In a multi-user WordPress environment, ensuring secure and controlled access to administrative functions is critical. By default, WordPress assigns capabilities to user roles like Administrator, Editor, and Author. However, in some cases, you may want to grant unrestricted access only to a specific user (e.g., the main site admin) while limiting others, even if they have administrative roles.
In this post, we’ll explore a custom function designed to enhance your site’s security by restricting the ability to install, activate, or deactivate themes and plugins, as well as manage users. This restriction applies to all users except the one with user ID 1—the primary admin.
Why Restrict Admin Capabilities?
Allowing multiple users to access sensitive admin functions increases the risk of unintended changes or vulnerabilities being introduced. For example:
- A user might install a poorly coded or outdated plugin, creating security vulnerabilities.
- Theme or plugin deactivation could break critical site functionality.
- Unauthorized user management could lead to privilege escalation or accidental user deletions.
By restricting these actions, you can maintain tighter control over your site’s integrity while still allowing other admins to perform day-to-day tasks.
The Custom Function
The custom function we’ll use adds a layer of protection by blocking access to:
- Theme and plugin management pages.
- User management screens.
It ensures that only the main administrator (user ID 1) retains full control while other admin users encounter a permission-denied message when attempting to access restricted areas.
Key Features of the Function
- User-Specific Access Control: The function identifies the current user and applies restrictions unless they are the main admin (user ID
1). - Comprehensive Blocking: Access to theme, plugin, and user management pages is disabled, ensuring sensitive settings remain unchanged.
- Customizable and Lightweight: You can easily adapt the code to suit your specific requirements without relying on external plugins.
Implementation
You can implement this function by adding the provided code snippet to your theme’s functions.php file or by creating a custom plugin. Once in place, your WordPress site gains an additional layer of security, reducing the risk of accidental or unauthorized changes by other users.
