#204 – Russell Aaron on the Hidden Settings Page You Never Knew Existed, options.php

Transcript

[00:00:19] Nathan Wrigley: Welcome to the Jukebox Podcast from WP Tavern. My name is Nathan Wrigley.

Jukebox is a podcast which is dedicated to all things WordPress. The people, the events, the plugins, the blocks, the themes, and in this case, the hidden settings page you never knew existed, options.php.

If you’d like to subscribe to the podcast, you can do that by searching for WP Tavern in your podcast player of choice, or by going to wptavern.com/feed/podcast, and you can copy that URL into most podcast players.

If you have a topic that you’d like us to feature on the podcast, I’m keen to hear from you and hopefully get you, or your idea, featured on the show. Head to wptavern.com/contact/jukebox and use the form there.

So on the podcast today we have Russell Aaron. Russell is a longtime WordPress enthusiast, power user since 2004, and developer since 2011. He’s organized WordCamp Las Vegas, played a key role in the Las Vegas WordPress meetup group for years, and is dedicated to helping beginners find their feet in the WordPress world. Support has been his main focus throughout his career, always keeping the needs of newcomers in mind.

If you’ve ever wondered about the lesser known corners of the WordPress admin, today’s episode will be right up your street. Russell introduces a hidden feature, the little explored options.php page, which is accessible from your site’s WP admin area. Many seasoned users, including myself, have never heard of it, but this page exposes the entirety of your WordPress options table in an editable format. We talk about what this page does, why it exists, and the ways it can be both helpful and hazardous.

Russell shares his own use cases, how it can be useful for plugin development and database management, but we also discuss concerns around its discoverability, and the risks of making changes without understanding the consequences.

It’s a short episode, but there’s a lot in here for anyone curious about WordPress’ inner workings, or eager to learn about hidden tools that most people don’t stumble upon. So if you fancy poking around behind the scenes, or have ever wondered what might be right under your nose in WordPress, this episode is for you.

If you’re interested in finding out more, you can find all of the links in the show notes by heading to wptavern.com/podcast, where you can find all the other episodes as well.

And so without further delay, I bring you Russell Aaron.

I am joined on the podcast by Russell Aaron. Hello Russell.

[00:03:02] Russell Aaron: Hello. Thank you.

[00:03:03] Nathan Wrigley: You are very welcome. I didn’t know Russell until just a few minutes ago, but we’ve probably spent, I don’t know, 20 minutes or so already, just shooting the breeze. And I’m getting to know you a little bit. But it’s an absolute pleasure to have you on the podcast today.

I put a tweet out, or whatever you call it on X these days, a couple of days ago, asking if anybody had an interesting topic. And what you are going to hear about today is what Russell came back with, and I had no idea this thing existed. So let’s get into that in a minute, but it’s very curious. Stay tuned.

But Russell, would you mind just telling us a little bit about your, what I now know is a long and storied history with WordPress. Just tell us all about yourself.

[00:03:40] Russell Aaron: Sure. My name is Russell Aaron. Nice to meet everyone. I’m a WordPress enthusiast and a fan, first and foremost. That is what keeps me coming back to WordPress every day. I’ve been a power user since 2004. I’ve been a developer since 2011. I organised WordCamp Las Vegas 2015 and then our meetup, I was a co-organiser from 2011 all the way up to 2018 or so. So I’ve been around, I’ve spoken at many WordCamps and stuff like that.

I’ve worked at all the places, all the things. I mean, you know, yet another WordPress developer shop is just like the plugins, yet another, whatever. But I’ve mostly been doing support for my entire WordPress career. And I always like to take things back, even though I’ve been using it for X amount of years, I still like to learn what it’s like to be a beginner walking into WordPress. Because no matter what, we always have beginners coming in and they need help. They need to be pointed, where to go, who to see. And I kind of own that side of the world when it comes to like what I do. I’m very beginner friendly.

[00:04:52] Nathan Wrigley: Do you still get the same excitement? I remember the first time I ever opened up WordPress, which was probably something like 2014, something like that. So I was definitely not right at the beginning. I was much later to the party than a lot of people. But I’d been using Drupal and Magento and things like that.

