
I would like to hide and restrict access to some Admin menu items in the WordPress backend for all users except the Administrator, who is the site owner.

  1. Those Admin menu items have the following URLs:

     https://www.mysite1.com/wp-admin/edit.php
     https://www.mysite1.com/wp-admin/tools.php
     https://www.mysite1.com/wp-admin/options-general.php
     https://www.mysite1.com/wp-admin/admin.php?page=wpcf7
     https://www.mysite1.com/wp-admin/edit.php?post_type=acf-field-group
     https://www.mysite1.com/wp-admin/admin.php?page=menu-image-options
     https://www.mysite1.com/wp-admin/admin.php?page=revslider
    

To hide those menu items from those who are not Administrator, I use the following code in functions.php:

    add_action( 'admin_init', 'hide_admin_menu_items' );
    function hide_admin_menu_items() {
      $current_user = wp_get_current_user();
      if ($current_user->ID != 1) {
        remove_menu_page('edit.php');                 // Posts      
        remove_menu_page('wpcf7');                    // Contact Form 7
        remove_menu_page('tools.php');                // Tools
        remove_menu_page('options-general.php');      // Settings
        remove_menu_page('edit.php?post_type=acf-field-group');          // ACF plugin
        remove_menu_page('menu-image-options');       // Menu image plugin
        remove_menu_page('revslider');               // Revslider plugin
      }
    }

The above code works very well as intended.

  2. To prevent access to the above pages or URLs, here is the code in functions.php:

     // Prevent access to Admin menu items
     add_action( 'load-edit.php', 'prevent_admin_access' );                          // Posts
     add_action( 'load-wpcf7', 'prevent_admin_access' );                            // Contact form 7 plugin - Not working
     add_action( 'load-tools.php', 'prevent_admin_access' );                        // Tools
     add_action( 'load-options-general.php', 'prevent_admin_access' );             // Settings
     add_action( 'load-acf-field-group', 'prevent_admin_access' );                 // ACF plugin
     add_action( 'load-menu-image-options', 'prevent_admin_access' );         // Image menu plugin - Not working
     add_action( 'load-revslider', 'prevent_admin_access' );                  // Rev slider plugin - Not working
    
     function prevent_admin_access() {
      // $current_user = wp_get_current_user();
      // if ($current_user->ID != 1) {
         // dump and exit user id
         var_dump($user_ID); exit;
    
         if ( $user_ID != 1 ) {
         wp_die("You are not permitted to access this page!");
             exit();
         }
     }
    

The above code doesn't work for some plugins; it doesn't restrict access for those who are not Administrator. I use this guide as a reference:

https://wordpress.stackexchange.com/questions/113322/remove-menu-items-from-admin-page-and-limit-capabilities

What is the correct way of coding, for example,

    Page/URL: https://www.mysite1.com/wp-admin/admin.php?page=wpcf7
    

I use wpcf7 as the page for Contact form 7 plugin which does not work:

    add_action( 'load-wpcf7', 'prevent_admin_access' );

What is the correct page for the Contact Form 7 plugin that should be used in the above code?

I would very much appreciate any help.

2 Answers


  1. Chosen as BEST ANSWER

    FIXED:

    My issue has been fixed by joshmoto. Here is the fully working code.

    1. Hide Admin menu items from users who are not Administrator of WordPress:

         add_action( 'admin_init', 'hide_admin_menu_items' );
         function hide_admin_menu_items() {
           $current_user = wp_get_current_user();
           if ($current_user->ID != 1) {
             remove_menu_page('edit.php');                 // Posts
             remove_menu_page('wpcf7');                    // Contact Form 7
             remove_menu_page('tools.php');                // Tools
             remove_menu_page('options-general.php');      // Settings
             remove_menu_page('edit.php?post_type=acf-field-group');          // ACF plugin
             remove_menu_page('menu-image-options');       // Menu image plugin
             remove_menu_page('revslider');               // Revslider plugin
           }
         }
      
    2. Prevent access to certain Admin pages if users are not Administrators:

         // add action to admin init to dedicate access
         add_action('admin_init', 'prevent_admin_access');
      
         /**
          * if $user_id is not 1 then hide specific admin menu items
          * and prevent access to specific admin php pages
          * @return void
          */
         function prevent_admin_access() {
      
             // global $user_ID var
             global $user_ID;
      
             // if $user_ID is not 1
             if ($user_ID != 1) {
      
                 // remove posts from wp admin menu
                 remove_menu_page('edit.php');
      
                 // global $pagenow
                 global $pagenow;
      
                 // prevent admin access to specific php pages (tools, options-general, admin, edit)
                 // switch case for $pagenow var
                 switch ($pagenow)
                 {
                     case 'tools.php':
                         // if $pagenow is tools.php die and exit message
                         wp_die('You are not allowed to access the Tools page.');
                         break;
      
                     case 'options-general.php':
                         // if $pagenow is options-general.php die and exit message
                         wp_die('You are not allowed to access the Options General page.');
                         break;
      
                     case 'admin.php':
                         // if $pagenow is admin.php...
      
                         // get $page url var param from admin.php page
                         $page = isset($_GET['page']) ? $_GET['page'] : false;
      
                         // switch case $page
                         switch ($page)
                         {
                             case 'wpcf7':
                                 // if $page is wpcf7 die and exit message
                                 wp_die('You are not allowed to access the Contact Form 7 page.');
                                 break;
      
                             case 'menu-image-options':
                                 // if $page is menu-image-options die and exit message
                                 wp_die('You are not allowed to access the Menu Image Options page.');
                                 break;
      
                             case 'revslider':
                                 // if $page is revslider die and exit message
                                 wp_die('You are not allowed to access the Revolution Slider page.');
                                 break;    
      
                             default:
                                 // return if no $page match
                                 return;
                         }
      
                         // break out when done if ever necessary
                         break;
      
                     case 'edit.php':
                         // if $pagenow is edit.php...
      
                         // get $post_type url var param from edit.php page
                         $post_type = isset($_GET['post_type']) ? $_GET['post_type'] : false;
      
                         // switch case $post_type
                         switch ($post_type)
                         {
                             case 'acf-field-group':
                                 // if $post_type is acf-field-group die and exit message
                                 wp_die('You are not allowed to access the ACF Field Group page.');
                                 break;
      
                             default:
                                 // return if no $post_type match
                                 return;
                         }
      
                         // break out when done if ever necessary
                         break;
      
                     default:
                         // return if no $pagenow match
                         return;
      
                 }
      
             }
      
         }
      

    If you have more restricted Admin pages, just add more case ...

    Many thanks


  2. Here is an updated answer below, please read comments below so you know what is happening…

    You will notice in my code comments which cases I have tested and which cases I have not.

    I don’t have the plugins wpcf7, menu-image-options and revslider installed, so it’s hard to predict how these plugin edit screens work.

    Hopefully the logic of how I’ve presented my php code below might give you a better insight in how to accomplish your problem via a single function.

    If you are still having problems, please get back to me.

    Updated code below…

    // add action to admin init to dedicate access
    add_action('admin_init', 'prevent_admin_access');
    
    /**
     * if $user_id is not 1 then hide specific admin menu items
     * and prevent access to specific admin php pages
     * @return void
     */
    function prevent_admin_access() {
    
        // global $user_ID var
        global $user_ID;
    
        // if $user_ID is not 1
        if ($user_ID != 1) {
    
            // remove posts from wp admin menu
            remove_menu_page('edit.php');
    
            // global $pagenow
            global $pagenow;
            
            // prevent admin access to specific php pages (tools, options-general, admin, edit)
            // switch case for $pagenow var
            switch ($pagenow)
            {
                case 'tools.php':
                    // if $pagenow is tools.php die and exit message
                    wp_die('You are not allowed to access the Tools page.');
                    break;
    
                case 'options-general.php':
                    // if $pagenow is options-general.php die and exit message
                    wp_die('You are not allowed to access the Options General page.');
                    break;
    
                case 'admin.php':
                    // if $pagenow is admin.php...
    
                    // get $page url var param from admin.php page
                    $page = isset($_GET['page']) ? $_GET['page'] : false;
    
                    // switch case $page
                    switch ($page)
                    {
                        case 'wpcf7':
                            // if $page is wpcf7 die and exit message
                            wp_die('You are not allowed to access the Contact Form 7 page.');
                            break;
    
                        case 'menu-image-options':
                            // if $page is menu-image-options die and exit message
                            wp_die('You are not allowed to access the Menu Image Options page.');
                            break;
    
                        case 'revslider':
                            // if $page is revslider die and exit message
                            wp_die('You are not allowed to access the Revolution Slider page.');
                            break;    
    
                        default:
                            // return if no $page match
                            return;
                    }
    
                    // break out when done if ever necessary
                    break;
    
                case 'edit.php':
                    // if $pagenow is edit.php...
    
                    // get $post_type url var param from edit.php page
                    $post_type = isset($_GET['post_type']) ? $_GET['post_type'] : false;
    
                    // switch case $post_type
                    switch ($post_type)
                    {
                        case 'acf-field-group':
                            // if $post_type is acf-field-group die and exit message
                            wp_die('You are not allowed to access the ACF Field Group page.');
                            break;
    
                        default:
                            // return if no $post_type match
                            return;
                    }
    
                    // break out when done if ever necessary
                    break;
    
                default:
                    // return if no $pagenow match
                    return;
    
            }
    
        }
    
    }
    

    Anyway, hope this helps you out!
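
A capability-based variant of the gate in the answers above, as an added example that is not part of the original thread or either answer. It goes beyond the accepted code by also blocking the Posts list (`edit.php` with no `post_type`) and answering with HTTP 403; the `mysite_` function names and the use of `manage_options` in place of the hard-coded user ID 1 are assumptions.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.
// Assumption: "administrator" means any user holding the manage_options capability.

// Denylist keyed by $pagenow. null blocks the whole file; otherwise the entry is
// array( query parameter, blocked values ). Slugs are the ones from the question.
function mysite_restricted_screens() {
    return array(
        'tools.php'           => null,
        'options-general.php' => null,
        'admin.php'           => array( 'page', array( 'wpcf7', 'menu-image-options', 'revslider' ) ),
        'edit.php'            => array( 'post_type', array( 'post', 'acf-field-group' ) ),
    );
}

// True when the requested admin screen is on the denylist.
function mysite_is_restricted_request( $pagenow, array $query ) {
    $rules = mysite_restricted_screens();
    if ( ! array_key_exists( $pagenow, $rules ) ) {
        return false;
    }
    if ( null === $rules[ $pagenow ] ) {
        return true;
    }
    list( $param, $blocked ) = $rules[ $pagenow ];
    // edit.php without ?post_type= is the Posts list, so a missing value means 'post'.
    $value = ( 'post_type' === $param ) ? 'post' : '';
    if ( isset( $query[ $param ] ) && is_string( $query[ $param ] ) ) {
        $value = sanitize_key( $query[ $param ] );
    }
    return in_array( $value, $blocked, true );
}

add_action( 'admin_init', function () {
    global $pagenow;
    if ( current_user_can( 'manage_options' ) ) {
        return; // administrators keep full access
    }
    if ( mysite_is_restricted_request( (string) $pagenow, $_GET ) ) {
        // Answer with HTTP 403 instead of wp_die()'s default 500.
        wp_die( 'You are not allowed to access this page.', '', array( 'response' => 403 ) );
    }
} );
```

This gates admin screens only; the plugins' AJAX and REST handlers are separate entry points and rely on their own capability checks.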
