
Preventing Users From Accessing wp-admin

If you have a WordPress site that you allow people to sign up for, you often don’t want them to be able to access wp-admin. It’s not that there are any security issues; you just want to ensure that your users are accessing your site in a predictable manner.

To block non-admin users from getting into wp-admin, you just need to add the following code to your functions.php, or somewhere similar:

add_action( 'init', 'blockusers_init' );

function blockusers_init() {
	if ( is_admin() && ! current_user_can( 'administrator' ) && 
	   ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
		wp_redirect( home_url() );
		exit;
	}
}

Ta-da! Now only administrator users can access wp-admin; everyone else will be redirected to the homepage.
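
A variant of the snippet above, as an added example that is not the original post's code: it hooks admin_init, checks a capability instead of the administrator role name, and shows that because AJAX requests are exempted from the redirect, each admin-ajax.php handler has to do its own nonce and capability check. The example_ names, the publish_posts threshold and the example_favorite action are assumptions.

```php
<?php
// Added example, not the original post's code. The example_ names, the
// 'publish_posts' threshold and the 'example_favorite' action are assumptions.

// Held by the built-in Author, Editor and Administrator roles only.
const EXAMPLE_DASHBOARD_CAP = 'publish_posts';

// admin_init fires only for wp-admin requests (admin-ajax.php and
// admin-post.php included), so front-end page loads never run this check.
add_action( 'admin_init', 'example_gate_dashboard' );

function example_gate_dashboard() {
	// Plugins post to wp-admin/admin-ajax.php from the front end; let that through.
	if ( wp_doing_ajax() ) { // available since WordPress 4.7
		return;
	}
	if ( ! current_user_can( EXAMPLE_DASHBOARD_CAP ) ) {
		wp_safe_redirect( home_url() );
		exit;
	}
}

// Hide the toolbar for the same users so no dashboard links are rendered.
add_filter( 'show_admin_bar', 'example_filter_admin_bar' );

function example_filter_admin_bar( $show ) {
	return current_user_can( EXAMPLE_DASHBOARD_CAP ) ? $show : false;
}

// The gate exempts AJAX, so each handler must authorize the request itself.
add_action( 'wp_ajax_example_favorite', 'example_favorite_handler' );

function example_favorite_handler() {
	// Dies with a 403 when the 'nonce' field is missing or invalid.
	check_ajax_referer( 'example_favorite', 'nonce' );

	if ( ! current_user_can( 'read' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}
	$topic_id = isset( $_POST['topic_id'] ) ? absint( $_POST['topic_id'] ) : 0;
	if ( 0 === $topic_id ) {
		wp_send_json_error( 'missing topic_id', 400 );
	}
	update_user_meta( get_current_user_id(), 'example_favorite_' . $topic_id, 1 );
	wp_send_json_success( array( 'topic_id' => $topic_id ) );
}
```

The front-end script has to send a nonce created with wp_create_nonce( 'example_favorite' ) in the nonce field of the request.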


29 thoughts on “Preventing Users From Accessing wp-admin”

  1. Acts7 says:

    Another item you may want to do is remove the admin bar for non-admin users.

    // remove admin bar for non publishers
    function my_function_admin_bar($content) {
        return ( current_user_can("administrator") ) ? $content : false;
    }
    add_filter( 'show_admin_bar' , 'my_function_admin_bar');

    • Your code didn’t work for me, but this did:

      add_action('after_setup_theme', 'remove_admin_bar');
      function remove_admin_bar() {
          if (!current_user_can('administrator') && !is_admin()) {
              show_admin_bar(false);
          }
      }

  2. Nice and neat. Does this code only block the display of the WP-Admin, so users can still run actions (i.e. sending specific POST requests), or does it disable both display and access?

    • Jane says:

      Thank you for the code, it worked for me as well. However, I noticed a loophole in wp-admin. A user that first signs in through normal channels can put /wp-admin into the browser and get access. Is there a way of re-routing this as well?

  3. Renan Vieira says:

    There is a simple way to remove the admin bar, just add to functions.php the following line:

    show_admin_bar(false);

    []‘s

  4. Pingback: [TUTORIAL] Restrict Multisite Users from accessing wp-admin pages even outside ClassiPress

  5. texorama says:

    I’m seeing this break front-end AJAX, like in bbPress, where a logged-in user can Favorite or Subscribe To a topic. Those links use AJAX, which actually calls an Admin URL (I’m not clear why): admin_url( 'admin-ajax.php' ). So blocking a user from the WP-Admin backend this way seems to also block him from using AJAX (at least in bbPress, or other plugins that do AJAX this way). I’m not a plugin developer, so I’m not familiar.

  6. Useful function, although I might recommend hooking this into admin_init instead of init, that way it won’t even bother doing all the conditional logic on front-end pages.

  7. CA says:

    Hi,
    but if that script is running and I come along as an Admin user to log in, how can I see the /wp-admin page to actually log in myself?

  8. ScottD says:

    Is there any way to modify this so that anyone who has an account lower than an Author can’t access wp-admin? Basically, I only want Authors, Editors, and the Administrator to have access to wp-admin.

  9. Pingback: DAN SULESKI | Preventing users from accessing wp-admin

  10. The code is a very good one and works OK with WordPress 3.8,
    but there is a problem:
    after pasting it in the function.php file, the user (author) couldn’t upload an image in the front-end post form.

    Do you have any answer for this? Please.

  11. Pingback: How to Limit Access to Your WordPress Dashboard - WPMU DEV