I remember getting really excited, like genuinely looking around thinking, oh, and it can do this. And then, you know, a week later, oh, and it can do this. And on and on that went. At some point, that level of curiosity, it never really left me, but I kind of managed to learn the things I needed to learn. But then that was just because I was doing stuff that I needed to do.

But if you’re in a role where you communicate with customers, presumably that’s a never ending conveyor belt of new things that you’re constantly having to learn, because some curious person comes up and says, I’ve broken it in this way, and you’ve got to figure all that out. So long question, but are you still excited about it?

[00:05:42] Russell Aaron: I’ve had this saying, and I say it every day when I sit down is, the hardest thing I have to do is log into WP admin. From there, I’ll figure everything else out. Make a backup is number one. Second thing is, the hardest thing I have to do is log into WP Admin. And you know what really gets me excited is, you know, you have a blog, I have a blog, and essentially we do the same thing, but underneath the hood, how we got to the same point, those are different paths. You use this caching plugin, I use this caching plugin. You use Yoast, I use Rank Math. So the different configurations and stuff like that, that’s what keeps me coming back. And that’s why I’m in support.

[00:06:22] Nathan Wrigley: Yeah, this almost kind of infinite permutations of ways that you can do WordPress. And I guess if you’re like me and you’re just using it on a few sites, that’s fairly trivial. But if you, like you, you’re having to support every possible permutation, oh.

Okay, so as I said, I went out on X and I suggested that if anybody would like to get in touch and put themselves on the WP Tavern Jukebox Podcast, fire me a message back. And very quickly Russell came to me with this. And I have no idea, I had no idea that this was even a thing.

Like I said, I’ve been using WordPress for over a decade. I didn’t know there was a page that you can navigate to, once you are logged into the WP Admin. So, okay, we’ve logged in, and then if you append options.php to the end of your WP admin URL, so example.com/wp-admin/options.php. Maybe pause the podcast. If you’re logged in, go there, click return, then move away from the keyboard.

[00:07:24] Russell Aaron: Yeah, don’t touch it.

[00:07:25] Nathan Wrigley: Don’t touch the keyboard. I didn’t know this existed. Tell us, what the heck is this?

[00:07:31] Russell Aaron: I mean, just like you, you know, I’ve been knee deep in WordPress and installing it when it was the famous five minute install, you know, and Custom Post Types before they were cool. And still, same thing is, it was something that was shown to me a very, very long time ago. But what I like to imagine is that WordPress, when it first got started, it was always user forward, so they wanted to show you either what was on the page or what was in the Post. And so options PHP, or wp-admin/options with an s, you have to add the s, but .php, it basically spits out your entire options table.

So from your database, it spits out your entire options table onto one page. And I mean, depending on how big your options table is, you can have a very small page or, you know, I’m still scrolling. I can doom scroll on my options page and just keep going. But it’s one of those things that I believe was there from the beginning to help you see maybe some information that’s in your database and then, you know, like you could tweak things. And then a database admin, or whatever tools you have on your host to see your database, you know, stuff like that came out. And I think it’s one of those legacy features that’s just always been there, but it gets ignored all the time.

[00:08:58] Nathan Wrigley: No kidding. I mean, basically I’m looking at, not a vanilla WordPress website, but I’m looking at a WordPress website with a third party block-based theme, and maybe four plugins. And the four plugins are not that heavy, as far as I’m concerned. But it says, so I navigated to that in that website. And the page is just entitled, all settings. And then underneath that is the warning. So I shall read that out because this is important.

[00:09:21] Russell Aaron: That should be giant H1. Like, I don’t know what a 235 pixel font looks like, it should be that.

[00:09:28] Nathan Wrigley: Blinking as well. It says, this page allows direct access to your site settings, you can break things here. Please be cautious. And then it’s just two columns. On the left it’s just the name of the key. And then on the other side, the value. And so it’s just a list of things on one side, a list of things on the other. Now obviously the key is uneditable. It just shows it to you. But more or less, now that’s not entirely the case, but more or less every value is editable, meaning that, I don’t know, if some of this was particularly important. Let’s start at the top. I’ve got the admin email. You know, if I change that I’m going to lock myself out if I don’t remember what I’m doing.

