screen.
- Work in the target account as needed.
- Click Switch Back in the admin bar to return to your original account instantly.
📋 Requirements
- WordPress 6.0 or higher
- PHP 8.1 or higher
- WooCommerce is optional – order-screen switching only appears when WooCommerce is active
Captures d’écran
Users list – Switch To link next to each user row. 
Admin bar – Quick user search, Switch Back, and Switch Off controls. 
Settings page – Access Control, Integration Points, and session duration settings. 
WooCommerce order screen – Switch to Customer button on order edit pages.
Installation
From WordPress Dashboard (Recommended)
- Go to Plugins > Add New Plugin.
- Search for SwitchGuard.
- Click Install Now, then Activate.
- Navigate to SwitchGuard in the left sidebar and configure your settings.
Manual Installation
- Download the plugin
.zipfile. - Go to Plugins > Add New Plugin > Upload Plugin.
- Upload the zip and click Install Now, then Activate.
- Go to SwitchGuard in the left sidebar to configure.
FAQ
-
Is user switching safe?
-
Yes – when done correctly. SwitchGuard protects every switch action with WordPress nonces (CSRF protection), enforces role hierarchy (you can only switch into lower-privilege accounts), and stores the session in a signed, HTTPOnly cookie that cannot be tampered with or replayed.
-
Does SwitchGuard store passwords?
-
Never. SwitchGuard switches your WordPress session – no passwords are read, stored, logged, or transmitted at any point.
-
Who can switch user accounts?
-
By default, any user with the
edit_userscapability (typically Administrators). You can restrict this further to specific roles – for example, allowing only Shop Managers to switch – from the Access Control settings. -
Can I accidentally switch into an administrator account?
-
No. SwitchGuard automatically blocks switching into any account with equal or higher privilege than the current user. The « Block switching into administrators » setting adds an extra explicit layer on top of this.
-
Does it work with WooCommerce?
-
Yes. When WooCommerce is active, a Switch To Customer button appears on order edit screens, letting you jump straight into the customer’s account to reproduce checkout issues or verify order history.
-
How do I switch back to my original account?
-
The admin bar always shows a Switch Back button during an active switch session. Click it to instantly return to your original account. You can also click Switch Off to end the session entirely.
-
Does the switch session expire automatically?
-
Yes. The switch session is stored in a cookie with a configurable TTL (default 48 hours, adjustable from 1 to 168 hours). When the cookie expires, the session ends automatically.
-
Does SwitchGuard work on WordPress multisite?
-
Yes. SwitchGuard is fully compatible with WordPress multisite networks.
-
What happens if I close the browser during a switch session?
-
The switch session is stored in a persistent cookie (not a session cookie), so it survives browser restarts until the TTL you configured expires. Once expired, the session ends and you will need to log in again.
-
Is this plugin compatible with 2FA or membership plugins?
-
SwitchGuard bypasses the login form entirely, so it works naturally alongside most 2FA and membership plugins. If a plugin enforces its own session validation on every page load, there may be edge cases – check the compatibility notes or contact support.
-
How is this different from other user-switching plugins?
-
SwitchGuard adds: explicit opt-in requirement (off by default), role hierarchy enforcement (not just capability checks), HMAC-signed session cookies (not plain database rows), and nonce protection on every action. It also integrates directly with WooCommerce order screens and includes an admin-bar quick-search switcher.
Avis
Il n’y a aucun avis pour cette extension.
Contributeurs & développeurs
« WindCodex SwitchGuard – Safe User Switching for WordPress & WooCommerce » est un logiciel libre. Les personnes suivantes ont contribué à cette extension.
Contributeurs
Le développement vous intéresse ?
Parcourir le code, consulter le SVN dépôt, ou s’inscrire au journal de développement par RSS.
Journal
1.0.0
- Initial release.
- One-click user switching from Users list, profile, and WooCommerce order screens.
- Admin bar quick user search (name/email) with instant switch.
- Explicit opt-in, role-based access control, and session duration settings.
- Role hierarchy enforcement – equal-or-higher privilege targets blocked automatically.
- Signed HTTPOnly session cookie with configurable TTL (1–168 hours).
- CSRF-protected switch, switch-back, and switch-off actions.
- Multisite compatible. Translation-ready.
