
Block Access to wp-admin and WordPress Dashboard
Published on October 1, 2012
There are a couple of reasons why you would want to ban access to the wp-admin folder, or to the WordPress dashboard in general, for regular users. Some websites allow commenting only for registered users, but once the user has signed in he can access the WordPress dashboard. Granted, there's not much he can do there if his role is Subscriber, but you might want to prevent access nonetheless.
Basic WordPress user redirection
Most articles on this topic encourage the technique of detecting when someone other than an admin tries to access the wp-admin folder and simply redirecting him to the front page. This seems fine, but it has one major drawback: AJAX-powered plugins (polls, contact forms, etc.) won't work, because you are banning access to the admin-ajax.php WordPress file which handles those requests. Don't let the "admin" part of the file name fool you; it is also used for handling requests coming from the frontend. Also, members with Editor rights won't be able to write articles.
So what's the solution? Allow the visitor to send POST data only to the admin-ajax.php file and ban everything else directed to the wp-admin folder and wp-login.php. Check out the code below and just place it inside your theme's functions.php.
Blocking the dashboard but allowing login page
The code below allows users to access only the default WordPress login page; once signed in they will not be able to see the dashboard.
functions.php

function block_dashboard() {
    // Name of the script handling this request, e.g. admin-ajax.php
    $file = basename($_SERVER['PHP_SELF']);
    // A logged-in user inside wp-admin who cannot edit posts is sent to the
    // front page, unless the request is for the AJAX handler frontend plugins use.
    if (is_user_logged_in() && is_admin() && !current_user_can('edit_posts') && $file != 'admin-ajax.php') {
        wp_redirect( home_url() );
        exit();
    }
}
add_action('init', 'block_dashboard');
Because the check requires is_user_logged_in(), the login page itself stays reachable; once the user is logged in he won't be able to access the wp-admin section again. You might want to add a logout link somewhere on your website so the user can end his session.
header.php

<?php if (is_user_logged_in()) : ?>
    <a href="<?php echo esc_url( wp_logout_url( home_url() ) ); ?>">Logout</a>
<?php endif; ?>
Completely blocking the login page and dashboard
If you have a frontend login system then blocking the default WordPress login page, together with the dashboard, might come in handy.
functions.php

function block_wpadmin() {
    // Name of the script handling this request, e.g. wp-login.php
    $file = basename($_SERVER['PHP_SELF']);
    // Block the login page outright, and block wp-admin for anyone who cannot
    // edit posts, except for the AJAX handler that frontend plugins rely on.
    if ($file == 'wp-login.php' || (is_admin() && !current_user_can('edit_posts') && $file != 'admin-ajax.php')) {
        wp_redirect( home_url() );
        exit();
    }
}
add_action('init', 'block_wpadmin');
That's it! Any plugin using AJAX will function as it should and your dashboard is only accessible to your staff and yourself.
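A variant of the same dashboard block, added here as an example and not code from the original post: it hooks admin_init (which WordPress fires only for wp-admin page loads, admin-ajax.php included), recognises AJAX requests through the DOING_AJAX constant that admin-ajax.php defines server-side instead of through a file name taken from $_SERVER, and redirects with wp_safe_redirect(). The edit_posts capability is the page's own criterion; the upload_files allow-list for roles that need the media uploader (which also runs through wp-admin) is an assumption for sites with custom roles.

```php
<?php
// Added example (not from the original post). Same policy as block_dashboard():
// anyone who cannot edit posts is bounced out of wp-admin to the front page.
// Assumption: users granted upload_files may still reach the uploader endpoint.

function example_block_dashboard() {
    // admin_init only runs for wp-admin loads (including admin-ajax.php and the
    // media uploader), so no is_admin() or is_user_logged_in() check is needed.

    // admin-ajax.php defines DOING_AJAX itself before loading WordPress; the
    // request path a client sends cannot set it, so frontend AJAX plugins
    // (polls, contact forms) keep working without a file-name comparison.
    if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
        return;
    }

    // Assumed allow-list: a custom role that may upload media submits files
    // through wp-admin, and a redirect there surfaces as an upload error.
    if ( current_user_can( 'upload_files' ) ) {
        return;
    }

    if ( ! current_user_can( 'edit_posts' ) ) {
        // wp_safe_redirect() only follows targets on this site's own host.
        wp_safe_redirect( home_url( '/' ) );
        exit;
    }
}
add_action( 'admin_init', 'example_block_dashboard' );

// Hide the toolbar for users who are locked out of the dashboard anyway,
// so they are not offered links that would only redirect them.
function example_hide_admin_bar( $show ) {
    if ( ! current_user_can( 'edit_posts' ) ) {
        return false;
    }
    return $show;
}
add_filter( 'show_admin_bar', 'example_hide_admin_bar' );
```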
Comments (3)
Jonathan on March 26, 2015
I had a similar solution, but came into trouble with my plug-in with an ajax function.
Using $_SERVER is not a good solution because hackers can alter it.
I found a better and more simple solution.
I'm not using is_user_logged_in() or is_admin() because I only use it on the admin_init.
But even on the front_end ajax gave me problems, which seems strange; anyway, here is my solution:
function stop_access_dashboard()
{
    // Redirect subscribers out of wp-admin, but leave AJAX requests alone
    if (current_user_can('subscriber') && !(defined('DOING_AJAX') && DOING_AJAX))
    {
        wp_redirect( home_url() );
        exit;
    }
}
add_action( 'admin_init', 'stop_access_dashboard' );
You can also use a user role plug-in and remove the "read" capability from your subscribers; this should have the same effect, blocking access to the dashboard.
Also nice is to remove the admin bar like so:
// Hide the toolbar for subscribers
if (current_user_can('subscriber')) {
    add_filter('show_admin_bar', '__return_false');
}
Regards,
Jonathan
Jon on September 5, 2018
This worked, but beware: the solution may affect some WordPress functions you want to retain.
This caught me out and took a while to find the cause.
e.g.
If your WordPress site is customised, using Advanced Custom Fields or a similar plugin, you probably want to use the WP uploader & media library front ends, so your users can upload images using that fancy interface.
If so – and if using this redirect solution – the interface will seem to work, but all attempts to upload images will fail with the annoyingly mysterious "HTTP error" message in the uploader interface. Digging deep into headers and things, I found this to be a "302" error, from async_upload.php. In short, the above redirect was happening on the WordPress media upload function, for any users outside the conditional range of the filter code, i.e. subscribers etc.
wallel on September 6, 2018
thank you so much!