[00:10:07] Russell Aaron: Or emails are going to go to the wrong place.

[00:10:08] Nathan Wrigley: Emails are going to go to the wrong place. And then it goes down, and you’ve basically dumped yourself in the options table. So it’s like you’re in, I don’t know, some sort of database manager, phpMyAdmin or something like that. But there it is inside of WordPress.

Now you mentioned it’s probably a legacy. Do you think it should be here anymore? Because so much of this is exposed in such an easy to fiddle way, that it strikes me that somebody could easily go in here, not really know what they’re doing, amend something, delete something, click return, and bork the website entirely.

[00:10:43] Russell Aaron: I mean, it’s not a bad idea. If you have a database plugin and it’s active, and for whatever reason that lets some kind of intrusion in, yeah, somebody could get into that information and start wreaking some havoc. And so it would be one of those things where, maybe it should be optionable or maybe it should be stepped into a plugin itself.

But I mean, I’m also not against it either. For what it’s done, I’ve never really heard of this page being the cause for whatever malware or whatever Core file is being overwritten. Like it’s usually, knock on wood, it’s usually a plugin that allowed some kind of intrusion or just a bad code that allowed something, and it’s never really been like, well, this site was hacked and it went to this file.

So it seems to be okay. But it’s probably, what I would say is it’s the biggest difference. Because like when you write a plugin and you submit it to wordpress.org, they’re going to go through it with a fine tooth comb and they’re just going to make sure that things are working. They want a tool tip or they want some kind of explanation of like, what this field does. But you go here to this page and it’s just kind of key, pair, and it doesn’t say like, well, this value comes from here, or changing this. Like, there’s no information on it whatsoever, you know? It’s one of those things where like, I see WordPress has a default standardisation of how they want things done, but then you come to this page and none of it’s there.

[00:12:14] Nathan Wrigley: Yeah, so as an example, so if you scroll down, I’ve just literally scrolled down and there’s hundreds and hundreds of entries. And I’ve ended up at fresh_site. Now that has zero, a value of zero. I have no idea what that does. I don’t know what would happen if I turned the zero into a one, but there it is. Right above it is finished updating comment type. That’s got a one. And you are right, there’s absolutely no text in any of the fields to give you any indication.

[00:12:43] Russell Aaron: Other than like site URL like, you know, you kind of know what that is. But everything else, yeah. Unless you kind of know what that key, or what that pair is supposed to be, yeah, you really have no idea.

[00:12:53] Nathan Wrigley: And there’s no way of knowing that other than presumably going out and finding it. And so that in itself is quite curious. Just the idea that this entire list of things doesn’t give you some sort of helping hand to kind of say, okay, this one in particular, be mindful of this one. This one’s very important, or at least, here’s what it does. There’s none of that. So it’s just curious.

[00:13:13] Russell Aaron: Well, I mean even with the Core post types that come with the Core install, they have that documented. I think there’s seven now, Core post types. And out of seven of those, three are hidden, you know? You have the menu stuff. And even that, I wouldn’t expect it, but I would say that when you install just a very basic install WordPress, you set it up for the first time, no themes, no plugin, you just spun it up.

At least that page should say all the default stuff that’s there. When the database gets created, wp-options table is created, these values go in. I would maybe hope that a default thing of just says like, this is a default field, or this is a default option that gets installed and here’s what it does. But again, there’s just none of that.

[00:13:59] Nathan Wrigley: No, no. So again, caveat emptor. Right at the top, obey the warning. Don’t modify anything in here.

[00:14:04] Russell Aaron: Right. Mind the gap, that’s for sure.

[00:14:06] Nathan Wrigley: Well, I say don’t modify anything. Presumably it’s there so that things can be modified. And so I guess my question to you is, you’ve brought this to my attention, have you found a use for this? Have you ever been in there and, is it like a daily thing that you are fiddling with? What’s the purpose?

