Capability Check
A capability check verifies that the current user has permission to perform a specific action, using WordPress's role-based access control system via current_user_can().
How it works
WordPress assigns capabilities to roles (admin, editor, author, etc.). Before performing any privileged action, your code should verify the user has the appropriate capability. Common capabilities include manage_options (admin settings), edit_posts (content editing), and manage_woocommerce (WooCommerce admin).
In WordPress
Every AJAX handler, REST endpoint, and admin page should check capabilities. Nonces prove the request is intentional; capabilities prove the user is authorized. You need both.
Code example
if ( ! current_user_can( 'manage_options' ) ) {
    // Stop here: the current user lacks the capability required for admin settings.
    wp_die( 'Unauthorized' );
}
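A fuller version of the pattern the "In WordPress" section describes: an AJAX handler and a REST route that each pair a nonce with a capability check, so that neither an unintended request nor an under-privileged user gets through. This is an added example, not code from the original page; the acme_* hook, option and nonce names and the acme/v1 namespace are assumptions.

```php
<?php
// Added example (not from the original page). The acme_* names and the
// 'acme/v1' REST namespace are assumed for illustration.

// AJAX handler: wp_ajax_* hooks only fire for logged-in users, but "logged in"
// is not the same as "authorized", so both checks below are still required.
add_action( 'wp_ajax_acme_save_setting', 'acme_save_setting_ajax' );
function acme_save_setting_ajax() {
    // Nonce: proves the request was intentionally sent from our own form (CSRF defence).
    check_ajax_referer( 'acme_settings', 'nonce' );

    // Capability: proves the user may change settings. A nonce alone is not enough;
    // any logged-in user, including a subscriber, can obtain a valid nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Unauthorized' ), 403 );
    }

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'acme_setting', $value );
    wp_send_json_success( array( 'saved' => $value ) );
}

// REST route: permission_callback runs before the handler and must return true
// for the request to proceed. Never use '__return_true' on a privileged endpoint.
add_action( 'rest_api_init', function () {
    register_rest_route( 'acme/v1', '/setting', array(
        'methods'             => 'POST',
        'callback'            => 'acme_save_setting_rest',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'value' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function acme_save_setting_rest( WP_REST_Request $request ) {
    $value = $request->get_param( 'value' );
    update_option( 'acme_setting', $value );
    return new WP_REST_Response( array( 'saved' => $value ), 200 );
}
```

For the REST route, cookie-authenticated callers must also send the X-WP-Nonce header; WordPress verifies it before permission_callback runs, which is why the route body does not repeat a nonce check.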