How would we restrict access to the WP admin area to all users except admins?
The users on our site have their own profile pages which do all the functions they need.

So admin should be off limits to all except admins.

How to do that?

asked Mar 5, 2011 at 15:15 by Robin I Knight; edited Oct 20, 2012 at 2:55 by brasofilo
  • You mean there are 'front facing' user pages that don't require accessing anything located at yourdomain/wp-admin ? – curtismchale Commented Mar 5, 2011 at 15:37
  • Yes exactly. Is there something wrong with that? – Robin I Knight Commented Mar 5, 2011 at 15:42
  • Nope just clarifying. – curtismchale Commented Mar 6, 2011 at 2:01

8 Answers


We can hook to the admin_init action and check if the user is an administrator by using the current_user_can() function to see if the current user can manage_options, which is something only an administrator can do.

This code, when pasted into your functions.php file, will display a message when a non-admin tries to access the dashboard:

function wpse_11244_restrict_admin() {

    if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
        return;
    }

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( __( 'You are not allowed to access this part of the site' ) );
    }
}

add_action( 'admin_init', 'wpse_11244_restrict_admin', 1 );

If you prefer, you can provide better user experience by redirecting the user to the home page instead:

function wpse_11244_restrict_admin() {

    if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
        return;
    }

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_redirect( home_url() );
        exit;
    }
}

add_action( 'admin_init', 'wpse_11244_restrict_admin', 1 );

If you want to redirect the user to their profile page, replace home_url() in the code above with the link.

You could write a plugin and hook into admin_init.

The codex actually gives an example with the feature you are looking for.

http://codex.wordpress.org/Plugin_API/Action_Reference/admin_init#Example:_Access_control

Some of the answers given can be fine in most situations, but I think none of them guarantee to do exactly what is asked, because none of the answers check user roles; they check capabilities, and capabilities can be assigned to and removed from roles. So, to give an exact answer, the user roles must be checked, not capabilities:

add_action( 'admin_init', 'allow_admin_area_to_admins_only');
function allow_admin_area_to_admins_only() {

      if( defined('DOING_AJAX') && DOING_AJAX ) {
            //Allow ajax calls
            return;
      }

      $user = wp_get_current_user();

      if( empty( $user ) || !in_array( "administrator", (array) $user->roles ) ) {
           //Redirect to main page if no user or if the user has no "administrator" role assigned
           wp_redirect( get_site_url( ) );
           exit();
      }

 }

If you want to check that the user has the "manage_options" capability, you can. In fact, it is the best option in most cases. Although this capability is associated by default to administrator users, the capability can be removed from the admin role or it can be assigned to other user roles. That is why, in most cases, checking what the user can or cannot do is better than checking the user role. So, in most cases checking for capabilities should be the chosen way, but you must have this concept clear and choose the best option for your situation and purpose:

add_action( 'admin_init', 'admin_area_for_manage_options_only');
function admin_area_for_manage_options_only() {

      if( defined('DOING_AJAX') && DOING_AJAX ) {
            //Allow ajax calls
            return;
      }


      if( ! current_user_can( "manage_options" ) ) {
           //Redirect to main page if the user has no "manage_options" capability
           wp_redirect( get_site_url( ) );
           exit();
      }

 }
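
The difference between the two checks in the answer above can be measured on a live site. The following is an added example, not part of any answer in this thread: it reports which roles and accounts a role check and a manage_options check would treat differently. The function name example_admin_gate_audit and the report layout are assumptions made for the illustration.

```php
<?php
/**
 * Added example: report which accounts each kind of gate would admit.
 * The function name and the report layout are made up for this illustration.
 */
function example_admin_gate_audit() {
    $report = array(
        'roles_with_cap'     => array(), // non-admin roles granted manage_options
        'admin_role_has_cap' => false,   // stays false if the cap was removed from the role
        'users_differing'    => array(), // accounts the two checks disagree on
    );

    // Role level: which role definitions carry the capability.
    foreach ( wp_roles()->role_objects as $slug => $role ) {
        if ( ! $role->has_cap( 'manage_options' ) ) {
            continue;
        }
        if ( 'administrator' === $slug ) {
            $report['admin_role_has_cap'] = true;
        } else {
            $report['roles_with_cap'][] = $slug;
        }
    }

    // User level: capabilities can also be granted per user, and on multisite a
    // super admin passes user_can() without holding the administrator role.
    foreach ( get_users() as $user ) {
        $by_role = in_array( 'administrator', (array) $user->roles, true );
        $by_cap  = user_can( $user, 'manage_options' );
        if ( $by_role !== $by_cap ) {
            $report['users_differing'][ $user->user_login ] = array(
                'role_check' => $by_role,
                'cap_check'  => $by_cap,
            );
        }
    }

    return $report;
}
```

An empty roles_with_cap and users_differing, with admin_role_has_cap true, means both gates admit the same accounts on this site. Any entry in either list is an account or role that one of the gates lets into wp-admin and the other does not.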

Try the Adminimize plugin.
You can lock things down pretty well with that.

You could also try setting access up through an .htaccess file.

function wpse_11244_restrict_admin() {
    if (!current_user_can('update_core')) {
        wp_die(__('You are not allowed to access this part of the site'));
    }
}

add_action('admin_init', 'wpse_11244_restrict_admin', 1);

Put these lines in your functions.php

function baw_no_admin_access() {
    if ( ! current_user_can( 'administrator' ) ) {
        wp_redirect( home_url() );
        die();
    }
}
add_action( 'admin_init', 'baw_no_admin_access', 1 );

Try this; never throw errors in the face of an end user. It goes against good UX. This code redirects them to Home.

add_action( 'init', 'blockusers_init' );
function blockusers_init() {
    if ( is_admin() && ! current_user_can( 'administrator' ) &&
        ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
        wp_redirect( home_url() );
        exit;
    }
}

I would use WP Frontend and set it for everybody except admins.
