
10up/10up-experience
====================

The 10up Experience plugin configures WordPress to better protect and inform clients, aligned to 10up's best practices

Version 1.18.0, licensed GPL-2.0-or-later. [Source](https://github.com/10up/10up-experience), [Packagist](https://packagist.org/packages/10up/10up-experience), [25 issues](https://github.com/10up/10up-experience/issues), [5 PRs](https://github.com/10up/10up-experience/pulls).

10up Experience Plugin
======================

> The 10up Experience plugin configures WordPress to better protect and inform our clients, aligned to 10up’s best practices. It is not meant as a general-distribution plugin and does not have an open development process, but is available for public perusal.

Requirements
------------

- PHP 7.2+
- [WordPress](http://wordpress.org) 4.7+

Installation
------------

### Composer

The recommended way to use this plugin is with Composer.

```
composer require 10up/10up-experience
```

### Git

For development purposes, you can clone the plugin into `wp-content/plugins` and install the dependencies.

```
git clone git@github.com:10up/10up-experience.git && cd 10up-experience && composer install && npm install
```

### Archive

If you need a built version of the plugin to install via the dashboard, [download](https://github.com/10up/10up-experience/archive/master.zip) and extract the plugin into `wp-content/plugins`. Make sure you use the `master` branch, which contains the latest stable release.

Activation
----------

Activate the plugin via the dashboard or WP-CLI.

```
wp plugin activate 10up-experience
```

Updates
-------

Updates use the built-in WordPress update system to pull from GitHub releases.

Functionality
-------------

### REST API

Adds an option to general settings to restrict REST API access. The options are: show REST API to everyone, only show REST API to logged-in users, and show REST API to everyone except the `/users` endpoint. By default, the plugin requires authentication for the `/users` endpoint.

*Configured in `Settings > Reading`.*

#### Filters

- `tenup_experience_rest_api_allowlist`

Allows specific REST API routes to bypass authentication requirements. This is useful when you need certain endpoints to be publicly accessible while keeping the rest of the API restricted.

**Parameters:**

- `$allowed_routes` (array) - An array of REST API routes that should be publicly accessible. Default is an empty array.

**Example: Allow a single route**

```
add_filter( 'tenup_experience_rest_api_allowlist', function( $allowed_routes ) {
    $allowed_routes[] = '/wp/v2/posts';
    return $allowed_routes;
} );
```

**Example: Allow multiple routes**

```
add_filter( 'tenup_experience_rest_api_allowlist', function( $allowed_routes ) {
    return array_merge( $allowed_routes, [
        '/wp/v2/posts',
        '/wp/v2/pages',
        '/my-plugin/v1/public-endpoint',
    ] );
} );
```

**Note:** Routes must match exactly as they appear in the REST API. You can find the route for an endpoint by examining the `rest_route` query variable or by checking the REST API documentation.

### Authors

Removes 10up user author archives so they aren't mistakenly indexed by search engines.

### Gutenberg

Adds an option in the writing settings to switch back to the Classic Editor.

*Configured in `Settings > Writing`.*

### Plugins

Adds a 10up Suggested Plugins section to the plugins screen. Warns users who attempt to deactivate the 10up Experience plugin. Outputs a notice on non-suggested plugins tabs warning users against installing non-approved plugins. If `DISALLOW_FILE_MODS` is on, update notices will be shown in the plugins table.

### Post Passwords

Password protecting post functionality is removed both in Gutenberg and the classic editor. This can be disabled in the writing section of the admin.

*Configured in `Settings > Writing`.*

### Monitor

Sends non-PII information about the website back to 10up including plugins installed, constants defined in `wp-config.php`, 10up user accounts, and more.

*Configured in `Settings > General` or `Settings > Network Settings` if network activated.*

### Authentication

By default, all users must use a medium or greater strength password. This can be turned off in general settings (or network settings if network activated). Reserved usernames such as `admin` are prevented from being used.

*Configured in `Settings > General` or `Settings > Network Settings` if network activated.*

\**Password strength functionality requires the PHP extension [mbstring](https://www.php.net/manual/en/mbstring.installation.php) to be installed on the web server. Functionality will be bypassed if the extension is not installed.*

Additionally, the plugin checks passwords against the [Have I Been Pwned](https://haveibeenpwned.com/) database to ensure they haven't been compromised in a data breach. This can be disabled by defining the constant `TENUP_EXPERIENCE_DISABLE_HIBP` as `true`.
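
How a breach lookup of this kind can work without the password leaving the server, as an added example that is not the plugin's own code. It assumes the public Pwned Passwords range endpoint (`https://api.pwnedpasswords.com/range/{prefix}`), which this README does not name; the `example_*` functions and the sample response are constructed for illustration.

```php
<?php
// Added example; not code from the 10up Experience plugin. Names are hypothetical.

/**
 * Split a password's SHA-1 into the 5-character prefix that is sent to the
 * range endpoint and the 35-character suffix that stays on the server.
 */
function example_hibp_split( string $password ): array {
    $hash = strtoupper( sha1( $password ) );
    return [ substr( $hash, 0, 5 ), substr( $hash, 5 ) ];
}

/**
 * Look the password up in a range response ("SUFFIX:COUNT" per line).
 *
 * @param callable $fetch_range function( string $prefix ): ?string, null on failure.
 * @return int|null Breach count, 0 if absent, null if the lookup failed.
 */
function example_hibp_breach_count( string $password, callable $fetch_range ): ?int {
    [ $prefix, $suffix ] = example_hibp_split( $password );
    $body = $fetch_range( $prefix );
    if ( null === $body ) {
        return null; // Caller decides whether to fail open or closed.
    }
    foreach ( preg_split( '/\R/', trim( $body ) ) as $line ) {
        $parts = explode( ':', trim( $line ), 2 );
        if ( 2 === count( $parts ) && hash_equals( $suffix, strtoupper( $parts[0] ) ) ) {
            return (int) $parts[1]; // Padded responses carry a count of 0.
        }
    }
    return 0;
}

// Constructed stand-in for the HTTP call so the example runs offline. In
// WordPress this would be a wp_remote_get() to the range URL for $prefix.
$constructed_fetch = function ( string $prefix ): ?string {
    [ $known_prefix, $known_suffix ] = example_hibp_split( 'password' );
    $filler = str_repeat( '0', 34 ) . 'A:3'; // constructed non-matching entry
    return $prefix === $known_prefix
        ? $filler . "\r\n" . $known_suffix . ":42\r\n" // constructed count
        : $filler . "\r\n";
};

foreach ( [ 'password', 'correct horse battery staple 9!' ] as $candidate ) {
    $count = example_hibp_breach_count( $candidate, $constructed_fetch );
    printf( "%-34s %s\n", $candidate, $count > 0 ? "reject (seen $count times)" : 'accept' );
}
```

Only the five-character prefix is passed to the fetcher; the suffix comparison happens locally.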

#### Constants

- `TENUP_EXPERIENCE_DISABLE_HIBP`

Define `TENUP_EXPERIENCE_DISABLE_HIBP` as `true` to disable Have I Been Pwned password checking.

### Headers

`X-Frame-Options` is set to `sameorigin` to prevent clickjacking.

*Note:* 10up admin branding can be disabled by defining the constant `TENUP_DISABLE_BRANDING` as `true`.

There are 2 filters available here:

- `tenup_experience_x_frame_options` - Default value is `SAMEORIGIN`; it can be changed to `DENY`.
- `tenup_experience_disable_x_frame_options` - Default value is `FALSE`; changing it to `TRUE` omits the header.

### SSO

10up Experience includes 10up SSO functionality. This feature can be enabled or disabled in `Settings > General`. It is enabled by default. There are some useful constants related to this functionality:

- `TENUPSSO_DISABLE` - Define this as `true` to force disable SSO.
- `TENUPSSO_DISALLOW_ALL_DIRECT_LOGIN` - Define this as `true` to disable username/password logins completely.
- `SUPPORT_MONITOR_ENABLE` - Overrides the settings to enable Support Monitor. Possible values `yes` and `no`.
- `SUPPORT_MONITOR_API_KEY` - Overrides the settings to Support Monitor API key.
- `SUPPORT_MONITOR_SERVER_URL` - Overrides the settings to Support Monitor server URL.

### Activity Log

The Activity Log tracks key actions taken by logged in users and stores them in Monitor. Note that no PII is stored. This feature can be disabled by defining `TENUP_DISABLE_ACTIVITYLOG` as `true`.

#### Logged Actions

- `profile_update` Runs when a user profile is updated. Example log message: "User 1 profile updated."
- `set_user_role` Runs when a user's role has changed. Example log message: "User 1 role changed from editor to administrator."
- `updated_user_meta` Runs when certain user metadata has changed. Example log message: "User 1 meta updated. Key: nickname."
- `user_register` Runs when a new user is registered. Example log message: "User 1 registered."
- `deleted_user` Runs when a user is deleted. Example log message: "User 1 deleted."
- `wp_login` Runs when a user logs in. Example log message: "User 1 logged in."
- `activated_plugin` Runs when a plugin is activated. Example log message: "Plugin wordpress-seo is activated."
- `delete_plugin` Runs when a plugin is deleted. Example log message: "Plugin wordpress-seo is deleted."
- `switch_theme` Runs when the theme changes. Example log message: "Theme switch to twentytwentytwo from twentytwentyone."
- `deleted_theme` Runs when a theme is deleted from the site. Example log message: "Theme twentytwentyone is deleted."
- `updated_option` Runs when one of a specified set of core options changes. Example log message: "Option `users_can_register` is updated."
- `added_option` Runs when one of a specified set of core options is added. Example log message: "Option `users_can_register` is added."
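
One way to triage these messages on the receiving side, as an added example that is not part of the plugin. It assumes the messages are worded exactly like the examples above and are available as an array of strings; the function name, rule names and sample log are constructed.

```php
<?php
// Added example; not code from the 10up Experience plugin. Names are hypothetical.

/**
 * Flag Activity Log messages worth a second look. Patterns assume messages
 * are worded exactly like the README's example log messages.
 */
function example_triage_activity_log( array $messages ): array {
    $rules = [
        'user_registered'      => '/^User (\d+) registered\.$/',
        'role_to_admin'        => '/^User (\d+) role changed from (\S+) to administrator\.$/',
        'plugin_activated'     => '/^Plugin (\S+) is activated\.$/',
        'registration_toggled' => '/^Option `?users_can_register`? is (updated|added)\.$/',
    ];
    $new_users = [];
    $findings  = [];
    foreach ( $messages as $index => $message ) {
        foreach ( $rules as $rule => $pattern ) {
            if ( ! preg_match( $pattern, trim( $message ), $m ) ) {
                continue;
            }
            if ( 'user_registered' === $rule ) {
                $new_users[ $m[1] ] = true; // Remembered, not a finding by itself.
                break;
            }
            $severity = 'review';
            if ( 'role_to_admin' === $rule && isset( $new_users[ $m[1] ] ) ) {
                $severity = 'high'; // Account created and promoted in the same batch.
            }
            $findings[] = compact( 'index', 'rule', 'severity', 'message' );
            break;
        }
    }
    return $findings;
}

// Constructed sample log, built from the message formats listed above.
$constructed_log = [
    'User 4 logged in.',
    'Option `users_can_register` is updated.',
    'User 9 registered.',
    'User 9 role changed from subscriber to administrator.',
    'User 2 role changed from editor to administrator.',
    'Plugin wordpress-seo is activated.',
    'User 4 meta updated. Key: nickname.',
];

foreach ( example_triage_activity_log( $constructed_log ) as $finding ) {
    printf( "[%s] %s: %s\n", $finding['severity'], $finding['rule'], $finding['message'] );
}
```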

#### Filters

- `tenup_experience_logged_user_meta_changes`

Filters the user meta keys whose changes should be logged.

- `tenup_support_monitor_logged_option_changes`

Filters the option keys whose changes should be logged.

- `tenup_support_monitor_log_item`

Filters whether to log a message.

- `tenup_support_monitor_max_activity_log_count`

Filters how many log items to store. Items are stored in an array saved to the options table. Default is 500.

#### Constants

- `TENUP_DISABLE_ACTIVITYLOG`

Define `TENUP_DISABLE_ACTIVITYLOG` as `true` to disable Activity Log.

### Environment Indicator

To enhance user awareness and minimize the risk of making unintended changes, 10up Experience includes a visual indicator integrated into the admin bar. This feature clearly displays which environment (e.g., development, staging, production) the user is currently working in.

#### Filters

- `tenup_experience_environments`

Allows customization of environment indicator labels, icons, and colors for the four supported WordPress environment types (production, staging, development, local).

**Example:**

```
add_filter( 'tenup_experience_environments', function( $environments ) {
    $environments['staging']['icon'] = 'dashicons-star-filled';
    $environments['staging']['background_color'] = '#ff6b00';
    return $environments;
} );
```

### Comments

10up Experience includes a feature to disable comments across the site. This feature can be enabled or disabled in `Settings > General`. It is disabled by default.

On top of disabling the comment form, this feature removes the following:

- Comments from the admin menu.
- Comment blocks from the post editor.
- Comments from the admin bar.

#### WordPress 6.9+ Block Notes Compatibility

As of version 1.18.0, the disable comments feature is fully compatible with Block Notes introduced in WordPress 6.9. Block Notes are a collaborative feedback feature that allows teams to leave contextual comments on blocks within the editor.

When comments are disabled, Block Notes will continue to function normally because they:

- Use a different comment type (`note` instead of `comment`)
- Rely on `edit_post` capability rather than comment capabilities
- Are only visible within the block editor, not on the frontend

This means you can safely disable traditional comments while still using Block Notes for editorial collaboration.

Note that disabling comments removes the comment UI, frontend display, and the ability to submit new comments, but it does not break code that *explicitly* queries for a specific comment type. Queries that explicitly request the `comment` type (or any allowed type such as `note`) are still honoured; only the default, untyped comment queries are short-circuited.

#### Constants

- `TENUP_DISABLE_COMMENTS`

Define this as `true` to force disable comments or `false` to enable comments from a config file. Setting this constant will disable the UI for enabling/disabling comments in the admin.

#### Filters

- `tenup_experience_disable_comments`

Filters whether to disable comments. Default is `false`. Defining this filter will disable the UI for enabling/disabling comments in the admin.

- `tenup_experience_disable_comments_allowed_types`

Filters the list of comment types that should bypass the disable comments feature. By default, this includes `note` for WordPress 6.9+ Block Notes. This allows plugins to extend the list of comment types that should continue to function when traditional comments are disabled.

Example:

```
add_filter( 'tenup_experience_disable_comments_allowed_types', function( $allowed_types ) {
    $allowed_types[] = 'custom_comment_type';
    return $allowed_types;
} );
```

- `tenup_experience_disable_comments_disallowed_blocks`

Filters the list of blocks that should be disallowed when comments are disabled. This is useful when core adds new blocks that aren't covered by the default list.

The default list of disallowed blocks is:

- `core/comment-author-name`
- `core/comment-content`
- `core/comment-date`
- `core/comment-edit-link`
- `core/comment-reply-link`
- `core/comment-template`
- `core/comments`
- `core/comments-pagination`
- `core/comments-pagination-next`
- `core/comments-pagination-numbers`
- `core/comments-pagination-previous`
- `core/comments-title`
- `core/post-comments`
- `core/post-comments-form`
- `core/latest-comments`

Support Level
-------------

**Active:** 10up is actively working on this, and we expect to continue work for the foreseeable future including keeping tested up to the most recent version of WordPress. Bug reports, feature requests, questions, and pull requests are welcome.

Changelog
---------

A complete listing of all notable changes to the 10up Experience Plugin is documented in [CHANGELOG.md](https://github.com/10up/10up-experience/blob/develop/CHANGELOG.md).