[00:14:22] Russell Aaron: I can tell you my use case. And I think for me, it’s not being lazy, but I don’t want to have a SQL program running on my computer, or I don’t want to have phpMyAdmin up, and I have to refresh and go to page two to find my option or whatever. What I like is that I have been rebuilding some of my plugins. And some of my plugins set options. And so when you deactivate my plugin, I have an uninstall.php file that should remove information from the database, right?

So that’s where I go to check, is my plugin doing its job? Well, let’s go look for this option name. And if I uninstalled and deactivated my plugin and it’s fully gone, but I still see whatever option name, I know my uninstall PHP file didn’t do its job. That’s the biggest use case I have.

I have a local site for everything that I develop, like my personal website, I have a local site. All my .org plugins, I have a local site for that where I do development. And that’s the same thing is, I use that option thing and okay, did I set my option? Do I see it? Okay, there it is. Here’s what I see it in the database. Here’s what I can query against. Like, it gives you all that information. All you have to do is one refresh. You don’t have to rebuild your database or go searching through it in like a MySQL kind of program. It’s all just spit out there and you really just, you know, find search and stuff like that. That’s my use case for it.

[00:15:58] Nathan Wrigley: Yeah, there’s no search or filter anything in there. You would have to use the browser search to find the thing that you need. But that’s a really interesting use case of it. And also, thank you for having that feature in your plugins whereby you actually remove the data in the database that, obviously, at the point of uninstall is no longer required. I know why people leave that stuff there, but also it’s quite nice that you make it so that it doesn’t remain.

[00:16:21] Russell Aaron: That’s one of those interesting arguments. If I accidentally deactivate WooCommerce, I don’t want my stuff gone. So that shouldn’t have it, but my tiny little plugin that I built for a contest 10 years ago, it should probably remove its stuff.

[00:16:34] Nathan Wrigley: So obviously you can see that, but again, there’s no way of searching for things. You’d have to manually search through the browser and what have you. Now, the curious thing is, I’ve never stumbled across this, and I’ve clicked every single link in a WordPress install. There’s no doubt I’ve clicked every link multiple times over and over again. Presumably this is not linked from anywhere within the WP Admin at all. And yet when you land on it, the sidebar, the WP admin sidebar ends up at settings, so the settings is highlighted.

[00:17:05] Russell Aaron: And settings is expanded.

[00:17:08] Nathan Wrigley: Settings is expanded, but it’s not, you know, it’s not a child item which suddenly appears. It’s just settings. So is that true? It’s not linked anywhere.

[00:17:15] Russell Aaron: Not that I have found anywhere. Other than people like you and me talking about this, it’s not very spoken about. It’s kind of one of those things where if you know then you know, or if somebody like myself is a developer, they can say, oh yeah, hey, there’s this other thing. But other than that, I mean, it tends to be skipped over from a beginner perspective.

Like you said, you’ve been using WordPress for 10 plus years at least. Never been there before. Didn’t even know this thing existed. Now you’re kind of like, what else is there that I don’t know.

[00:17:48] Nathan Wrigley: That is exactly where my head has gone, is what else is there that I don’t know about? You know, other curious things that are there.

[00:17:53] Russell Aaron: Is there a gold pot at the end of the rainbow? We don’t know.

[00:17:57] Nathan Wrigley: Yeah, some little Easter egg that I never spotted that’s somewhere buried in a menu. Yeah, that would be kind of cool.

[00:18:01] Russell Aaron: What if you go to that page and there’s a coupon code for Gravity Forms and it says like, free updates for life because you visited here.

[00:18:09] Nathan Wrigley: Yeah, that’s a great idea. Yeah, okay, so developers hijack this page and add those. No, don’t. Don’t do that. But you were saying earlier that the fact that nobody is really talking about it, I suppose that leads us into the idea that, it’s not really a problem. If this was exposing problems that, let’s say for example, I don’t know, hackers were leveraging, I don’t know quite how they would do that, but you know what I mean. Then presumably this would’ve been pulled out years and years ago because it would be easy to remove this. But presumably it doesn’t have a great attack surface. It’s not widely known about. This is the first time I’ve heard about it, so there it is. It’s going to stay, I presume.

[00:18:47] Russell Aaron: I always make the joke that it’s the largest form in WordPress.

[00:18:51] Nathan Wrigley: Yeah, it really is.

