How to restrict dashboard access to Admins only?

How would we restrict access to the WP admin area to all users except admins?
The users on our site have their own profile pages which do all the functions they need.

So admin should be off limits to all except admins.

How to do that?

8 comments

  1. We can hook to the admin_init action and check if the user is an administrator by using the current_user_can() function to see if the current user can manage_options, which is something only an administrator can do.

    This code, when pasted into your functions.php file, will display a message when a non-admin tries to access the dashboard:

    function wpse_11244_restrict_admin() {
    
        if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
            return;
        }
    
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( __( 'You are not allowed to access this part of the site' ) );
        }
    }
    
    add_action( 'admin_init', 'wpse_11244_restrict_admin', 1 );
    

    If you prefer, you can provide better user experience by redirecting the user to the home page instead:

    function wpse_11244_restrict_admin() {
    
        if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
            return;
        }
    
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_redirect( home_url() );
            exit;
        }
    }
    
    add_action( 'admin_init', 'wpse_11244_restrict_admin', 1 );
    

    If you want to redirect the user to their profile page, replace home_url() in the code above with the link.

  2. Some of the answers given can be fine in most situations, but I think none of them is guaranteed to do exactly what is asked, because none of the answers check user roles; they check capabilities, and capabilities can be assigned to and removed from roles. So, to give an exact answer, the user roles must be checked, not capabilities:

    add_action( 'admin_init', 'allow_admin_area_to_admins_only');
    function allow_admin_area_to_admins_only() {
    
          if( defined('DOING_AJAX') && DOING_AJAX ) {
                //Allow ajax calls
                return;
          }
    
          $user = wp_get_current_user();
    
          if( empty( $user ) || !in_array( "administrator", (array) $user->roles ) ) {
               //Redirect to main page if no user or if the user has no "administrator" role assigned
               wp_redirect( get_site_url( ) );
               exit();
          }
    
     }
    

    If you want to check that the user has the “manage_options” capability, you can. In fact, it is the best option in most cases. Although this capability is associated by default with administrator users, it can be removed from the admin role or assigned to other user roles. That is why, in most cases, checking what the user can or cannot do is better than checking the user role. So, in most cases checking for capabilities should be the chosen way, but you must have this concept clear and choose the best option for your situation and purpose:

    add_action( 'admin_init', 'admin_area_for_manage_options_only');
    function admin_area_for_manage_options_only() {
    
          if( defined('DOING_AJAX') && DOING_AJAX ) {
                //Allow ajax calls
                return;
          }
    
    
          if( ! current_user_can( "manage_options" ) ) {
               //Redirect to main page if the user has no "manage_options" capability
               wp_redirect( get_site_url( ) );
               exit();
          }
    
     }
    
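  3.

    function wpse_11244_restrict_admin() {
        // admin_init also fires for admin-ajax.php, so let AJAX calls through.
        if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
            return;
        }

        // update_core is a capability that administrators have by default.
        if ( ! current_user_can( 'update_core' ) ) {
            wp_die( __( 'You are not allowed to access this part of the site' ) );
        }
    }

    add_action( 'admin_init', 'wpse_11244_restrict_admin', 1 );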
    
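  4. Put these lines in your functions.php:

    function baw_no_admin_access() {
        // admin_init also fires for admin-ajax.php, so let AJAX calls through.
        if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
            return;
        }

        // Send everyone who is not an administrator back to the home page.
        if ( ! current_user_can( 'administrator' ) ) {
            wp_redirect( home_url() );
            die();
        }
    }
    add_action( 'admin_init', 'baw_no_admin_access', 1 );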
    
  5. Try this. Never throw errors in the face of an end user; it goes against good UX. This code redirects them to Home.

    add_action( 'init', 'blockusers_init' );
    function blockusers_init() {
        if ( is_admin() && ! current_user_can( 'administrator' ) &&
            ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
            wp_redirect( home_url() );
            exit;
        }
    }
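
The second answer's point, that capabilities can be added to or removed from roles, can be verified on a running site. The following is an added example, not code from any of the answers: it lists which roles currently grant manage_options and shows a dashboard warning when that is not exactly the administrator role. The example_* function names are hypothetical.

```php
// Added example for a theme's functions.php; the example_* names are hypothetical.

/**
 * Return the slugs of every role that currently grants $cap.
 * wp_roles()->roles maps each role slug to an array holding
 * 'name' and 'capabilities' ( capability => bool ).
 */
function example_roles_granting_cap( $cap ) {
    $granting = array();
    foreach ( wp_roles()->roles as $slug => $role ) {
        if ( ! empty( $role['capabilities'][ $cap ] ) ) {
            $granting[] = $slug;
        }
    }
    sort( $granting );
    return $granting;
}

/**
 * Warn in the dashboard when 'manage_options' is not granted by exactly
 * the 'administrator' role, i.e. when a capability-based guard and a
 * role-based guard would let different users through.
 */
function example_audit_dashboard_guard() {
    $user     = wp_get_current_user();
    $is_admin = in_array( 'administrator', (array) $user->roles, true );

    // Only users who pass at least one of the two checks see the notice.
    if ( ! $is_admin && ! current_user_can( 'manage_options' ) ) {
        return;
    }

    $granting = example_roles_granting_cap( 'manage_options' );
    if ( array( 'administrator' ) === $granting ) {
        return; // Default mapping: both guards agree at the role level.
    }

    $list = $granting ? implode( ', ', $granting ) : 'no role';
    printf(
        '<div class="notice notice-warning"><p>%s</p></div>',
        esc_html( 'manage_options is currently granted by: ' . $list )
    );
}
add_action( 'admin_notices', 'example_audit_dashboard_guard' );
```

This inspects role definitions only; a capability granted directly to an individual user is not reflected in the list.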