# BrenWP Client Safe Mode – Usage Guide (v1.7.2) This guide is written for **first‑time users**. It focuses on a safe, minimal setup first, and then optional “Advanced” features. --- ## 1) What this plugin does (in one minute) **Safe Mode (per user)** Lets *you* (or another admin) enable a “safer admin view” while troubleshooting. When Safe Mode is enabled, the plugin can hide risky UI areas and block certain admin screens to reduce accidental changes. **Client Restrictions (role-based)** Applies restrictions to selected roles (typically `editor`, `author`, sometimes `shop_manager`) to make client handoff safer and reduce support load. **Activity Log (optional)** Records key plugin actions and can be exported (JSON/CSV) for audit and troubleshooting. --- ## 2) Quick Start (first-time setup) 1. **Install & Activate** the plugin. 2. Go to **BrenWP → Quick Start** and confirm **Enforcement** is enabled. - The **About** content is available as an **About** tab at the end of the top navigation. - If you want a one-click file export of settings, enable **Settings export download** in **Site Settings** (default OFF). 3. Go to **Safe Mode**: - Settings are grouped into **Quick setup**, **Recommended protections**, and a collapsed **Advanced** panel. - Keep defaults. - Ensure your admin role is allowed to toggle Safe Mode. 4. Go to **Restrictions**: - Settings are grouped into **Who is restricted**, **Recommended restrictions**, and a collapsed **Advanced** panel. - Select the roles you want to restrict (recommended: `editor` first). - Enable only the restriction toggles you truly need. 5. **Test with a staging user**: - Create a test user with the restricted role. - Log in as that user and confirm menus/screens behave as expected. Recommendation for production rollout: - Start with **light restrictions**, then tighten after 1–2 days based on client feedback. --- ## 3) Safe Mode (for your own account) ### Enable / Disable - Use the **Admin Bar toggle** (“Safe Mode”) when logged in. - Or use **BrenWP → Safe Mode**. ### Auto-off (optional) - You can set an auto-off timer in minutes. - If enabled, Safe Mode will turn off automatically after the configured time. ### Lockout safety If Safe Mode is enabled for your account, you can **always disable it**, even if your role changes later. This prevents “stuck Safe Mode” incidents. --- ## 4) Admin-managed Safe Mode (for other users) This is an optional tool for administrators. ### Enable it 1. Go to **BrenWP → Safe Mode** 2. In **Advanced** settings enable: - **Allow admins to manage Safe Mode for other users** ### Use it 1. Open the **Admin-managed Safe Mode for other users** panel. 2. Search for a user (type at least 2 characters). 3. Select the user. 4. Choose: - **Enable Safe Mode** (optional expiry minutes), or - **Disable Safe Mode** ### Multisite rules - Non-super-admin users cannot manage Safe Mode for super-admin accounts. - Only users belonging to the current site/blog can be targeted. --- ## 5) Client Restrictions (role-based) ### Recommended baseline (simple) For first-time usage, consider enabling only: - Hide Help/Screen Options (optional) - Hide Screen Options only (optional) - Block Tools screens (Tools/Import/Export) (optional) - Hide Admin Bar on the front end (optional) - Block Customizer access (optional) - Block Users screens (optional) - 2FA reminder notice (optional; notice only) Then add stronger restrictions only if needed. ### Targeting You can apply restrictions: - by role (typical), and optionally - by a specific user account (advanced) --- ## 6) Custom admin screen blocklists (Advanced) You can add custom screens to block as one entry per line. Examples: - `tools.php` - `plugins.php` - `edit.php?post_type=page` - `admin.php?page=some-plugin-page` Rules: - Use **one entry per line** - Prefer **exact query keys** (e.g. `post_type=page`) to avoid overblocking Safety: - The plugin never blocks critical endpoints like `admin-ajax.php` or `admin-post.php`. - The plugin never blocks its own settings screen, to prevent lockouts. --- ## 7) Activity log (export + retention) ### Export Go to **BrenWP → Logs**: - Export as **JSON** or **CSV** Exports are “privacy-by-default”: common sensitive values in log context are redacted. ### Retention In **General** settings you can set: - **Retention days** (auto-prune) - **Max entries** (ring buffer) Auto-prune runs daily via WP-Cron. On low-traffic sites, pruning may occur later (normal WP-Cron behavior). --- ## 8) Troubleshooting ### A) I blocked too much / client can’t access something - Temporarily reduce restrictions. - Remove custom blocklist entries and save. ### B) A user is stuck in Safe Mode - As admin, use **Admin-managed Safe Mode** panel to disable it for that user. ### C) Export is blocked / empty - Ensure Activity Log is enabled. - Confirm you have admin capability to manage this plugin. --- ## 9) Security notes - All state-changing actions use **POST-only + nonce + capability checks**. - The plugin does **not** store sensitive information (passwords/tokens) in logs. - Multisite safeguards prevent accidental targeting of super-admin accounts by non-super-admins. --- ## 7) Optional security reminders and exports ### 2FA reminder notice (Restrictions) If enabled, restricted users will see a small, dismissible notice that encourages enabling Two‑Factor Authentication (2FA). This is a **notice only** feature; it does not install or configure any 2FA plugin. ### Settings export download (General) If enabled, administrators can download a JSON settings file using a nonce‑protected endpoint. This is useful for backups and for moving a configuration between environments.