Preventing Users From Accessing wp-admin

If you have a WordPress site that you allow people to sign up for, you often don’t want them to be able to access wp-admin. It’s not that there are any security issues; you just want to ensure that your users are accessing your site in a predictable manner.

To block non-admin users from getting into wp-admin, you just need to add the following code to your functions.php, or somewhere similar:

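// Run the check on every request, early in WordPress startup.
add_action( 'init', 'blockusers_init' );

function blockusers_init() {
	// Redirect when the request is for an admin screen, the user is not
	// an administrator, and it is not an admin-ajax.php (AJAX) call.
	if ( is_admin() && ! current_user_can( 'administrator' ) &&
	   ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
		wp_redirect( home_url() );
		exit;
	}
}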

Ta-da! Now only administrator users can access wp-admin; everyone else will be redirected to the homepage.
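
A variant that folds in points readers raise in the comments on this post, as an added example that is not the post's own code: it hooks admin_init, gates on a capability instead of a role name, and gives an AJAX handler its own checks, because the redirect does not stop logged-in users from calling such handlers. The function names, the 'publish_posts' threshold, the admin-post.php exemption and the example_save_note action are assumptions; wp_doing_ajax() needs WordPress 4.7 or later.

```php
<?php
// Added example, not the post's code. Function names, the 'publish_posts'
// threshold and the 'example_save_note' action are assumptions.

// admin_init fires only for requests under /wp-admin/, so front-end page
// loads skip this check entirely.
add_action( 'admin_init', 'example_restrict_wp_admin' );

function example_restrict_wp_admin() {
	global $pagenow;

	// Front-end features post to admin-ajax.php and admin-post.php;
	// let those through so plugin and theme forms keep working.
	if ( wp_doing_ajax() || 'admin-post.php' === $pagenow ) {
		return;
	}

	// Test a capability, not a role name. With the default roles,
	// 'publish_posts' admits Authors, Editors and Administrators.
	if ( current_user_can( 'publish_posts' ) ) {
		return;
	}

	wp_safe_redirect( home_url() );
	exit;
}

// The redirect is not an authorization check: every logged-in user can
// still call wp_ajax_* handlers, so each handler verifies the request.
add_action( 'wp_ajax_example_save_note', 'example_save_note' );

function example_save_note() {
	// Reject requests without a valid nonce for this action (CSRF check).
	check_ajax_referer( 'example_save_note', 'nonce' );

	// Enforce the capability this action needs.
	if ( ! current_user_can( 'edit_posts' ) ) {
		wp_send_json_error( 'Not allowed', 403 );
	}

	$note = isset( $_POST['note'] )
		? sanitize_text_field( wp_unslash( $_POST['note'] ) )
		: '';
	update_user_meta( get_current_user_id(), 'example_note', $note );
	wp_send_json_success();
}
```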

31 thoughts on “Preventing Users From Accessing wp-admin”

  1. Another item you may want to do is remove the admin bar for non-admin users.

    // remove admin bar for non publishers
    function my_function_admin_bar($content) {
        return ( current_user_can('administrator') ) ? $content : false;
    }
    add_filter( 'show_admin_bar' , 'my_function_admin_bar');

    1. Your code didn’t work for me, but this did:

      add_action('after_setup_theme', 'remove_admin_bar');
      function remove_admin_bar() {
          if (!current_user_can('administrator') && !is_admin()) {
              show_admin_bar(false);
          }
      }

  2. Nice and neat. Does this code only block the display of the WP-Admin, so that users can still run actions (i.e. sending specific POST requests), or does it disable both display and access?

    1. Thank you for the code, it worked for me as well. However, I noticed a loophole in wp-admin. A user that first signs in through normal channels can put /wp-admin into the browser and get access. Is there a way of re-routing this as well?

  3. There is a simple way to remove the admin bar, just add to functions.php the following line:

    show_admin_bar(false);

    []’s

  4. I’m seeing this break front-end AJAX, like in bbPress, where a logged-in user can Favorite or Subscribe To a topic. Those links use AJAX, which actually calls an Admin URL (I’m not clear why): admin_url( 'admin-ajax.php' ). So blocking a user from the WP-Admin backend this way seems to also block him from using AJAX (at least in bbPress, or other plugins that do AJAX this way). I’m not a plugin developer, so I’m not familiar.

  5. Useful function, although I might recommend hooking this into admin_init instead of init, that way it won’t even bother doing all the conditional logic on front-end pages.

  6. Hi,
    but if that script is running and I come along as an Admin user to log in, how can I see the /wp-admin page to actually log in myself?

  7. Is there any way to modify this so that anyone who has an account lower than an Author can’t access wp-admin? Basically, I only want Authors, Editors, and the Administrator to have access to wp-admin.

    1. OK, after posting this question I found a solution here: http://wordpress.stackexchange.com/questions/66093/how-to-prevent-access-to-wp-admin-for-certain-user-roles

      Basically just change the USER_ROLE_NAME_HERE and 2ND_ROLE_NAME_HERE to the user roles you DON’T want to access wp-admin.

      In my case ‘subscriber’ and ‘contributor’. For anyone else, if there’s only one role that needs to be blocked just remove the line that says OR current_user_can( '2ND_ROLE_NAME_HERE' ), or if there are more than two, copy that line as many times as needed and replace 2ND_ROLE_NAME_HERE with whatever roles you need to block.

      Works great!

  8. The code is a very good one and works OK with WordPress 3.8,
    but there is a problem:
    after pasting it in the function.php file, the user (author) couldn’t upload an image in the front-end post form.

    Do you have any answer for this? Please.
