Advanced Access Manager Next Generation

Note! AAM 6.x.x is a major release that may not be compatible with some of the features and access settings defined in AAM 5 or earlier versions. For more information, please check the “Breaking Changes” section.

Advanced Access Manager has come a long way. Since the beginning of 2011, it has gone through a lot of transformations. Like any other software start-up that does not yet know how to build its product, we’ve made a decent number of mistakes along the way. To be honest, we did not even think about AAM as a business or start-up. It was a side gig until the middle of 2018, when we realized that this plugin has great potential and, at the very least, should be taken seriously considering the number of sites that actively use it.

This is where we committed to bringing affordable, enterprise-level access, compliance, and security controls into the hands of WordPress users. It took us over 8 months to completely rethink and rewrite the entire AAM core functionality and premium add-ons, and finally the stable AAM version 6.0.0 is here. You can download it from the official WordPress repository by following this link.

The remaining part of this article covers our main motivation for this major release, the non-negotiable aspects of the new AAM functionality, what is new, and what was removed.

Motivation

This is one of the most common trends that we observe among software start-ups: they keep adding new features to the point where it becomes really hard to give a one-sentence definition of the product. This happened to AAM. Over the years we added several hundred different features. Some were documented, others not so much. So the time came to determine one thing: “What is AAM?”.

Finally, we’ve defined AAM as: “Enterprise-level WordPress solution for the authentication, authorization and monitoring purposes.” In other words, AAM is a suite of tools for user/application login (authentication), access management (authorization), and user activity tracking (monitoring). This brings together the complete set of features that any website master needs to enhance security and data integrity.

AAM Becomes The Enterprise-Level Solution

It is easy to claim in marketing pitches that a product is an enterprise-level solution. It is extremely difficult to actually build one. Most of the time it is not about a fancy user interface or great marketing copy, but rather a well-defined SDLC (software development life-cycle), backward compatibility, test automation, and solid documentation.

Starting with AAM 6.0.0, you should expect the following changes to the AAM operational flow:

  • Detailed Changelog. All changes, even minor ones, will be documented together with the reasons for them;
  • Unit Test Automation. This improves the plugin’s stability and significantly reduces the number of bugs;
  • Security Scans Automation. AAM 6.0.0 already uses SonarQube and CodeRisk for code quality and security scans. We are evaluating a few more security partners to improve AAM’s security posture;
  • Office Hours. A periodically scheduled online meet-up, possibly once or twice a week, to answer questions;
  • Documentation as a “First-Class Citizen”. AAM already has close to 400 individual articles, and they will be kept up-to-date and accurate;
  • Automated Migration. Any settings that are not compatible will be converted or deprecated automatically by migration scripts;

Non-negotiable

Because so many websites already put a lot of trust in AAM, security and transparency have become the two core aspects of AAM’s functionality. This comes with a few non-negotiable boundaries that we are committed to obeying in the base AAM plugin (some may not apply to add-ons or third-party plugins that enhance AAM functionality).

  • AAM does not create new or alter existing website database tables;
  • AAM does not read any files outside of the AAM plugin’s folder;
  • AAM does not create, write to, or delete any files or folders on the server;
  • AAM does not capture or send externally any information about how it is used;
  • AAM does not capture or send externally any information about a website server. The only exception is a website domain that is assigned to a premium license during activation;
  • AAM does not integrate with any other plugins directly;
  • AAM does not impersonate or swap user login sessions. All the authentication is handled by WordPress core where AAM may provide only verified and trusted information as means of authentication;
  • AAM does not include advertisement of any kind (no banners, cross-sales pitches or affiliate links);

What’s new about 6.0.0?

The biggest change to AAM comes with splitting the big, monolithic AAM version 5 into smaller, independent, modular services that are well-documented, well-tested (with test automation), and that provide fine-tuned control, flexibility, and confidence to website masters.

AAM Services List

This way, a website master has the ability to enable only the features that are essential for the website and disable the others. This helps to keep a website leaner and, in some cases, faster.

Another major change has been made to the way AAM propagates access settings down the hierarchical chain (e.g. from a role to a user). To avoid overwhelming this article with technical details: AAM now has a much more flexible and scalable way to define access settings for any WordPress resource. To learn more about access settings inheritance, please refer to the AAM Access Settings Inheritance Mechanism.

Substantial improvements were made to the Posts & Terms service, which we completely refactored to match 100% how WordPress core manages relationships between posts, terms, and taxonomies. There is no longer a separation between the Backend, Frontend and API levels, because everything is moving toward one cohesive RESTful API.

Posts & Terms Access Control

Last but not least, all AAM-related access settings have been consolidated into one database record. Previously, access settings were stored in the wp_options, wp_usermeta and wp_postmeta tables and fetched on demand. With the new approach, AAM requires, on average, 2 database queries per request.

What has been removed?

We take the plugin’s security and the non-negotiable items mentioned above very seriously. That was the main driving factor in saying goodbye to some long-standing features.

AAM is no longer allowed to change the filesystem on the server, which means that all AAM extensions have been converted into regular WordPress plugins. We started the migration process over eight months ago; more details can be found in the “AAM Extensions Become Plugins” article.

AAM is no longer allowed to read any physical files outside of the AAM plugin’s directory, which means that the media access control feature has been removed from the AAM core. We released a free add-on that extends AAM with a more secure way to manage physical access to files.

AAM is no longer allowed to impersonate or swap user login sessions, which means the nice “Switch To User” action is no longer available on the “Users/Roles Manager” panel. This feature has been removed in favor of the free User Switching plugin written by John Blackbourn & Contributors.

Because the WordPress core XML-RPC functionality is very old and appears to be no longer maintained, AAM no longer has the ability to manage access to individual XML-RPC procedures. However, there is still the ability to completely disable this WordPress core feature in the Settings Area.
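For readers who want to see what “completely disable XML-RPC” means at the WordPress-core level, the following must-use plugin is an added example; it is not AAM code, and it does not claim to be how the AAM settings toggle is implemented (that is an assumption left unstated by the article). It relies only on hooks that exist in WordPress core: the `xmlrpc_enabled` and `xmlrpc_methods` filters, the `xmlrpc_call` action, the `wp_headers` filter and the `rsd_link` head action.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example, not part of AAM)
 *
 * Place this file in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Tell WordPress core that XML-RPC is disabled. Core then rejects every
// procedure that requires a login with fault 405 "XML-RPC services are
// disabled on this site." Procedures that do not authenticate (for example
// pingback.ping and system.listMethods) still execute, hence the next filter.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Remove the unauthenticated procedures a site without pingbacks or batched
// calls has no reason to expose. The remaining methods are harmless to list.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'], $methods['system.multicall'] );
    return $methods;
} );

// Record every procedure call that still reaches the server. The
// 'xmlrpc_call' action fires with the method name before the procedure runs,
// so the PHP error log (or WP_DEBUG_LOG) shows who keeps probing xmlrpc.php.
add_action( 'xmlrpc_call', function ( $method ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'xmlrpc attempt: method=%s ip=%s', $method, $ip ) );
} );

// Stop advertising the endpoint: drop the X-Pingback response header and the
// RSD <link> tag in the page head, both of which point clients at xmlrpc.php.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
```

To verify the change, POST a `system.listMethods` request to `/xmlrpc.php` and confirm that `pingback.ping` and `system.multicall` are absent from the response, then try any `wp.*` procedure and confirm it returns the 405 fault; each attempt also appears as an `xmlrpc attempt:` line in the error log.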

Because AAM is no longer allowed to add any physical files to a server, the Import/Export feature has been removed in favor of Access Policy. Under the hood, WordPress core actually creates a physical file that persists the imported settings.

Breaking Changes

Like any other major software release, AAM 6.0.0 is not free of breaking changes. Several features do not work the same way as in older AAM versions; most of them are listed below. We did our best to keep the AAM migration as smooth as possible. However, it is nearly impossible to do that 100% safely, so please validate on your end and keep us posted on anything you find.

  • Media Library Access. This feature was removed from the core AAM plugin and introduced as a separate stand-alone free WordPress plugin. For more information, please check the How to manage access to WordPress media library article.
  • JWT Feature. Several breaking changes have been introduced to the API endpoints. For more information, check the Ultimate guide to WordPress JWT authentication article.
  • Posts & Terms Options. We completely rewrote this feature to be 100% compatible with WordPress core. Some of the access options have been renamed and consolidated. There is no longer a separation between the Backend, Frontend and API levels due to the rapid migration of WP core to a RESTful API.
  • AAM Capabilities. All the custom capabilities that AAM supports have been renamed and prefixed with aam_. Double-check all available AAM capabilities on the Plugin Reference page.
  • Secure Login Shortcode. The secure login shortcode that renders the login form has been removed. We kept only the Secure Login widget.
  • ConfigPress Options. The majority of the ConfigPress options have been renamed or removed. Please double-check your setup and contact us for assistance if needed. To get the list of all documented options, please check our Plugin Reference page.
  • Access Policy Refactoring. Some access policies may not work as expected because we completely rewrote the entire plugin. Refer to the Access Policy Reference Page to verify that your resources and actions are defined properly. Contact us if assistance is needed.
  • Import/Export Feature is Removed. Due to the non-negotiable rules, this feature has been removed. We encourage you to build a collection of access policies that enhance your website’s security and compliance.

Things that are still under development

For the next few months, we are going to work on the following items as part of our commitment:

  • E-Commerce Add-On. AAM 6.0.0 completely changes the way it works with all existing extensions and premium add-ons. E-Commerce is currently compatible only with AAM version 5, and we are rewriting it to be enhanced with more features. It is currently estimated to be delivered by mid-December;
  • User Activity Monitoring. This is one of our biggest targets for the next 2-3 months. It is going to be available as a free WordPress plugin with an opt-in option for our SaaS solution. More details are coming later;

Conclusion

AAM today is already a well-recognized solution for the WordPress CMS. It is actively used by a very large number of websites, including really big international corporations, governments around the world and highly regulated industries. That alone speaks about the great value proposition that AAM provides.

This was the main reason we completely revised the entire plugin’s implementation (over 200 files and more than 1.5 million characters of code) to meet high quality and security standards.

AAM 6.0.0 is just the beginning of a new generation of access, security and compliance tools that will change the way people manage WordPress websites. We strongly believe in our vision, and we take it one day at a time to deliver on our commitments.
