Security Model
SwitchGuard is designed so that only users with the explicit edit_users capability can initiate switches. The security guarantees are:
- Nonce verification - All switch actions are protected by WordPress nonces.
- Capability check - edit_users is required; this is an admin-only capability by default.
- Role level check - You cannot switch to a user of equal or higher role level.
- HMAC-signed cookie - The origin user ID is stored in a signed cookie; it cannot be forged.
- 48-hour expiry - Switch sessions automatically expire after 48 hours.
⚠️ Any user with the edit_users capability can switch to lower-privileged users. On multi-admin sites, all admins have this power. Use Block Admin Targets to prevent admins from switching to other admins.
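
An added example, not SwitchGuard's own code, of how an HMAC-signed origin cookie with a 48-hour expiry can be issued and verified so that a tampered or stale value is rejected. The `id|expiry|mac` layout, the key and the function names are assumptions made for illustration.

```php
<?php
// Added illustration: cookie layout, key and function names are assumptions,
// not SwitchGuard's actual implementation.

const SWITCH_TTL = 48 * 3600; // 48-hour expiry from the list above

function sign_origin_cookie(int $originUserId, string $key, int $now): string
{
    $expires = $now + SWITCH_TTL;
    $payload = $originUserId . '|' . $expires;
    // The MAC covers both the user ID and the expiry, so neither can be edited.
    $mac = hash_hmac('sha256', $payload, $key);
    return $payload . '|' . $mac;
}

function verify_origin_cookie(string $cookie, string $key, int $now): ?int
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null; // malformed cookie
    }
    [$userId, $expires, $mac] = $parts;
    // Digit-only fields: rejects empty, negative or mixed values such as "7abc".
    if (!ctype_digit($userId) || !ctype_digit($expires)) {
        return null;
    }
    $expected = hash_hmac('sha256', $userId . '|' . $expires, $key);
    // Constant-time comparison avoids leaking the MAC through timing.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    if ((int) $expires < $now) {
        return null; // switch session has expired
    }
    return (int) $userId;
}

// Constructed sample values.
$key    = 'constructed-demo-key-not-a-real-secret';
$now    = 1700000000;
$cookie = sign_origin_cookie(42, $key, $now);

// Untampered cookie presented one hour into the session.
var_dump(verify_origin_cookie($cookie, $key, $now + 3600));
// Origin ID edited while the MAC is left unchanged.
var_dump(verify_origin_cookie(preg_replace('/^42\|/', '1|', $cookie), $key, $now + 3600));
// Untampered cookie presented after the 48-hour window.
var_dump(verify_origin_cookie($cookie, $key, $now + SWITCH_TTL + 1));
```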