In a multi-user WordPress environment, ensuring secure and controlled access to administrative functions is critical. By default, WordPress assigns capabilities to user roles like Administrator, Editor, and Author. However, in some cases, you may want to grant unrestricted access only to a specific user (e.g., the main site admin) while limiting others, even if they have administrative roles.
In this post, we’ll explore a custom function designed to enhance your site’s security by restricting the ability to install, activate, or deactivate themes and plugins, as well as manage users. This restriction applies to all users except the one with user ID 1—the primary admin.
Why Restrict Admin Capabilities?
Allowing multiple users to access sensitive admin functions increases the risk of unintended changes or vulnerabilities being introduced. For example:
- A user might install a poorly coded or outdated plugin, creating security vulnerabilities.
- Theme or plugin deactivation could break critical site functionality.
- Unauthorized user management could lead to privilege escalation or accidental user deletions.
By restricting these actions, you can maintain tighter control over your site’s integrity while still allowing other admins to perform day-to-day tasks.
The Custom Function
The custom function we’ll use adds a layer of protection by blocking access to:
- Theme and plugin management pages.
- User management screens.
It ensures that only the main administrator (user ID 1) retains full control while other admin users encounter a permission-denied message when attempting to access restricted areas.
Key Features of the Function
- User-Specific Access Control: The function identifies the current user and applies restrictions unless they are the main admin (user ID
1). - Comprehensive Blocking: Access to theme, plugin, and user management pages is disabled, ensuring sensitive settings remain unchanged.
- Customizable and Lightweight: You can easily adapt the code to suit your specific requirements without relying on external plugins.
Implementation
You can implement this function by adding the provided code snippet to your theme’s functions.php file or by creating a custom plugin. Once in place, your WordPress site gains an additional layer of security, reducing the risk of accidental or unauthorized changes by other users.
| <?php | |
| /** | |
| * Prevent administrators from managing themes, plugins, and users | |
| * Excludes user with ID 1 from all restrictions | |
| * Add this code to your theme's functions.php file or in a custom plugin | |
| */ | |
| function should_restrict_user() | |
| { | |
| $current_user_id = get_current_user_id(); | |
| return $current_user_id !== 1; | |
| } | |
| function restrict_theme_plugin_access() | |
| { | |
| if (is_admin() && !defined('DOING_AJAX')) { | |
| // Get current user ID | |
| $current_user_id = get_current_user_id(); | |
| // Allow only user with ID 1 | |
| if (should_restrict_user()) { | |
| // Restrict theme modifications | |
| remove_submenu_page('themes.php', 'themes.php'); // Hide Themes | |
| remove_submenu_page('themes.php', 'theme-editor.php'); // Hide Theme Editor | |
| // Restrict plugin modifications | |
| remove_menu_page('plugins.php'); // Hide Plugins | |
| remove_submenu_page('plugins.php', 'plugin-install.php'); // Hide Plugin Install | |
| remove_submenu_page('plugins.php', 'plugin-editor.php'); // Hide Plugin Editor | |
| } | |
| } | |
| } | |
| add_action('admin_menu', 'restrict_theme_plugin_access', 100); | |
| // Restrict plugin activation/deactivation | |
| function restrict_plugin_activation_deactivation($allcaps, $cap, $args) | |
| { | |
| // Check if the current capability is plugin activation or deactivation | |
| if (in_array($args[0], [ | |
| 'activate_plugins', | |
| 'deactivate_plugins', | |
| 'install_themes', | |
| 'switch_themes', | |
| 'edit_themes', | |
| 'delete_themes', | |
| 'install_plugins', | |
| 'activate_plugins', | |
| 'edit_plugins', | |
| 'delete_plugins' | |
| ])) { | |
| if (should_restrict_user()) { | |
| $allcaps[$cap[0]] = false; | |
| } | |
| } | |
| return $allcaps; | |
| } | |
| add_filter('user_has_cap', 'restrict_plugin_activation_deactivation', 10, 3); | |
| function block_admin_pages() | |
| { | |
| if (should_restrict_user()) { | |
| $restricted_pages = array( | |
| 'theme-install.php', | |
| 'themes.php', | |
| 'theme-editor.php', | |
| 'plugin-install.php', | |
| 'plugins.php', | |
| 'plugin-editor.php', | |
| 'users.php', | |
| 'user-new.php', | |
| 'profile.php' | |
| ); | |
| global $pagenow; | |
| if (in_array($pagenow, $restricted_pages)) { | |
| wp_die(__('Access Denied: You do not have permission to access this page.')); | |
| } | |
| } | |
| } | |
| add_action('admin_init', 'block_admin_pages'); |