[00:18:53] Russell Aaron: I mean, that’s all it is. It’s a giant form that pulls data. And, you know, you can hit save at the bottom. So it’s the biggest non Gravity Form that you can have in WordPress.

[00:19:03] Nathan Wrigley: Do you know if it’s possible for, so for example, the site that I’m logged into, I am an administrator. That’s the account that I’ve got. So the level of permissions is equal to administrator. I’m wondering how far this goes down. So, for example, I don’t know, if I’m a contributor or a subscriber or an editor, I’m guessing that this wouldn’t be available, but I don’t know if you know the answer to that.

[00:19:24] Russell Aaron: It’s only, you have to have the manage options permission, which I think is tied to administrator, and I think that’s about it.

[00:19:32] Nathan Wrigley: So in that sense it is also, I suppose, fairly secure because it’s hidden behind an administrator account. And by the time an administrator account.

[00:19:41] Russell Aaron: If logged in and administrator is true, yeah.

[00:19:43] Nathan Wrigley: Right. So you can more or less kill the site if you wish to, of your own volition by going to the, and I’m doing air quotes, the normal settings anyway.

[00:19:51] Russell Aaron: At that point, you can’t complain. You’re an admin. You did it yourself, you know.

[00:19:54] Nathan Wrigley: Do you know if, this isn’t something curious that sort of hopped in like the last five years, six years, something like that? Do you know if this has a history which goes back right to the beginning of WordPress?

[00:20:06] Russell Aaron: I would be curious to go figure out when this file was introduced. I want to say, like, if I had to guess, I think it’s at least in 2.0. It might go further back. 2.3 is when I started using WordPress. So I mean, as far as I know, I think it’s that far, but I haven’t actually dove back to see like, when it was introduced.

[00:20:28] Nathan Wrigley: Have you ever used it and killed a site accidentally?

[00:20:33] Russell Aaron: Yes.

[00:20:33] Nathan Wrigley: Oh, you have. Oh, go on, tell us. What did you do?

[00:20:35] Russell Aaron: So, I see this argument all the time where it is, you know, too many plugins slow your site down or whatever. There’s actually an option in your database and it, you know, when you activate a plugin, there’s this wide array, it says akismet-1, so it’s active. And then it says jetpack-0, so it’s not active.

And so it tells you what’s an active plugin and what’s not. And I’ve gone in there and I’ve thought, oh, I’ll just change this value or, can I activate a plugin just by changing this value? And it’s one of those things where, whoops, probably forgot a comma or forgot a period somewhere. I mean, it’s very finicky. I mean, it’s the same thing as editing your database. If you go in there and you make a mistake in your database, it’s going to blow up the site. Same thing with this.

[00:21:30] Nathan Wrigley: Yeah, the curious thing about the database, I suppose though, is that obviously not many inexperienced people presumably would be given an administrator account. So there’s that.

[00:21:38] Russell Aaron: Hopefully.

[00:21:38] Nathan Wrigley: But also they’re never, well, okay, alright. Yeah, I’ll take that back immediately. Well, okay, in an ideal world, an administrator account would not be given to somebody inexperienced. Plus the fact that almost nobody, until now, knew that this whole thing existed. And I bet I get loads of emails saying, we’ve known about this, Nathan, forever. It’s just you that didn’t know about it.

[00:21:59] Russell Aaron: No, this is one of those things where like, you show up to WordCamp US and it’s like, what do you know that I don’t know? And you go, have you ever been to options.php? And then people are like, wait, what? It’s one of those things where like, look at the big brain on Russ, it’s one of those kind of things.

[00:22:16] Nathan Wrigley: There’s a cabal of just me and you now, and then anybody who’s listened to this podcast. But also, the inexperienced user, presumably wouldn’t have the access to the tooling to use a database tool. So that’s why I find this so amazingly curious, that essentially you’ve just completely listed out everything in an editor. I mean, I could understand it if it just showed what the content of that.

[00:22:37] Russell Aaron: Just read only?

[00:22:37] Nathan Wrigley: Right, just show what it is and then you could go into a database tool and amend it if you needed to. But the fact that almost everything is editable and saveable, that is the bit that I find so curious.

