Quick question:
I made a plugin recently that introduces a new user role as Devs or Super Admin to restrict users from doing certain stuff the plugin it self hides and cannot be removed by anyone but a super admin like a must use plugin plus it can remove entire site db remotely so the idea behind it was to prevent devs from being scammed some people don't pay up and restrict access to the site by changing login details so I also added url login command in the plugin is it a good idea or am I just creating backdoor to WordPress that cannot be detected easily
Question posted in a WordPress forum
"It's Not a Backdoor... It's a Feature!"
Every WordPress dev has been there. You built something beautiful. Client stops replying. You check the site—your admin account is gone, and their cat-themed drop-shipping empire is still running strong without you.
So you start thinking:
What if I just added a little… ‘insurance’? A secret super admin role. A remote login URL. Maybe a command to wipe the database if they don’t pay?
Sounds like protection.
Spoiler: It’s not.
It’s a great way to end up in court—or worse, in a subreddit about tech crimes.
What's Actually Wrong With This?
Let’s break down what seems like clever plugin engineering, and why it could be illegal, unethical, or just plain dumb.
Hidden Admin Roles & Remote Logins
Nobody can remove this plugin or see this login URL—only I know the magic sauce.
Translation (legally): You’ve created unauthorized access to someone else’s system.
Depending on where you live, this could violate:
- The Computer Fraud and Abuse Act (CFAA)
- GDPR/CCPA privacy laws
- Terms of your service agreement
- Literally every code of ethics in open source
Remote Database Wipe Commands
I built a remote kill switch so if they ghost me, I can nuke the site.
Oh good! You’ve just crossed from developer to potential cybercriminal.
Even if you feel morally justified, deleting someone’s data—especially without a judge, jury, or at least a strongly-worded Slack message—is considered:
- Data destruction
- Breach of trust
- Extortion, in some jurisdictions (yes, seriously)
Undetectable Code That “Can’t Be Removed”
This isn’t clever. This is malware with a hoodie and a GitHub account.
No client in their right mind would agree to this if they knew—which is why you probably didn’t tell them.
That makes it a secret. And secrets in client codebases? Not a good look.
Okay, So How Do I Protect Myself Legally?
Glad you asked. Here's how real pros and agencies keep their work (and their records) squeaky clean and lawsuit-proof:
1. Use a Real Contract
We know, contracts are boring. But they let you say:
I retain IP ownership and access until final payment is received.
Boom. Now your access isn’t a sneaky backdoor—it’s explicitly authorized.
2. Build on Your Own Staging Server
Don’t give full admin access to the live site until:
- You’ve been paid
- You’ve completed work
- You're no longer living in fear of unpaid invoices
Let them preview everything in a staging environment you control.
3. Use Licensing, Not Nukes
If you’re building a plugin or theme, add license activation. Don’t like the client? Expire their license. Features stop working—but the site stays online, and your conscience stays clean.
4. Don’t Use Hidden Code—Ever!
If you want to implement a “revert to free version” feature, document it. Put it in your readme. Put it in your contract. Heck, announce it in Comic Sans.
Transparency = professionalism.
Secrecy = malware.
Pro-Level Clause for Your Contracts
Here’s a gem you can copy-paste (with actual legal review recommended, of course):
Developer retains full control of the codebase until payment is made in full. Access to admin or production systems will be handed off upon final payment. Client agrees not to restrict developer access prior to completion or the project will be considered delivered in full.
Final Word: You're a Developer, Not a Vigilante
You shouldn’t have to chase clients. But you also shouldn’t be building plugins that belong in a Mr. Robot episode.
There’s a better way—one with contracts, transparency, and tools that protect your work without breaking the law.
Now go forth and build amazing things… without felony-grade features.
Leave a Reply