This is a simple plugin which blocks access to the admin interface based on a user’s capabilities (permissions).
See the plugin info on wordpress.org.
If you have any support questions, please fire them here as a comment.
Callum
I realize you don’t support this plugin but I thought I’d drop a note in the event you could see an obvious issue. I’m using block Admin with WPMU and Buddypress and I’m trying to keep users from seeing the WP backend. I’ve tried your plugin (I actually thought I had it working for awhile) but users are still getting access after logging in and trying the URL/wp-admin link.
I’m also using a custom plugin that redirects people logging in to go to their member page in Buddypress versus the backend. Not sure if this is conflicting, but I don’t think so.
Appreciate your thoughts…
Thx
@Scot MacDonald: Hey Scot, nice surname!
My guess is that you’re seeing problems because your users are admins on the blog. Somebody else recently asked me about a WPMU version related to buddyPress and I modified the plugin slightly for them. It seemed to work well. I’ve added that code to the plugin but commented it out. Version 0.1.2 should appear on wp.org in an hour or two, when that does, look at line 37 and you should be able to make it work for WPMU quite easily. Just comment out line 36 and uncomment line 38.
hi. Thanks for plugin
perfect.
Regards
Callum
Thanks for the input. Looking forward to trying the new code.
As it turns out though, I have my new users defaulted to Author. I’ve tried using the plugin with both new ‘members’ and new ‘blogs’ and it still isn’t working right. I’ve removed the other plugin that had the redirect and still no go. One thing I have noticed is that providing a redirect URL is definitely not working as users are always taken to the homepage regardless of what I use. All of this said, there are cache issues with Buddypress as well so maybe that’s part of the problem as well. Makes it challenging to test I must say.
I know a lot of Buddypress users are looking for a way to hide the admin area as it is very confusing for users who have the BP profile and then find themselves behind the wall in the admin section with another profile.
Cheers
ps – I’m from Atlantic Canada and was in Edinburgh last year. Spent some time at The Last Drop.
@Scot: I’m not sure what’s going on with buddyPress. This plugin is called as early as possible in the WP boot up, so at a guess I’d say it would work with a caching plugin (I haven’t looked into it).
To aid debugging, try adding some exit(‘message’); calls to the plugin. That will help you to see if it’s being called.
Hey Callum,
Your plugin does exactly what I was looking for. I installed it and found that it wasn’t working for some reason. After looking at the code, I saw the problem:
if (strpos(strtolower($_SERVER['REQUEST_URI']),'/wp-admin/')) {
should be
if (strpos(strtolower($_SERVER['REQUEST_URI']),'/wp-admin/') !== false) {
Since the strpos() of ‘/wp-admin/’ can return zero, the value needs to be evaluated as not equal to false; otherwise, the user’s access level is never checked for blogs that are installed on the root of a domain.
Thanks for the plugin!
@Jonah Korbes: You are absolutely correct. I routinely make that mistake with strpos. I have added your fix and a note crediting you. Thanks for the fix.
Thanks for Plugin.
Thanks for that plugin! I just installed it and it worked without having to change anything. Now I’m wondering if you’ve ever thought of removing the “Site Admin” link when it’s deactivated by WP Block Admin
@Malcolm: I think you can get rid of that via your theme. It’s part of the Meta widget I believe. Not sure if / how I’d plug into that to remove it. Interesting idea though…
Thanks. If I’d get rid of that link in the theme, I’d want to condition that getting-rid-of on your plugin having deactivated the link (or redirecting it, whatever you do). Can you think of a test I could make?
@Malcolm: You could use the same test as in the plugin itself.
if (!current_user_can($wpba_required_capability))
Thanks! I’ll give that a try and report back.
Yep, that worked after I realized I needed to add the setup for $wpba_required_capability
Now the Site Admin link doesn’t appear unless it’s functional.
Thanks for the help and for the great plugin!
Malcolm: I’m surprised you need to setup $wpba_required_capability. Are you calling it within a function maybe? You could try making it global, that might do the trick. I’d guess that all the plugins are loaded (and so $wpba_required_capability is setup) before the theme loop starts, but I might be wrong.
It’s working perfectly now. But here’s the code if you want to take a look:
<?php global $wpba_required_capability;
if (current_user_can($wpba_required_capability))
wp_register();
?>
You can login to the site (http://ca-bankruptcylaw.com) if you want with the following ID and password if you want to see it in action:
ID: eastmont1 PW: 123
Hi Callum,
Greeeeat plugin,
But I have some issues with the upload page: every time I send a file, the frame with the forms (Legend, Title, Description etc), the iframe, redirects to the home. I’m using WP 2.7.1 …
The upload works nice, just this redirect is a little inconvenience…
Any idea why this happens?
Thanks!
@Caciano: Aha. It sounds like that form is in /wp-admin/ even though it is used on the front end. Interesting. Try changing line 51, which is currently:
if (strpos(strtolower($_SERVER['REQUEST_URI']),'/wp-admin/') !== false) {
to this:
if (is_admin()) {
If that works for you, I’ll probably change the plugin to use that method.
Thanks Callum, now it works perfectly!
I admit that I have not had a chance yet to look at the code yet (busy morning) but we have been recommending this plugin to users of our forum plugin and with our latest release added the technique as an option. Are you aware that (at least using WP2.8) it disables the use of the flash uploader?
@andy: Try changing line 51 from:
if (strpos(strtolower($_SERVER['REQUEST_URI']),'/wp-admin/') !== false) {
to:
if (is_admin()) {
Does that resolve the issues with 2.8? I don’t use the plugin personally so I don’t test it. Are you interested in taking over the maintenance of the code?
If that change works for you (it worked for somebody else recently), I’ll make the change and push out a new version.
No – still no luck. Can’t really see why though unless the WP guys have screwed up the capabilities check for image uploading….
Hi, is there any way I can use this for WPMU but not completely block my users? I saw your first suggestion but I do not have buddypress so I do need to give my users some access for the standard menus and for some menus that my addons created. I’m not sure how the first poster had blogs defaulted to author users but my users are Admins.
You can use the plugin as a starting point then modify it to your own requirements.
Ok, So I switch the commented lines and then what would be a code I would use to add in each capability to block?
I don’t think I’ve ever replied to your question, apologies.
If you’re still having the issue, you can edit line 18. It’s clearly marked in the code.
Hey there,
Great plugin!
I am a bit of a newbie, so don’t want to play around too much in case I break something (I have the horrible wordpress version 2.8 and it’s very temperamental, so much so in fact it won’t let me upgrade!!)
Anyway, back to the point. Can you please let me know what code I need to put in and where to make this only redirect subscribers? Sorry I have done a bit of googling to try and find the answer to this but there doesn’t seem to be one.
thanks again!
You want to redirect subscribers but nobody else. Is that correct?
You can edit line 18 of the plugin. Choose a new capability. Looking at this list, contributors have “edit_posts” and “delete_posts” capabilities while subscribers don’t. I’d guess either of those would work, if I’ve understood what you want correctly. Please share your solution back here for others.
THANK YOU!
I was searching for hours for a plugin like this one!
I was just looking for the wrong thing, but thanks, now I have it, it works like a charm!
Hrmm i’m on 2.9 and still having the same 2.8 issues with the http error upon uploading an image. Substituting is_admin does not fix this problem. Something to do with the wp_redirect?
I’m not sure what causes the issues with the image uploader. I wrote this plugin for somebody else and haven’t used or tested it since. If you’re able to find the problem and would like to submit a patch, please do. If you’d like to take over the maintenance of the code give me a holler.
I’m having the same issue with the image uploader, looking into it as we speak and i will hopefully be able to provide a solution soon
Okay, Here goes:
Line 51:
————
// Is this the admin interface? / ignore upload requests
if (strpos(strtolower($_SERVER['REQUEST_URI']),'/wp-admin/') !== false && strpos(strtolower($_SERVER['REQUEST_URI']),'async-upload.php') === false) {
————
Strpos may not be the way to go here, but i’m going with the flow …
Sam Hermans
Http://www.greeenfudge.org
Awesome, thanks for the fix Sam. I’ve committed it, I’ll notify Peter and see if it fixes his issue.
awesome, new plugin seems to work great even in wordpress 3.0
This breaks any ajax calls to admin-ajax.php. Any workaround?
And if the user logs in, they will still be able to access by placing the entire url such as myblog.com/wp-admin/edit.php
I’m sending you a slightly modified version now. Hopefully it allows requests to admin-ajax.php. Can you test and report back?
If the user logs in and tries to access an admin url directly, the plugin should redirect them. Are you seeing a problem with this?
Yup, it works.
As for the mention problem edit.php, after flushing the cookie and browser cache, it was working already
Btw,
whenever i open your file, something happens to the encoding, nothing big. Here’s a sample
if (strpos(strtolower($_SERVER['REQUEST_URI']),’/wp-admin/’) !== false
Note the ’
Great, thanks for the confirmation. I think that’s because of a bug I introduced in 0.2.1. I’ve just pushed out version 0.2.2, the code is in SVN, it should hit wordpress.org shortly. I recommend immediate upgrade from 0.2.1 because of the bug. The issue was because I replaced quotes with backticks which produced an error about dividing by zero on some servers.
No worries. Thanks!
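An added example, not part of the thread or the plugin's own code: the request checks discussed above (the loose strpos() test, the strict test with the async-upload.php exemption, and a check on the parsed path only) run side by side over constructed request URIs. The function names are hypothetical, and exempting admin-ajax.php is an assumption based on the report earlier in the thread.

```php
<?php
// Added example: hypothetical helper names; the sample URIs are constructed.

// Loose check as first posted in the thread: strpos() returns 0 (falsy) when
// the URI starts with /wp-admin/, so root installs are never checked.
function wpba_loose_match(string $uri): bool {
    return (bool) strpos(strtolower($uri), '/wp-admin/');
}

// Substring check with the upload exemption, using strict comparisons.
function wpba_substring_match(string $uri): bool {
    $uri = strtolower($uri);
    return strpos($uri, '/wp-admin/') !== false
        && strpos($uri, 'async-upload.php') === false;
}

// Path-based check: only the parsed path decides, so text in the query
// string cannot switch the exemption on.
function wpba_path_match(string $uri, array $exempt = ['async-upload.php', 'admin-ajax.php']): bool {
    $path = parse_url($uri, PHP_URL_PATH);
    if (!is_string($path)) {
        return true; // unparsable URI: fail closed and apply the block
    }
    $path = strtolower($path);
    if (strpos($path, '/wp-admin/') === false) {
        return false; // not an admin request
    }
    // Exempt only when the script actually being requested is on the list.
    return !in_array(basename($path), $exempt, true);
}

$samples = [ // constructed request URIs
    '/wp-admin/index.php',
    '/blog/wp-admin/edit.php',
    '/wp-admin/async-upload.php',
    '/wp-admin/edit.php?ref=async-upload.php',
    '/2010/06/hello-world/',
];

foreach ($samples as $uri) {
    printf("%-42s loose=%d substring=%d path=%d\n", $uri,
        wpba_loose_match($uri), wpba_substring_match($uri), wpba_path_match($uri));
}
```

On these inputs the loose check skips `/wp-admin/index.php` on a root install, and only the path-based check keeps applying the block when the exempt file name appears in the query string rather than the path.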
I started using WP Block Admin only yesterday. Today I was prompted to upgrade to version 0.2.1 I did, but this creates havoc on my blog.
I get the following messages on the admin area and the site:
Warning: Division by zero in /var/www/fs2/24/gradutak/public_html/wp-content/plugins/wp-block-admin/wp-block-admin.php on line 52
Warning: Cannot modify header information – headers already sent by (output started at /var/www/fs2/24/gradutak/public_html/wp-content/plugins/wp-block-admin/wp-block-admin.php:52) in /var/www/fs2/24/gradutak/public_html/wp-includes/pluggable.php on line 868
Is there anything that could be done?
Apologies for the error. I’m sending you a slightly modified version of the plugin now. I think the quotes are wrong on line 52. If you can test and report back, I’ll push out the update as soon as possible.
Hi Callum! Sry, but it didn’t help. I get the same error:
Warning: Division by zero in /var/www/fs2/24/gradutak/public_html/wp-content/plugins/wp-block-admin/wp-block-admin.php on line 52
Apologies, I didn’t actually make that fix before I sent you the file. I’m sending a new version now, hopefully this one works. I just tested on my server and it has cleared up the error for me.
Yes, it seems to be working now! Thank you very much for your efforts!
I’m not familiar with php, so that leaves me a bit clueless in matters such as these. But it’s great there are more knowledgeable people around! Thanks!
thanks for the plugin ! work like a charm
hey Callum
the plugin works great but only if a user is logged in. how can i redirect non-logged in users from accessing wp-admin or wp-login.php?
If you direct non-logged in users from wp-login.php and wp-admin/ then you’ll never be able to login once you are logged out. That would completely break the admin unless you’re using some completely different login method. If you are, I would suggest replacing the contents of wp-login.php with something like
. That will redirect all attempts to access wp-login.php to another page. However, you can’t easily redirect everything in wp-admin/ because some files are necessary for the operation of WordPress.
I guess you’re right.
But,
maybe the plugin could set up a new page that will handle just the redirection? For example, if the user is not logged in, then we show a special login page on which he can input his data, then after the data is recognized it’s sent to wp-login.php and redirection doesn’t occur. Well, at least that’s something I thought of.
I think that this special login page doesn’t really have to be that complicated. I think we need to find a way to show wp-login.php or /wp-admin/ (if the user is not logged in) only if called from that special page.
What do you think?
That is possible. It might also be possible to simply rename wp-login.php with one or two clever tricks.
Personally, I wrote this plugin for hire years ago. I don’t use it personally and don’t really support it. I don’t have any desire to write new code or expand functionality. I’ve fixed one or two issues as they arose, made slight improvements to the plugin, but I’m not open to major changes. You may be able to find somebody on RentaCoder.com to add the functionality you’re looking for. That’s where I got my start in professional WordPress stuff, there seemed to be a lot of other developers familiar with WordPress on there.
Hey Callum,
I made some changes to your plugin. I noticed that users were still able to visit wp-login.php even without the proper permissions. I made it so they couldn’t visit either wp-admin or wp-login.php, which made an endless loop where you couldn’t get to the login page (oops). I went ahead and wrapped the whole thing in the “is_user_logged_in()” tag. Now, logged in users can’t visit wp-login.php or wp-admin. You can see my changes here: http://pastebin.com/xq6x26fn
Feel free to take them or leave them.
As I read your code, only users who are logged in will be redirected, anyone else who tries to access the admin will be sent to the login page. I’m not sure if that’s sensible or not.
The only other change I see in your code is that users who are already logged in, cannot access wp-login.php. That means that they can’t log out because wp-login.php?action=logout is the url to log out.
Thanks for taking the time to share your changes, I really appreciate it. Are you familiar with the diff and patch tools? They’re a great way to share changes like this. At this time I will reject your changes because I don’t see any benefit and I see some downsides. However, maybe I’ve misread your code, so I’m open to better understanding what you intended.