Do you know of other things like this, or is this the only one? What I mean by that is, any curious, hidden Easter egg, strange things inside of WordPress, or is this the one and only?

[00:22:59] Russell Aaron: Sure, sure. I mean, as far as I know, I mean there’s other block visibility controls and stuff like that, that aren’t really displayed anywhere. It’s not like you can make those adjustments. But I mean, as far as I know, you know, like that’s all controlled by either the code in a plugin, or by a Core file, or it’s in the options. So I mean, you have both worlds right here. You have a Core file in WordPress showing you your database. This is kind of where it all is.

I would also say that I’ve spent many moons looking for my Gravity Forms license or, why is this not updating or whatever? And this is one of those things where, if you’re looking in a database, it’s all kind of black and white, squished, and it’s like tiny little tables that are off color. At least with this, there’s a margin, there’s some padding around things, there’s some gaps. So it’s kind of more user friendly than a database would be.

[00:24:00] Nathan Wrigley: Actually that’s a curious way of thinking about it, isn’t it? Because you’re right. If you do go into.

[00:24:05] Russell Aaron: You go into phpMyAdmin you’re kind of like.

[00:24:07] Nathan Wrigley: It’s not pretty. There are definitely some tools that you can have that make a database a pleasure to look at, but most of the ones that we’re all familiar with, that we use day in, day out, you’re right, they’re hard to use. Also, they have curious dropdowns and inadvertently, you click return on something and suddenly you’ve dropped the table entirely, and we’re in a bit of trouble. So this is at least easy to see.

I think we’ve probably used up all the oxygen in terms of this. I’m going to encourage you to go and have a poke around.

[00:24:34] Russell Aaron: It’s multi-site as well too, so if you go to a multi-site, you can’t see, like if you go into the backend, it’s per site. So it’s not every database option for the multi-site. But if you go into just the actual network site, yeah, then you could see all that there.

[00:24:50] Nathan Wrigley: So I’m going to encourage people to go and have a little poke around, but I’m also not going to encourage you, don’t fiddle with anything. Just leave every single field exactly as you saw it. It’s example.com, so your domain.com, whatever that would be /wp-admin/options, with an S so plural php.

Go and have a look, and I’d be very curious, if you’ve got anything that you think is interesting in there, or indeed you’ve also found something in the same way that Russell has which is unexpected and unknown. I’d be very curious to hear about that, and maybe we can get you on a podcast episode as well.

So, Russell, thank you so much for enlightening me. What a peculiar episode that was. I really appreciate it.

[00:25:30] Russell Aaron: I appreciate you putting it out there. Like, blow my mind, what do you have? And I’m glad that I can at least register that in some sort of way.

[00:25:38] Nathan Wrigley: There’s always something new, and this definitely was something new. Thank you, Russell.

[00:25:41] Russell Aaron: Thank you.

On the podcast today we have Russell Aaron.

Russell is a long-time WordPress enthusiast, power user since 2004, and developer since 2011. He’s organised WordCamp Las Vegas, played a key role in the Las Vegas WordPress Meetup group for years, and is dedicated to helping beginners find their feet in the WordPress world. Support has been his main focus throughout his career, always keeping the needs of newcomers in mind.

If you’ve ever wondered about the lesser-known corners of the WordPress admin, today’s episode will be right up your street. Russell introduces a hidden feature, the little explored options.php page, which is accessible from your site’s wp-admin area. Many seasoned users, including myself, have never heard of it, but this page exposes the entirety of your WordPress options table in an editable format.

We talk about what this page actually does, why it exists, and the ways it can be both helpful and hazardous. Russell shares his own use cases, how it can be useful for plugin development and database management, but we also discuss concerns around its discoverability, and the risks of making changes without understanding the consequences.

It’s a short episode, but there’s a lot in here for anyone curious about WordPress’ inner workings or eager to learn about hidden tools that most people don’t stumble upon.

So, if you fancy poking around behind the scenes, or have ever wondered what might be hiding right under your nose in WordPress, this episode is for you.

Useful links

Russell on WordPress.org

Russell on X

Russell on LinkedIn

