WordPress: Restrict Admin Area, Admin Bar + Login & Logout Redirection

Access Control for WP Users

When building certain types of WordPress sites, you may need to hide the WordPress admin bar and the admin area altogether.

Let’s say you have a site that allows users to log in and make comments or have any other interactivity while logged in.
By default, when a user logs in, the admin bar is displayed, which allows them to access the admin area at /wp-admin. Further, even if the admin bar is disabled, the user can still access the admin area by typing in the URL.

It’s worth pointing out that admin area access, and the menu options that are available, depend on the user’s assigned role (editor, contributor, subscriber). By default, the admin area for non-admins is restricted to the capability level of their role; only admins can do critical things like manage options and install plugins and themes. But disabling access can prevent confusion for your users and keep them focused on the areas where you want them.

In addition, once a user logs in or logs out, one usually wants to control which page the user gets redirected to.

Here are some quick snippets that will allow you to control these areas, using redirection when users attempt to access the admin area.
These can be placed directly in the functions.php file of your theme. Alternatively, the full code at the bottom of the article can be used as a standalone plugin, which you can download and install using the normal process.

Note: In the final version of the code, all functions are wrapped in a negative existence check using the PHP function function_exists with the ! preceding it. This prevents collisions in the event that a function with the same name already exists. You can also prefix the function names with anything you want by replacing the acaa_ in the name with something of your choosing.

Admin Bar Access Control
This snippet defines a function that uses the current_user_can function to check the capabilities of the current user. In this case we pass in the manage_options string, a capability assigned to users with the Administrator role. Because the check is preceded by ! (Not), the condition is true when the user does not have the manage_options capability. The function then calls show_admin_bar with a boolean argument of false, which sets the admin bar to not be displayed. The function is attached to the show_admin_bar filter hook immediately beneath it.

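function acaa_admin_bar_control( $show ) {
     if ( ! current_user_can( 'manage_options' ) ) {
          show_admin_bar( false );
          // A filter callback must return the filtered value.
          return false;
     }
     // Administrators keep whatever value WordPress already decided on;
     // returning nothing here would hide the bar for them as well.
     return $show;
}
add_filter( 'show_admin_bar', 'acaa_admin_bar_control' );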

Admin Area Access Control
One way of restricting access to the admin area is to check the user’s capabilities, using the same method as in the previous snippet, and then call the built-in redirect function wp_safe_redirect, passing in the home_url function as an argument. We also add the is_admin function to the condition. It’s worth mentioning that the name of this function has been a source of confusion, as it is often misunderstood to be a check of the user role, but this is not the case. This function simply returns true if the user is trying to access the admin area. It does NOT check whether the user’s role is administrator. In addition, we include another set of conditions to ensure that an AJAX operation is not being executed.

If the conditions are met, which in this case means the user is trying to access the admin area, is not an administrator, and no AJAX request is being made, then the code executes and redirects to the home page, as returned by the home_url function.

Note: If you would like to direct the user to a specific page, you can pass in an end point as an argument of the home_url function. For example, to redirect them to the shop page you can use home_url( '/shop' ), or if you have an about page, home_url( '/about' ).

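function acaa_restrict_admin() {
     // is_admin() is true for any admin-area request, whatever the user's role.
     if ( is_admin() &&
          ! current_user_can( 'manage_options' ) &&
          ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
          // Send non-administrators to the home page and stop processing.
          wp_safe_redirect( home_url() );
          exit;
     }
}
add_action( 'admin_init', 'acaa_restrict_admin' );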

Login/Logout Redirection
Finally, when users log in or log out you may want to direct them back to the home page, rather than back to the login screen, which is the default. To do so we’ll hook into the built-in login_redirect and logout_redirect filters and override the URL they return with our own.

Again you see the home_url function, which can be used in the same manner mentioned previously to redirect to a specific page.

function acaa_auth_redirect( $url ) {
     // Ignore the incoming URL and always send the user to the home page.
     return home_url();
}
add_filter( 'login_redirect', 'acaa_auth_redirect' );
add_filter( 'logout_redirect', 'acaa_auth_redirect' );
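
A role-aware variant of the login redirect, as an added example that is not part of the original article's code: it uses the three-argument form of the login_redirect filter so that administrators keep their requested destination while everyone else goes to the home page. The function name acaa_role_aware_login_redirect is hypothetical, and it is meant to replace the login_redirect line above rather than run alongside it.

```php
<?php
/**
 * Added example (not from the original article): role-aware login redirect.
 * The function name is hypothetical; swap the acaa_ prefix as you like.
 */
if ( ! function_exists( 'acaa_role_aware_login_redirect' ) ) {
	/**
	 * @param string           $redirect_to           Destination WordPress intends to use.
	 * @param string           $requested_redirect_to Destination requested via redirect_to.
	 * @param WP_User|WP_Error $user                  WP_User on success, WP_Error otherwise.
	 * @return string URL to redirect to.
	 */
	function acaa_role_aware_login_redirect( $redirect_to, $requested_redirect_to, $user ) {
		// The filter also runs when the login form is merely displayed or the
		// login failed; $user is then a WP_Error, so leave the URL alone.
		if ( ! ( $user instanceof WP_User ) ) {
			return $redirect_to;
		}

		// Check the $user argument, not current_user_can(): wp_signon() does
		// not set the current user, so the global still reflects the
		// pre-login state during this request.
		if ( $user->has_cap( 'manage_options' ) ) {
			return $redirect_to; // Administrators keep their destination.
		}

		// Everyone else would be bounced out of /wp-admin by the admin_init
		// check anyway, so send them straight to the home page.
		return home_url();
	}
}
// Priority 10, and 3 accepted arguments so that $user reaches the callback.
add_filter( 'login_redirect', 'acaa_role_aware_login_redirect', 10, 3 );
```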

The Entire Code
Note: You can download the zip by visiting the GitHub page, or just copy the snippets you would like into the functions.php file of your child theme.