WP Block Admin

This is a simple plugin which blocks access to the admin interface based on a user’s capabilities (permissions).

See the plugin info on wordpress.org.

If you have any support questions, please fire them here as a comment.


54 Responses to WP Block Admin

  1. Scot MacDonald says:

    Callum

    I realize you don’t support this plugin but I thought I’d drop a note in the event you could see an obvious issue. I’m using block Admin with WPMU and Buddypress and I’m trying to keep users from seeing the WP backend. I’ve tried your plugin (I actually thought I had it working for awhile) but users are still getting access after logging in and trying the URL/wp-admin link.

    I’m also using a custom plugin that redirects people logging in to go to their member page in Buddypress versus the backend. Not sure if this is conflicting, but I don’t think so.

    Appreciate your thoughts…

    Thx

    • Callum says:

      @Scot MacDonald: Hey Scot, nice surname! :)

      My guess is that you’re seeing problems because your users are admins on the blog. Somebody else recently asked me about a WPMU version related to buddyPress and I modified the plugin slightly for them. It seemed to work well. I’ve added that code to the plugin but commented it out. Version 0.1.2 should appear on wp.org in an hour or two, when that does, look at line 37 and you should be able to make it work for WPMU quite easily. Just comment out line 36 and uncomment line 38.

  2. baron says:

    hi. Thanks for plugin

    perfect.

    Regards

  3. Scot says:

    Callum

    Thanks for the input. Looking forward to trying the new code.

    As it turns out though, I have my new users defaulted to Author. I’ve tried using the plugin with both new ‘members’ and new ‘blogs’ and it still isn’t working right. I’ve removed the other plugin that had the redirect and still no go. One thing I have noticed is that providing a redirect URL is definitely not working as users are always taken to the homepage regardless of what I use. All of this said, there are cache issues with Buddypress as well so maybe that’s part of the problem as well. Makes it challenging to test I must say.

    I know a lot of Buddypress users are looking for a way to hide the admin area as it is very confusing for users who have the BP profile and then find themselves behind the wall in the admin section with another profile.

    Cheers

    ps – I’m from Atlantic Canada and was in Edinburgh last year. Spent some time at The Last Drop. :)

    • Callum says:

      @Scot: I’m not sure what’s going on with buddyPress. This plugin is called as early as possible in the WP boot up, so at a guess I’d say it would work with a caching plugin (I haven’t looked into it).

      To aid debugging, try adding some exit('message'); calls to the plugin. That will help you to see if it’s being called.

  4. Jonah Korbes says:

    Hey Callum,

    Your plugin does exactly what I was looking for. I installed it and found that it wasn’t working for some reason. After looking at the code, I saw the problem:

    if (strpos(strtolower($_SERVER['REQUEST_URI']),'/wp-admin/')) {

    should be

    if (strpos(strtolower($_SERVER['REQUEST_URI']),'/wp-admin/') !== false) {

    Since the strpos() of ‘/wp-admin/’ can return zero, the value needs to be evaluated as not equal to false; otherwise, the user’s access level is never checked for blogs that are installed on the root of a domain.

    Thanks for the plugin!

  5. jack says:

    Thanks for Plugin. :)

  6. Malcolm says:

    Thanks for that plugin! I just installed it and it worked without having to change anything. Now I’m wondering if you’ve ever thought of removing the “Site Admin” link when it’s deactivated by WP Block Admin :-)

    • Callum says:

      @Malcolm: I think you can get rid of that via your theme. It’s part of the Meta widget I believe. Not sure if / how I’d plug into that to remove it. Interesting idea though… :-)

  7. Malcolm says:

    Thanks. If I’d get rid of that link in the theme, I’d want to condition that getting-rid-of on your plugin having deactivated the link (or redirecting it, whatever you do). Can you think of a test I could make?

  8. Malcolm says:

    Thanks! I’ll give that a try and report back.

  9. Malcolm says:

    Yep, that worked after I realized I needed to add the setup for $wpba_required_capability :-) Now the Site Admin link doesn’t appear unless it’s functional.

    Thanks for the help and for the great plugin!

    • Callum says:

      Malcolm: I’m surprised you need to setup $wpba_required_capability. Are you calling it within a function maybe? You could try making it global, that might do the trick. I’d guess that all the plugins are loaded (and so $wpba_required_capability is setup) before the theme loop starts, but I might be wrong.

  10. Malcolm says:

    It’s working perfectly now. But here’s the code if you want to take a look:


    <?php global $wpba_required_capability;
    if (current_user_can($wpba_required_capability))
        wp_register();
    ?>

  11. Malcolm says:

    You can login to the site (http://ca-bankruptcylaw.com) if you want with the following ID and password if you want to see it in action:

    ID: eastmont1 PW: 123

  12. Caciano says:

    Hi Callum,

    Greeeeat plugin,

    But I have some issues with the upload page: every time I send a file, the iframe with the forms (Legend, Title, Description etc) redirects to the home. I’m using WP 2.7.1 …

    The upload works nice, just this redirect is a little inconvenience…

    Any idea why this happens?

    Thanks!

    • Callum says:

      @Caciano: Aha. It sounds like that form is in /wp-admin/ even though it is used on the front end. Interesting. Try changing line 51, which is currently:
      if (strpos(strtolower($_SERVER['REQUEST_URI']),'/wp-admin/') !== false) {
      to this:
      if (is_admin()) {

      If that works for you, I’ll probably change the plugin to use that method.

  13. Caciano says:

    Thanks Callum, now it works perfectly!

  14. andy says:

    I admit that I have not had a chance yet to look at the code yet (busy morning) but we have been recommending this plugin to users of our forum plugin and with our latest release added the technique as an option. Are you aware that (at least using WP2.8) it disables the use of the flash uploader?

    • Callum says:

      @andy: Try changing line 51 from:
      if (strpos(strtolower($_SERVER['REQUEST_URI']),'/wp-admin/') !== false) {
      to:
      if (is_admin()) {

      Does that resolve the issues with 2.8? I don’t use the plugin personally so I don’t test it. Are you interested in taking over the maintenance of the code?

      If that change works for you (it worked for somebody else recently), I’ll make the change and push out a new version.

      • andy says:

        No – still no luck. Can’t really see why though unless the WP guys have screwed up the capabilities check for image uploading….

  15. Anthony says:

    Hi, is there any way I can use this for WPMU but not completely block my users? I saw your first suggestion but I do not have buddypress so I do need to give my users some access for the standard menus and for some menus that my addons created. I’m not sure how the first poster had blogs defaulted to author users but my users are Admins.

  16. Anthony says:

    Ok, So I switch the commented lines and then what would be a code I would use to add in each capability to block?

    • Callum says:

      I don’t think I’ve ever replied to your question, apologies.

      If you’re still having the issue, you can edit line 18. It’s clearly marked in the code.

  17. Kate says:

    Hey there,
    Great plugin!
    I am a bit of a newbie, so don’t want to play around too much in case I break something (I have the horrible wordpress version 2.8 and it’s very temperamental, so much so in fact it won’t let me upgrade!!)
    Anyway, back to the point. Can you please let me know what code I need to put in and where to make this only redirect subscribers? Sorry I have done a bit of googling to try and find the answer to this but there doesn’t seem to be one.
    thanks again! :)

    • Callum says:

      You want to redirect subscribers but nobody else. Is that correct?

      You can edit line 18 of the plugin. Choose a new capability. Looking at this list, contributors have “edit_posts” and “delete_posts” capabilities while subscribers don’t. I’d guess either of those would work, if I’ve understood what you want correctly. Please share your solution back here for others.

  18. Dusty says:

    THANK YOU!

    I was searching for hours for a plugin like this one!

    I was just looking for the wrong thing, but thanks, now I have it, it works like a charm!

  19. Peter Ng says:

    Hrmm I’m on 2.9 and still having the same 2.8 issues with the http error upon uploading an image. Substituting is_admin does not fix this problem. Something to do with the wp_redirect?

    • Callum says:

      I’m not sure what causes the issues with the image uploader. I wrote this plugin for somebody else and haven’t used or tested it since. If you’re able to find the problem and would like to submit a patch, please do. If you’d like to take over the maintenance of the code give me a holler. :-)

  20. Sam hermans says:

    I’m having the same issue with the image uploader, looking into it as we speak and I will hopefully be able to provide a solution soon.

  21. Sam hermans says:

    Okay, Here goes:
    Line 51:
    ————
    // Is this the admin interface? / ignore upload requests
    if (strpos(strtolower($_SERVER['REQUEST_URI']),'/wp-admin/') !== false && strpos(strtolower($_SERVER['REQUEST_URI']),'async-upload.php') === false) {
    ————

    Strpos may not be the way to go here, but i’m going with the flow …

    Sam Hermans
    Http://www.greeenfudge.org

  22. Clayton Narcis says:

    This breaks any ajax calls to admin-ajax.php. Any workaround?

    And if the user logs in, they will still be able to access by placing the entire url such as myblog.com/wp-admin/edit.php

    • Callum says:

      I’m sending you a slightly modified version now. Hopefully it allows requests to admin-ajax.php. Can you test and report back?

      If the user logs in and tries to access an admin url directly, the plugin should redirect them. Are you seeing a problem with this?

      • Clayton Narcis says:

        Yup, it works.

        As for the mentioned problem with edit.php, after flushing the cookie and browser cache, it was working already :D

        Btw,
        whenever I open your file, something happens to the encoding, nothing big. Here’s a sample

        if (strpos(strtolower($_SERVER['REQUEST_URI']),’/wp-admin/’) !== false

        Note the ’

        • Callum says:

          Great, thanks for the confirmation. I think that’s because of a bug I introduced in 0.2.1. I’ve just pushed out version 0.2.2, the code is in SVN, it should hit wordpress.org shortly. I recommend immediate upgrade from 0.2.1 because of the bug. The issue was because I replaced quotes with backticks which produced an error about dividing by zero on some servers.
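
An added example, not part of the thread or the plugin's own code: it contrasts the loose and strict strpos() checks from comment 4 and shows a gate that decides on the parsed path, with admin-ajax.php and async-upload.php (comments 21 and 22) exempted by exact file name. The function names and sample URIs are hypothetical.

```php
<?php
// Added illustration; function names are hypothetical, not the plugin's.

// Loose check from comment 4: strpos() returns int 0 for a match at offset 0,
// and 0 is falsy, so a blog installed at the domain root is never gated.
function is_admin_uri_loose(string $uri): bool {
    return (bool) strpos(strtolower($uri), '/wp-admin/');
}

// Strict check from comment 4: only a strict false means "not found".
function is_admin_uri_strict(string $uri): bool {
    return strpos(strtolower($uri), '/wp-admin/') !== false;
}

// Path-based gate: decide on the parsed path only, so query-string contents
// cannot change the result, and exempt the two endpoints by exact file name.
function should_block(string $uri, bool $has_capability): bool {
    $path = parse_url($uri, PHP_URL_PATH);
    if (!is_string($path)) {
        return !$has_capability; // unparseable URI: fail closed
    }
    $path = strtolower($path);
    if (strpos($path, '/wp-admin/') === false) {
        return false; // not an admin request
    }
    $exempt = ['admin-ajax.php', 'async-upload.php'];
    if (in_array(basename($path), $exempt, true)) {
        return false; // AJAX calls and the uploader keep working
    }
    return !$has_capability;
}

// Constructed sample URIs (not taken from any real site).
$samples = [
    '/wp-admin/edit.php',                        // root install, offset 0
    '/blog/wp-admin/edit.php',                   // subdirectory install
    '/wp-admin/admin-ajax.php?action=example',   // exempt endpoint
    '/wp-admin/async-upload.php',                // exempt endpoint
    '/wp-admin/edit.php?ref=async-upload.php',   // name only in the query string
    '/2010/06/hello-world/',                     // front-end page
];
foreach ($samples as $uri) {
    printf("%-42s loose=%-5s strict=%-5s block=%s\n", $uri,
        var_export(is_admin_uri_loose($uri), true),
        var_export(is_admin_uri_strict($uri), true),
        var_export(should_block($uri, false), true));
}
```
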

  23. Kimmo says:

    I started using WP Block Admin only yesterday. Today I was prompted to upgrade to version 0.2.1 I did, but this creates havoc on my blog.

    I get the following messages on the admin area and the site:

    Warning: Division by zero in /var/www/fs2/24/gradutak/public_html/wp-content/plugins/wp-block-admin/wp-block-admin.php on line 52

    Warning: Cannot modify header information – headers already sent by (output started at /var/www/fs2/24/gradutak/public_html/wp-content/plugins/wp-block-admin/wp-block-admin.php:52) in /var/www/fs2/24/gradutak/public_html/wp-includes/pluggable.php on line 868

    Is there anything that could be done?

    • Callum says:

      Apologies for the error. I’m sending you a slightly modified version of the plugin now. I think the quotes are wrong on line 52. If you can test and report back, I’ll push out the update as soon as possible.

      • Kimmo says:

        Hi Callum! Sry, but it didn’t help. I get the same error:

        Warning: Division by zero in /var/www/fs2/24/gradutak/public_html/wp-content/plugins/wp-block-admin/wp-block-admin.php on line 52

        • Callum says:

          Apologies, I didn’t actually make that fix before I sent you the file. I’m sending a new version now, hopefully this one works. I just tested on my server and it has cleared up the error for me.

          • Kimmo says:

            Yes, it seems to be working now! Thank you very much for your efforts!

            I’m not familiar with php, so that leaves me a bit clueless in matters such as these. But it’s great there are more knowledgeable people around! Thanks!

  24. chorng says:

    thanks for the plugin ! work like a charm

  25. john says:

    hey Callum

    the plugin works great but only if a user is logged in. how can I redirect non-logged in users from accessing wp-admin or wp-login.php?

    • Callum says:

      If you direct non-logged in users from wp-login.php and wp-admin/ then you’ll never be able to login once you are logged out. That would completely break the admin unless you’re using some completely different login method. If you are, I would suggest replacing the contents of wp-login.php with something like . That will redirect all attempts to access wp-login.php to another page. However, you can’t easily redirect everything in wp-admin/ because some files are necessary for the operation of WordPress.

  26. john says:

    I guess you’re right.

    But,

    maybe the plugin could set up a new page that will handle just the redirection? For example, if the user is not logged in, then we show a special login page on which he can input his data, then after the data is recognized it’s sent to wp-login.php and redirection doesn’t occur. Well, at least that’s something I thought of.

    I think that this special login page doesn’t really have to be that complicated. I think we need to find a way to show wp-login.php or /wp-admin/ (if the user is not logged in) only if called from that special page.

    What do you think?

    • Callum says:

      That is possible. It might also be possible to simply rename wp-login.php with one or two clever tricks.

      Personally, I wrote this plugin for hire years ago. I don’t use it personally and don’t really support it. I don’t have any desire to write new code or expand functionality. I’ve fixed one or two issues as they arose, made slight improvements to the plugin, but I’m not open to major changes. You may be able to find somebody on RentaCoder.com to add the functionality you’re looking for. That’s where I got my start in professional WordPress stuff, there seemed to be a lot of other developers familiar with WordPress on there.

  27. Pingback: Classroom Technology Thoughts (Twitter Weekly Updates) for 2010-06-07 | blog.classroomteacher.ca

  28. Bandonrandon says:

    Hey Callum,

    I made some changes to your plugin. I noticed that users were still able to visit wp-login.php even without the proper permissions. I made it so they couldn’t visit either wp-admin or wp-login.php which made an endless loop where you couldn’t get to the login page (oops). I went ahead and wrapped the whole thing in the “is_user_logged_in()” tag. Now, logged in users can’t visit wp-login.php or wp-admin. You can see my changes here: http://pastebin.com/xq6x26fn

    Feel free to take them or leave them.

    • Callum says:

      As I read your code, only users who are logged in will be redirected, anyone else who tries to access the admin will be sent to the login page. I’m not sure if that’s sensible or not.

      The only other change I see in your code is that users who are already logged in, cannot access wp-login.php. That means that they can’t log out because wp-login.php?action=logout is the url to log out.

      Thanks for taking the time to share your changes, I really appreciate it. Are you familiar with the diff and patch tools? They’re a great way to share changes like this. At this time I will reject your changes because I don’t see any benefit and I see some downsides. However, maybe I’ve misread your code, so I’m open to better understanding what you intended.
