Preventing Users From Accessing wp-admin

If you have a WordPress site that you allow people to sign up for, you often don’t want them to be able to access wp-admin. It’s not that there are any security issues; you just want to ensure that your users are accessing your site in a predictable manner.

To block non-admin users from getting into wp-admin, you just need to add the following code to your functions.php, or somewhere similar:

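// Run the check early on every request.
add_action( 'init', 'blockusers_init' );

function blockusers_init() {
    // Redirect admin-area requests from non-administrators, but let AJAX
    // requests through: front-end features call wp-admin/admin-ajax.php.
    if ( is_admin() && ! current_user_can( 'administrator' ) &&
       ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
        wp_redirect( home_url() );
        exit;
    }
}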

Ta-da! Now only administrator users can access wp-admin; everyone else will be redirected to the homepage.
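
A capability-based variant of the check above, as an added example that is not the post's own code: it generalises the administrator-only test to a configurable minimum capability and applies the same rule to the toolbar. The `example_*` function and filter names are hypothetical, and `wp_doing_ajax()` assumes WordPress 4.7 or later.

```php
<?php
// Added example (not the original post's code). The example_* names are hypothetical.

/**
 * Minimum capability required to load wp-admin screens. With the default roles:
 *   manage_options    - administrators only (the behaviour of the snippet above)
 *   edit_others_posts - editors and administrators
 *   publish_posts     - authors and above
 *   edit_posts        - contributors and above
 * Checking a capability rather than the role name 'administrator' keeps the
 * gate working on sites that define custom roles.
 */
function example_admin_gate_capability() {
    return apply_filters( 'example_admin_gate_capability', 'manage_options' );
}

function example_admin_gate() {
    // admin-ajax.php fires admin_init too; front-end features post there,
    // so those requests must pass untouched.
    if ( wp_doing_ajax() ) {
        return;
    }
    if ( current_user_can( example_admin_gate_capability() ) ) {
        return;
    }
    // admin-post.php also fires admin_init, so form handlers posted there are
    // gated as well; exempt it here if the site relies on them.
    wp_safe_redirect( home_url() );
    exit;
}
// admin_init only runs for admin-side requests, so front-end page loads skip
// the check. On regular wp-admin screens core sends logged-out visitors to
// the login form before this hook fires.
add_action( 'admin_init', 'example_admin_gate' );

// Hide the toolbar for exactly the users the gate turns away, so the
// front end shows them no links into wp-admin.
function example_admin_gate_toolbar( $show ) {
    return current_user_can( example_admin_gate_capability() ) ? $show : false;
}
add_filter( 'show_admin_bar', 'example_admin_gate_toolbar' );
```

To admit editors as well, return `'edit_others_posts'` from a callback on the hypothetical `example_admin_gate_capability` filter.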


Comments

33 responses to “Preventing Users From Accessing wp-admin”

  1. Acts7

    Another item you may want to do is remove the admin bar for non-admin users.

    // remove admin bar for non publishers
    function my_function_admin_bar($content) {
        return ( current_user_can("administrator") ) ? $content : false;
    }
    add_filter( 'show_admin_bar' , 'my_function_admin_bar');

    1. Geoffrey Hale

      Your code didn’t work for me, but this did:

      add_action('after_setup_theme', 'remove_admin_bar');
      function remove_admin_bar() {
          if (!current_user_can('administrator') && !is_admin()) {
              show_admin_bar(false);
          }
      }

  2. Vijay

    Bang on, that’s exactly what I was looking for for one of my client’s websites. Thanks..!

  3. Xavi

    Nice and neat, this code only blocks the display of the WP-Admin and users can still run actions (i.e. sending specific POST requests) or does it disable both display and access?

    1. Jane

      Thank you for the code, it worked for me as well. However, I noticed a loophole in wp-admin. A user that first signs in through normal channels can put /wp-admin into the browser and get access. Is there a way of re-routing this as well?

      1. Chris

        I found a code over at natko.com which blocks users who are signed in too and gets them redirected to homepage.

  4. Gary

    Xavi: the `init` action is run before anything interesting happens in the wp-admin code, so yes. It disables both display and access.

  5. Adam

    Nice, that’s great. I was looking for some plugin. But that is better.

  6. Renan Vieira

    There is a simple way to remove the admin bar, just add to functions.php the following line:

    show_admin_bar(false);

    []’s

  7. […] how I accomplished it. Note: this code was written by someone else (not me), and I found it here: http://pento.net/2011/06/19/preventi…sing-wp-admin/ PHP Code: […]

  8. texorama

    I’m seeing this break front-end AJAX, like in bbPress, where a logged-in user can Favorite or Subscribe To a topic. Those links use AJAX, which actually calls an admin URL (I’m not clear why): admin_url( 'admin-ajax.php' ). So blocking a user from the WP-Admin backend this way seems to also block him from using AJAX (at least in bbPress, or other plugins that do AJAX this way). I’m not a plugin developer, so I’m not familiar.

    1. Gary

      Thanks for pointing that out – I’ve added an extra check for DOING_AJAX. 🙂

  9. texorama

    hmm, seems right, but didn’t actually work, for me.

  10. DRG

    Yes, it works 🙂 Thanks 🙂

  11. Aravona

    Is there a way to use this for wp-login.php?

  12. Andrew

    Useful function, although I might recommend hooking this into admin_init instead of init, that way it won’t even bother doing all the conditional logic on front-end pages.

  13. noor

    Thanks Andrew,
    This code works for me. Great.

  14. Raghav

    How do I allow CONTRIBUTORS alone to access that page?
    No SUBSCRIBERS should enter there.
    Any code for that?

  15. CA

    Hi
    But if that script is running and I come along as an Admin user to log in, how can I see the /wp-admin page to actually log in myself?

    1. Gary

      You actually log in from /wp-login.php, which isn’t affected by this code.

  16. ScottD

    Is there any way to modify this so that anyone who has an account lower than an Author can’t access wp-admin? Basically, I only want Authors, Editors, and the Administrator to have access to wp-admin.

    1. ScottD

      OK, after posting this question I found a solution here: http://wordpress.stackexchange.com/questions/66093/how-to-prevent-access-to-wp-admin-for-certain-user-roles

      Basically just change the USER_ROLE_NAME_HERE and 2ND_ROLE_NAME_HERE to the user roles you DON’T want to access wp-admin.

      In my case ‘subscriber’ and ‘contributor’. For anyone else, if there’s only one role that needs to be blocked just remove the line that says OR current_user_can( ‘2ND_ROLE_NAME_HERE’ ), or if there are more than two, copy that line as many times as needed and replace 2ND_ROLE_NAME_HERE with whatever roles you need to block.

      Works great!

  17. […] Not quite certain why this must be explicitly coded outside of WordPress, but something to keep in mind: http://pento.net/2011/06/19/preventing-users-from-accessing-wp-admin […]

  18. Gabriel

    Thanks a lot, I love the hack and it works just fine for me. Couldn’t leave without leaving a comment…

  19. Lucas

    tks!

  20. Anjali

    Thanks, helped for me to solve for my website.

  21. nitrosoxide

    The code is a very good one and works OK with WordPress 3.8,
    but there’s a problem:
    after pasting it in the function.php file, the user (author) couldn’t upload an image in the front-end post form.

    Do you have any answer for this? Please.

  22. muneer

    I have found the exact plugin for this function:
    http://wordpress.org/plugins/wp-block-admin/

  23. […] to Gary Pendergast for this fantastic […]

  24. akaoshi1

    Thank you, just google your ass and your code has saved me from installing other plugins. Once again Gary, thank you 🙂

  25. huzanspenta

    Hi. I would like the wp-admin to be accessed by administrator and editor users only. How is this possible?
