WP HealthKit

Capability Check

A capability check verifies that the current user has permission to perform a specific action, using WordPress's role-based access control system via current_user_can().

How it works

WordPress assigns capabilities to roles (admin, editor, author, etc.). Before performing any privileged action, your code should verify the user has the appropriate capability. Common capabilities include manage_options (admin settings), edit_posts (content editing), and manage_woocommerce (WooCommerce admin).

In WordPress

Every AJAX handler, REST endpoint, and admin page should check capabilities. Nonces prove the request is intentional; capabilities prove the user is authorized. You need both.

Code example

// Abort the request unless the current user holds the manage_options capability
if (!current_user_can('manage_options')) {
    wp_die('Unauthorized');
}
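The "nonce plus capability" rule above, worked through for an AJAX handler and a REST route, as an added example that is not WP HealthKit's own code; the myplugin prefix, the option name and the nonce action are hypothetical placeholders:

```php
<?php
// Added example (not WP HealthKit's code). "myplugin", the option name and
// the nonce action "myplugin_settings" are hypothetical placeholders.

// Vulnerable: the nonce proves the request was intentional, but nothing
// proves the user is authorized. wp_ajax_* hooks fire for every logged-in
// user, so a subscriber-level account can change the setting.
add_action( 'wp_ajax_myplugin_save_settings_unsafe', function () {
    check_ajax_referer( 'myplugin_settings', 'nonce' );
    update_option( 'myplugin_api_endpoint',
        sanitize_text_field( wp_unslash( $_POST['endpoint'] ?? '' ) ) );
    wp_send_json_success();
} );

// Hardened: nonce (intent) AND capability (authorization) before any
// privileged state is touched. wp_send_json_error() exits the request.
add_action( 'wp_ajax_myplugin_save_settings', function () {
    check_ajax_referer( 'myplugin_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Unauthorized', 403 );
    }
    update_option( 'myplugin_api_endpoint',
        sanitize_text_field( wp_unslash( $_POST['endpoint'] ?? '' ) ) );
    wp_send_json_success();
} );

// REST: the capability check belongs in permission_callback. Core verifies
// the X-WP-Nonce header for cookie-authenticated requests before this runs,
// so the callback only has to answer "is this user allowed?".
add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/settings', array(
        'methods'             => 'POST',
        'permission_callback' => function () {
            if ( current_user_can( 'manage_options' ) ) {
                return true;
            }
            return new WP_Error( 'rest_forbidden', 'Unauthorized', array( 'status' => 403 ) );
        },
        'callback'            => function ( WP_REST_Request $request ) {
            update_option( 'myplugin_api_endpoint',
                sanitize_text_field( $request->get_param( 'endpoint' ) ) );
            return rest_ensure_response( array( 'saved' => true ) );
        },
        'args'                => array(
            'endpoint' => array( 'type' => 'string', 'required' => true ),
        ),
    ) );
} );
```

A route whose permission_callback is '__return_true' skips the authorization step entirely, which is the REST equivalent of the unsafe AJAX handler above.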

WP HealthKit checks for Capability Check-related vulnerabilities automatically
