WP Block Admin

This is a simple plugin which blocks access to the admin interface based on a user’s capabilities (permissions).

See the plugin info on wordpress.org.

If you have any support questions, please fire them here as a comment.

95 thoughts on “WP Block Admin”

  1. Callum

    I realize you don’t support this plugin but I thought I’d drop a note in the event you could see an obvious issue. I’m using block Admin with WPMU and Buddypress and I’m trying to keep users from seeing the WP backend. I’ve tried your plugin (I actually thought I had it working for awhile) but users are still getting access after logging in and trying the URL/wp-admin link.

    I’m also using a custom plugin that redirects people logging in to go to their member page in Buddypress versus the backend. Not sure if this is conflicting, but I don’t think so.

    Appreciate your thoughts…

    Thx

    1. @Scot MacDonald: Hey Scot, nice surname! 🙂

      My guess is that you’re seeing problems because your users are admins on the blog. Somebody else recently asked me about a WPMU version related to buddyPress and I modified the plugin slightly for them. It seemed to work well. I’ve added that code to the plugin but commented it out. Version 0.1.2 should appear on wp.org in an hour or two, when that does, look at line 37 and you should be able to make it work for WPMU quite easily. Just comment out line 36 and uncomment line 38.

  2. Callum

    Thanks for the input. Looking forward to trying the new code.

    As it turns out though, I have my new users defaulted to Author. I’ve tried using the plugin with both new ‘members’ and new ‘blogs’ and it still isn’t working right. I’ve removed the other plugin that had the redirect and still no go. One thing I have noticed is that providing a redirect URL is definitely not working as users are always taken to the homepage regardless of what I use. All of this said, there are cache issues with Buddypress as well so maybe that’s part of the problem as well. Makes it challenging to test I must say.

    I know a lot of Buddypress users are looking for a way to hide the admin area as it is very confusing for users who have the BP profile and then find themselves behind the wall in the admin section with another profile.

    Cheers

    ps – I’m from Atlantic Canada and was in Edinburgh last year. Spent some time at The Last Drop. 🙂

    1. @Scot: I’m not sure what’s going on with buddyPress. This plugin is called as early as possible in the WP boot up, so at a guess I’d say it would work with a caching plugin (I haven’t looked into it).

      To aid debugging, try adding some exit('message'); calls to the plugin. That will help you to see if it’s being called.

  3. Hey Callum,

    Your plugin does exactly what I was looking for. I installed it and found that it wasn’t working for some reason. After looking at the code, I saw the problem:

    if (strpos(strtolower($_SERVER['REQUEST_URI']),'/wp-admin/')) {

    should be

    if (strpos(strtolower($_SERVER['REQUEST_URI']),'/wp-admin/') !== false) {

    Since the strpos() of ‘/wp-admin/’ can return zero, the value needs to be evaluated as not equal to false; otherwise, the user’s access level is never checked for blogs that are installed on the root of a domain.

    Thanks for the plugin!

  4. Thanks for that plugin! I just installed it and it worked without having to change anything. Now I’m wondering if you’ve ever thought of removing the “Site Admin” link when it’s deactivated by WP Block Admin 🙂

    1. @Malcolm: I think you can get rid of that via your theme. It’s part of the Meta widget I believe. Not sure if / how I’d plug into that to remove it. Interesting idea though… 🙂

  5. Thanks. If I’d get rid of that link in the theme, I’d want to condition that getting-rid-of on your plugin having deactivated the link (or redirecting it, whatever you do). Can you think of a test I could make?

  6. Yep, that worked after I realized I needed to add the setup for $wpba_required_capability 🙂 Now the Site Admin link doesn’t appear unless it’s functional.

    Thanks for the help and for the great plugin!

    1. Malcolm: I’m surprised you need to setup $wpba_required_capability. Are you calling it within a function maybe? You could try making it global, that might do the trick. I’d guess that all the plugins are loaded (and so $wpba_required_capability is setup) before the theme loop starts, but I might be wrong.

  7. It’s working perfectly now. But here’s the code if you want to take a look:


    <?php global $wpba_required_capability; if (current_user_can($wpba_required_capability)) wp_register(); ?>

  8. Hi Callum,

    Greeeeat plugin,

    But I have some issues with the upload page: every time I send a file, the iframe with the form (Legend, Title, Description etc.) redirects to the home. I’m using WP 2.7.1 …

    The upload works nice, just this redirect is a little inconvenience…

    Any idea why this happens?

    Thanks!

    1. @Caciano: Aha. It sounds like that form is in /wp-admin/ even though it is used on the front end. Interesting. Try changing line 51, which is currently:
      if (strpos(strtolower($_SERVER['REQUEST_URI']),'/wp-admin/') !== false) {
      to this:
      if (is_admin()) {

      If that works for you, I’ll probably change the plugin to use that method.

  9. I admit that I have not had a chance yet to look at the code yet (busy morning) but we have been recommending this plugin to users of our forum plugin and with our latest release added the technique as an option. Are you aware that (at least using WP2.8) it disables the use of the flash uploader?

    1. @andy: Try changing line 51 from:
      if (strpos(strtolower($_SERVER['REQUEST_URI']),'/wp-admin/') !== false) {
      to:
      if (is_admin()) {

      Does that resolve the issues with 2.8? I don’t use the plugin personally so I don’t test it. Are you interested in taking over the maintenance of the code?

      If that change works for you (it worked for somebody else recently), I’ll make the change and push out a new version.

      1. No – still no luck. Can’t really see why though unless the WP guys have screwed up the capabilities check for image uploading….

  10. Hi, is there any way I can use this for WPMU but not completely block my users? I saw your first suggestion but I do not have buddypress so I do need to give my users some access for the standard menus and for some menus that my addons created. I’m not sure how the first poster had blogs defaulted to author users but my users are Admins.

  11. Ok, So I switch the commented lines and then what would be a code I would use to add in each capability to block?

    1. I don’t think I’ve ever replied to your question, apologies.

      If you’re still having the issue, you can edit line 18. It’s clearly marked in the code.

  12. Hey there,
    Great plugin!
    I am a bit of a newbie, so don’t want to play around too much in case I break something (I have the horrible wordpress version 2.8 and it’s very temperamental, so much so in fact it won’t let me upgrade!!)
    Anyway, back to the point. Can you please let me know what code I need to put in and where to make this only redirect subscribers? Sorry I have done a bit of googling to try and find the answer to this but there doesn’t seem to be one.
    thanks again! 🙂

    1. You want to redirect subscribers but nobody else. Is that correct?

      You can edit line 18 of the plugin. Choose a new capability. Looking at this list, contributors have “edit_posts” and “delete_posts” capabilities while subscribers don’t. I’d guess either of those would work, if I’ve understood what you want correctly. Please share your solution back here for others.

  13. THANK YOU!

    I was searching for hours for a plugin like this one!

    I was just looking for the wrong thing, but thanks, now I have it, it works like a charm!

  14. Hmm, I’m on 2.9 and still having the same 2.8 issues with the http error upon uploading an image. Substituting is_admin does not fix this problem. Something to do with the wp_redirect?

    1. I’m not sure what causes the issues with the image uploader. I wrote this plugin for somebody else and haven’t used or tested it since. If you’re able to find the problem and would like to submit a patch, please do. If you’d like to take over the maintenance of the code give me a holler. 🙂

  15. Okay, Here goes:
    Line 51:
    ————
    // Is this the admin interface? / ignore upload requests
    if (strpos(strtolower($_SERVER['REQUEST_URI']),'/wp-admin/') !== false && strpos(strtolower($_SERVER['REQUEST_URI']),'async-upload.php') === false) {
    ————

    Strpos may not be the way to go here, but i’m going with the flow …

    Sam Hermans
    http://www.greeenfudge.org

  16. This breaks any ajax calls to admin-ajax.php. Any workaround?

    And if the user logs in, they will still be able to access by placing the entire url such as myblog.com/wp-admin/edit.php

    1. I’m sending you a slightly modified version now. Hopefully it allows requests to admin-ajax.php. Can you test and report back?

      If the user logs in and tries to access an admin url directly, the plugin should redirect them. Are you seeing a problem with this?

      1. Yup, it works.

        As for the mentioned problem with edit.php, after flushing the cookie and browser cache, it was working already 😀

        Btw,
        whenever i open your file, something happens to the encoding, nothing big. Here’s a sample

        if (strpos(strtolower($_SERVER[‘REQUEST_URI’]),β€šΓ„Γ΄/wp-admin/β€šΓ„Γ΄) !== false

        Note the β€šΓ„Γ΄

        1. Great, thanks for the confirmation. I think that’s because of a bug I introduced in 0.2.1. I’ve just pushed out version 0.2.2, the code is in SVN, it should hit wordpress.org shortly. I recommend immediate upgrade from 0.2.1 because of the bug. The issue was because I replaced quotes with backticks which produced an error about dividing by zero on some servers.
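The fixes discussed across comments 3, 8, 15 and 16 (the strpos() !== false check, the async-upload.php and admin-ajax.php exclusions, and the is_admin() suggestion) fit together into one check. The following is an added example written for this page, not the plugin's own code; the hook, the function name and the capability value are my choices.

```php
<?php
/*
Plugin Name: WP Block Admin (editor's illustration, not the released plugin)
*/

// Capability a user must hold to reach wp-admin. 'read' would catch every
// logged-in subscriber; 'edit_posts' lets contributors and above through.
$wpba_required_capability = 'edit_posts';

function wpba_example_block_admin() {
    global $wpba_required_capability;

    // is_admin() is true for any request served from /wp-admin/. It avoids the
    // strpos() pitfall: strpos() returns 0 when '/wp-admin/' sits at the very
    // start of REQUEST_URI (a site installed at the domain root), and 0 is falsy.
    if ( ! is_admin() ) {
        return;
    }

    // Front-end features route some requests through /wp-admin/. Redirecting
    // them breaks AJAX calls and the media uploader, as reported in the thread.
    if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
        return;
    }
    $script = basename( strtolower( $_SERVER['SCRIPT_NAME'] ) );
    if ( 'async-upload.php' === $script ) {
        return;
    }

    // Anonymous visitors are left to WordPress, which sends them to wp-login.php.
    // wp-login.php is not under /wp-admin/, so login and logout keep working.
    if ( ! is_user_logged_in() ) {
        return;
    }

    // The actual authorisation check: a logged-in user without the capability
    // is sent to the front page. 'home' rather than 'siteurl' so that a
    // WordPress installed in a subdirectory redirects to the right place.
    if ( ! current_user_can( $wpba_required_capability ) ) {
        wp_safe_redirect( get_option( 'home' ) );
        exit;
    }
}

// 'init' runs after the current user is known and before any admin screen
// has produced output, so the redirect header can still be sent.
add_action( 'init', 'wpba_example_block_admin' );
```

Dropping this file into wp-content/plugins/ and activating it reproduces the behaviour the thread converges on; a user who holds the capability sees no change.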

  17. I started using WP Block Admin only yesterday. Today I was prompted to upgrade to version 0.2.1 I did, but this creates havoc on my blog.

    I get the following messages on the admin area and the site:

    Warning: Division by zero in /var/www/fs2/24/gradutak/public_html/wp-content/plugins/wp-block-admin/wp-block-admin.php on line 52

    Warning: Cannot modify header information – headers already sent by (output started at /var/www/fs2/24/gradutak/public_html/wp-content/plugins/wp-block-admin/wp-block-admin.php:52) in /var/www/fs2/24/gradutak/public_html/wp-includes/pluggable.php on line 868

    Is there anything that could be done?

    1. Apologies for the error. I’m sending you a slightly modified version of the plugin now. I think the quotes are wrong on line 52. If you can test and report back, I’ll push out the update as soon as possible.

      1. Hi Callum! Sry, but it didn’t help. I get the same error:

        Warning: Division by zero in /var/www/fs2/24/gradutak/public_html/wp-content/plugins/wp-block-admin/wp-block-admin.php on line 52

        1. Apologies, I didn’t actually make that fix before I sent you the file. I’m sending a new version now, hopefully this one works. I just tested on my server and it has cleared up the error for me.

          1. Yes, it seems to be working now! Thank you very much for your efforts!

            I’m not familiar with php, so that leaves me a bit clueless in matters such as these. But it’s great there are more knowledgeable people around! Thanks!

  18. Hey Callum

    the plugin works great but only if a user is logged in. how can i redirect non-logged in users from accessing wp-admin or wp-login.php?

    1. If you direct non-logged in users from wp-login.php and wp-admin/ then you’ll never be able to login once you are logged out. That would completely break the admin unless you’re using some completely different login method. If you are, I would suggest replacing the contents of wp-login.php with something like . That will redirect all attempts to access wp-login.php to another page. However, you can’t easily redirect everything in wp-admin/ because some files are necessary for the operation of WordPress.

  19. I guess you’re right.

    But,

    maybe the plugin could set up a new page that will handle just the redirection? For example, if the user is not logged in, then we show a special login page on which he can input his data, then after the data is recognized it’s sent to wp-login.php and redirection doesn’t occur. Well, at least that’s something I thought of.

    I think that this special login page doesn’t really have to be that complicated. I think we need to find a way to show wp-login.php or /wp-admin/ (if the user is not logged in) only if called from that special page.

    What do you think?

    1. That is possible. It might also be possible to simply rename wp-login.php with one or two clever tricks.

      Personally, I wrote this plugin for hire years ago. I don’t use it personally and don’t really support it. I don’t have any desire to write new code or expand functionality. I’ve fixed one or two issues as they arose, made slight improvements to the plugin, but I’m not open to major changes. You may be able to find somebody on RentaCoder.com to add the functionality you’re looking for. That’s where I got my start in professional WordPress stuff, there seemed to be a lot of other developers familiar with WordPress on there.

  20. Hey Callum,

    I made some changes to your plugin. I noticed that users were still able to visit wp-login.php even without the proper permissions. I made it so they couldn’t visit either wp-admin or wp-login.php, which made an endless loop where you couldn’t get to the login page (oops). I went ahead and wrapped the whole thing in the “is_user_logged_in()” tag. Now, logged in users can’t visit wp-login.php or wp-admin. You can see my changes here: http://pastebin.com/xq6x26fn

    Feel free to take them or leave them.

    1. As I read your code, only users who are logged in will be redirected, anyone else who tries to access the admin will be sent to the login page. I’m not sure if that’s sensible or not.

      The only other change I see in your code is that users who are already logged in, cannot access wp-login.php. That means that they can’t log out because wp-login.php?action=logout is the url to log out.

      Thanks for taking the time to share your changes, I really appreciate it. Are you familiar with the diff and patch tools? They’re a great way to share changes like this. At this time I will reject your changes because I don’t see any benefit and I see some downsides. However, maybe I’ve misread your code, so I’m open to better understanding what you intended.

  21. Is this plugin compatible with wordpress Multisite and/or WP 3.0.3? The last update in the plugin repository was at the beginning of 2010.

  22. Seems to be working with 3.0.3, I am running one at Q8Living.com. Thanks Callum. It is a good plugin.

  23. Hey Callum,

    Perfect plugin, it’s exactly what I needed, I’m using 3.0.4 and it works fine! 🙂

  24. Hi Callum, thanks for this really great plugin (WP Block Admin). I need a little help.
    Would it be possible to not allow access to wp-admin but allow wp-admin/profile.php? I tried editing the plugin’s redirect, but it detects wp-admin and spends all the time redirecting. The reason is that I created a customized profile.php with a plugin (Customize Your Community, it is like the plugin Theme My Login) and it is good for the user to be there but not in wp-admin. Can you say something about this?

    1. Yes, this is a trivial code change. I’ve created a custom version for you. You can download the code here. I’ve pushed the version number in that version to 9 so you shouldn’t be prompted to upgrade.

      1. Callum, I do not know what I can tell you, but I am very grateful for what you’ve done. No one worries so much to help a stranger; I am forever grateful. I hope to help someday. Thanks again and good luck.

  25. Callum, we have installed your WP Block Admin plugin and left it active for a month or so. Afterwards I tried changing the functionality to redirect users with user role less than 2, after I realized that even if I had removed your plugin the wp-admin would still redirect to the profile page. Where do I find the cache for this functionality? Why is this functionality working even after I have uninstalled your plugin and deleted it from the plugin directory? Have any recommendations?

    1. The plugin itself has no caching and should leave behind no after effects. Without knowing more, I’d guess that something else is redirecting users from wp-admin. I think it’s standard for WordPress to send users to their profile page on login if they’re contributor level users, but I’m not 100% certain.

  26. Hi Callum

    First thank you for your great plugin, awesome job !

    I have a security question about it :

    Till then, i had a htaccess /htpasswd on /wp-admin/

    Since i installed your plugin, i removed this htaccess, as now any attempt to acces a file in /wp-admin/ is redirected to the url i specified in wp-block-admin.php

    So is it as secure as the htaccess ?

    (I will also change the name “wp-admin”)

    Thank you for your opinion

    1. If you use the plugin, the only potential access to the wp-admin interface is through an exploit in WordPress. Security is a relative thing, it’s hard to provide absolutes. In my opinion, using basic authentication (htaccess / htpasswd) is probably more “secure” than the plugin, simply because it’s less common, and so much less likely to be exploited. But to be honest, I think either method provides sufficient security for any likely use of a WordPress site. Unless you have the resources to security audit every line of WordPress code, then you’ll only ever be as “secure” as WordPress is.

      I would suggest using either the basic authentication or plugin approach, but not both, and I would strongly recommend against renaming the wp-admin folder, I think that will cause serious problems.

      1. PS> As an after thought, given the choice between basic auth and the plugin, I’d choose the plugin because the admin is simpler. Adding new users, removing users, etc is all handled within WordPress.

        1. Hi,

          Thank you for your quick answer,

          So any attack on any file in /wp-admin/ will be rejected thanks to your plugin and you say it will have almost the same strength as an htaccess/htpasswd on /wp-admin/ ?

          (i read most of attacks were happening on wp-admin)

          Thank you !

          1. No, not necessarily. It depends on what type of vulnerability is being attacked. If your objective is to increase the security of WordPress, then using basic authentication is the best option. It’s a completely separate layer of security, completely independent of WordPress, that will protect your site from any automated attack against wp-admin. If you’re storing highly sensitive data in WordPress that sophisticated attackers are directly targeting, then you ought to store it elsewhere! However, if your objective is to protect against automated attacks against WordPress, then the basic authentication option will give you a good protection against that.

            On the other hand, if WordPress offers sufficient security for your needs, and you simply want to keep regular users out of the wp-admin interface, then the plugin is my recommendation.

  27. Thanks so much for the plugin! I did make one change because I normally install WordPress in a subdirectory. In the default redirect, I changed

    get_option('siteurl')

    to

    get_bloginfo('url');

    Thanks, again!

    1. Wow, I had never noticed that before, that’s definitely a bug, thanks for sharing. I’ve updated the plugin to use get_option('home') instead of siteurl. May I credit you with a link in the changelog?

  28. Put this code in functions.php :
    function blockusers_init() {
    // is_admin() is also true for admin-ajax.php, so leave AJAX requests alone
    if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
    return;
    }
    if ( is_admin() && ! current_user_can( 'administrator' ) ) {
    wp_redirect( home_url() );
    exit;
    }
    }
    // the function has to be hooked, otherwise it never runs
    add_action( 'init', 'blockusers_init' );

  29. Hi Callum,
    I appreciate your work on this plugin. However, I’m using a theme with a front end login. My only problem so far is that when users login they cannot log out this “wp-login.php?action=logout&redirect_to=” is needed to log out. Is there a way to fix this? (I’m a newbie at coding)

    1. The plugin looks for /wp-admin/ in the URL. There is no /wp-admin/ in the login / logout url, so it should not affect that. If you disable the plugin, does logout work?

  30. I’m thinking the plugin does look for “wp-login” as well. Yes, when I disable the plugin, I’m able to log out and also visit “mysite.com/wp-login.php”. After activating the plugin, I am being redirect to the home page when trying to visit /wp-login.php and /wp-admin.

    1. The plugin looks for the presence of /wp-admin/ in the current URL, and if it’s found, redirects the user to the homepage. It’s really that simple I’m afraid. It should not be interfering with the wp-login.php links, unless maybe they contain ?redirect_to=/wp-admin/, but even then, I don’t think that would cause the issue. I’m afraid I’m not sure what’s causing your issues, this is a plugin I wrote a long time ago and don’t personally use. Best of luck with your issue.

  31. In Listings – Theme Options – General Settings: In “upload listing” I have deselected “Only Register Users may post a Listing”.

    Yet, when customers want to upload an image, they are forced to register through WP. I was sent to WP to download WP Block Admin plugin. I did and have no idea what to do after I activated that. I have to add or do something on line 18 and 21. could you guide me through it?

    How could I fix that?

    1. I’m sorry I don’t understand what you’re asking, but it doesn’t sound like this plugin is what you need. Best of luck finding a solution.

  32. I cannot get this to work. Before I try anything further, can you tell me if this works with the latest version of Word Press 3.3.2? Thank you!

  33. Hello Callum,
    Not sure if you still support this plugin, but I am having an issue here and would really appreciate if you can help. I’ve downloaded and installed your plugin (great idea btw!) but then after activating it, I can’t access the plugin settings at all, can’t find it at all. I am using wordpress 3.4.2

    Thanks!

  34. Great plugin!!! absolute winner with this. Tried code in the functions file and no results. I will be buying you a cup of coffee!

  35. I installed this extension and activated it.
    But after log-out I couldn’t relogin my website.

    I deleted plugin from ftp server, but it’s still making redirection. How can I fix login issue?

    1. If you have deleted the plugin files, it has been 100% removed. I’d guess your login issues are unrelated, the plugin doesn’t affect logins, only access to the admin interface.

    1. I’m not certain if this plugin will block users from changing their passwords or not. Try it and see, that’s my best advice.

  36. HI,

    I can’t seem to get this to work, I have a page link which goes to wp-admin, and using this plugin I wish for any non-admins to be redirected to the homepage instead but I am directed to the wp-login screen. I have changed the user settings in the config to be ‘read’ so catches all subscribers.. have I missed something?

    many thanks in advance, Chelsey

    1. I’m not sure what the plugin does if a user is not logged in. By the sounds of it, WordPress kicks in and redirects them to the login page. You could probably modify the plugin code to achieve your goal.

  37. Thank you for the plugin. Surprised just yours can do what it does, I see it is quite demanded…
    Good job!
