Nathan Wrigley interviews Russell Aaron on a little-known WordPress admin page: wp-admin/options.php. Russell, a WordPress power user since 2004 and developer since 2011, describes options.php as a legacy but useful tool that exposes the entire wp_options table in a single editable form.
What options.php is
– Visiting example.com/wp-admin/options.php (while logged in) shows “All Settings” — a two-column form of option names and their values drawn straight from the database.
– Most values are editable and can be saved from that single large form. The page includes a warning: direct access to site settings can break things.
Why it exists
– Likely a legacy feature intended to surface settings stored in the options table, from early WordPress days. It’s effectively the largest form in WordPress: a quick way to view (and edit) the options table without opening phpMyAdmin or other DB tools.
Common reactions and concerns
– Many long-time users never knew this page existed; it’s not linked visibly in the admin UI, though the Settings sidebar item will be highlighted when the page is open.
– The editable nature raises risk: changing values accidentally (missing punctuation, wrong format) can break plugins or the site. Because it’s hidden and undocumented, there are no tooltips or explanations about each option, so careless edits are dangerous.
– Despite the risk, Russell notes it’s not commonly implicated in site compromises. Access requires the manage_options capability (typically administrators), which reduces exposure.
Practical uses
– Plugin development and support: Russell uses it locally to confirm whether plugins are setting or removing options (e.g., checking if uninstall.php correctly removes plugin data). It’s faster than opening a database tool for quick checks.
– Hunting license keys, plugin states, or other option values that are otherwise buried in serialized data or obscure option names.
– It can be more readable and quicker to scan than raw database tables for certain tasks.
Limitations
– No built-in search/filter — use the browser’s find to locate keys or values.
– No descriptive documentation or context for keys; default core options and third-party options appear together without explanation.
– Multi-site: the page shows per-site options in the site’s dashboard. For network-level options you’d need to view the network site’s admin.
Security and best practice
– Only administrators (manage_options capability) can access it — don’t hand out admin accounts lightly.
– Heed the warning on the page: avoid editing unless you know exactly what a change does. Back up the site before editing.
– For persistent or risky changes, use proper DB tools or scripted updates; use options.php for inspections and quick checks, not bulk edits unless confident.
Anecdote and takeaway
– Russell admits he once broke a site by editing plugin activation data in options.php (a typo caused issues). That reinforces the “don’t touch unless you know what you’re doing” advice.
– The page’s existence is an interesting reminder that WordPress includes legacy, developer-facing surfaces that many users never see. It’s useful, but hazardous if used carelessly.
If curious: while logged in as an administrator, visit /wp-admin/options.php to view your options table. Look, but don’t edit unless you have a backup and understand the consequences.