How to restrict admin pages for Administrator role?

I use this code here to restrict users from directly entering a URL in the address bar, with no success: '/wp-admin/?page=xxx-xxx-xxx' << no page extension and this page belongs to a theme the site is on.

/*
 * If user is not a SuperAdmin, when they try to access the below URLs they are redirected back to the dashboard.
 */
function restrict_admin_with_redirect() {

    $restrictions = array(
        '/wp-admin/widgets.php',
        '/wp-admin/user-new.php',
        '/wp-admin/upgrade-functions.php',
        '/wp-admin/upgrade.php',
        '/wp-admin/themes.php',
        '/wp-admin/theme-install.php',
        '/wp-admin/theme-editor.php',
        '/wp-admin/setup-config.php',
        '/wp-admin/plugins.php',
        '/wp-admin/plugin-install.php',
        '/wp-admin/options-writing.php',
        '/wp-admin/options-reading.php',
        '/wp-admin/options-privacy.php',
        '/wp-admin/options-permalink.php',
        '/wp-admin/options-media.php',
        '/wp-admin/options-head.php',
        '/wp-admin/options-general.php',
        '/wp-admin/options-discussion.php',
        '/wp-admin/options.php',
        '/wp-admin/network.php',
        '/wp-admin/ms-users.php',
        '/wp-admin/ms-upgrade-network.php',
        '/wp-admin/ms-themes.php',
        '/wp-admin/ms-sites.php',
        '/wp-admin/ms-options.php',
        '/wp-admin/ms-edit.php',
        '/wp-admin/ms-delete-site.php',
        '/wp-admin/ms-admin.php',
        '/wp-admin/moderation.php',
        '/wp-admin/menu-header.php',
        '/wp-admin/menu.php',
        '/wp-admin/edit-tags.php',
        '/wp-admin/edit-tag-form.php',
        '/wp-admin/edit-link-form.php',
        '/wp-admin/edit-comments.php',
        '/wp-admin/credits.php',
        '/wp-admin/about.php'
    );
    foreach ( $restrictions as $restriction ) {
        if ( ! current_user_can( 'manage_network' ) && $_SERVER['PHP_SELF'] == $restriction ) {
            wp_redirect( admin_url() );
            exit;
        }
    }
}
add_action( 'admin_init', 'restrict_admin_with_redirect' );

Please advise.

  • Adam Czajczyk

    Hello Cas,

    I hope you're well today and thank you for your question!

    I've checked your code. The reason it's not working is that it doesn't check what's the current page so basically it is only traversing the "$restrictions" array. Would you please give the following code a try instead? It should redirect non-super-admin users to main dashboard in case they try to visit any of the pages included in "$restrictions" array.

    /*
     * If user is not a SuperAdmin, when they try to access the below URLs they are redirected back to the dashboard.
     */
    function restrict_admin_with_redirect() {
    
        $restrictions = array(
            '/wp-admin/widgets.php',
            '/wp-admin/user-new.php',
            '/wp-admin/upgrade-functions.php',
            '/wp-admin/upgrade.php',
            '/wp-admin/themes.php',
            '/wp-admin/theme-install.php',
            '/wp-admin/theme-editor.php',
            '/wp-admin/setup-config.php',
            '/wp-admin/plugins.php',
            '/wp-admin/plugin-install.php',
            '/wp-admin/options-writing.php',
            '/wp-admin/options-reading.php',
            '/wp-admin/options-privacy.php',
            '/wp-admin/options-permalink.php',
            '/wp-admin/options-media.php',
            '/wp-admin/options-head.php',
            '/wp-admin/options-general.php',
            '/wp-admin/options-discussion.php',
            '/wp-admin/options.php',
            '/wp-admin/network.php',
            '/wp-admin/ms-users.php',
            '/wp-admin/ms-upgrade-network.php',
            '/wp-admin/ms-themes.php',
            '/wp-admin/ms-sites.php',
            '/wp-admin/ms-options.php',
            '/wp-admin/ms-edit.php',
            '/wp-admin/ms-delete-site.php',
            '/wp-admin/ms-admin.php',
            '/wp-admin/moderation.php',
            '/wp-admin/menu-header.php',
            '/wp-admin/menu.php',
            '/wp-admin/edit-tags.php',
            '/wp-admin/edit-tag-form.php',
            '/wp-admin/edit-link-form.php',
            '/wp-admin/edit-comments.php',
            '/wp-admin/credits.php',
            '/wp-admin/about.php'
        );
    
        $currentScreen = get_current_screen();
        $current_page = '/wp-admin/' . $currentScreen->id . '.php';
        if (in_array($current_page, $restrictions)) {
            if ( ! current_user_can( 'manage_network' ) ) {
                wp_redirect( admin_url() );
                exit;
            }
        }
    
    }
    add_action( 'current_screen', 'restrict_admin_with_redirect' );

    Best regards,
    Adam

  • Adam Czajczyk

    Hello Cas,

    Thank you for your response.

    I double-checked that on my setup and I can confirm that the code "as is" is right. However, it's possible that I didn't understand you right and we're now not on the same side here.

    That said, I imagine that the code you're looking for should work like this:

    - there's a Multisite WP install with main site and some sub-sites
    - super-admin user can "do everything"
    - admins of sub-site (and all other registered users that are not super-admins) do see menu items leading to those listed dashboard pages but once they click on any of them, they're being redirected to the dashboard's main page
    - the same applies to URLs put directly into the browser's address bar.

    Am I on the right track? Could you please provide me with as detailed a case scenario as possible, preferably a step-by-step description of non-super admin user behavior and requested WP workflow?

    This would greatly help me test and adjust the code.

    Best regards,
    Adam

  • Code Injector

    I've tried to use your code 3-4 times with no success. The original (1st) code is working perfectly to prevent user from directly entering "WP related pages" into the address bar. But it doesn't work with the non-native WP pages such as pages called from the third party plugins >> "wp-admin/admin.php?page=hello_options_import_page" and many other non-native pages I want to have them restricted.

  • Adam Czajczyk

    Hello Cas!

    Thank you for this explanation. Just as I suspected, my code was working in a slightly different way.

    Here's a modified version of your code and I think this time it should work. It's set up at the moment to redirect all "/wp-admin/admin.php?page=" URLs and by extending the restriction array you can also extend it to handle essentially every other "in-dashboard" URL.

    Let me know please if it works for you.

    /*
     * If user is not a SuperAdmin, when they try to access the below URLs they are redirected back to the dashboard.
     */
    function restrict_admin_with_redirect() {
    
        $r_php_self = $_SERVER['PHP_SELF'];
        $r_full_query = $r_php_self."?".$_SERVER['QUERY_STRING'];
    
        $restrictions = array(
            '/wp-admin/widgets.php',
            '/wp-admin/user-new.php',
            '/wp-admin/upgrade-functions.php',
            '/wp-admin/upgrade.php',
            '/wp-admin/themes.php',
            '/wp-admin/theme-install.php',
            '/wp-admin/theme-editor.php',
            '/wp-admin/setup-config.php',
            '/wp-admin/plugins.php',
            '/wp-admin/plugin-install.php',
            '/wp-admin/options-writing.php',
            '/wp-admin/options-reading.php',
            '/wp-admin/options-privacy.php',
            '/wp-admin/options-permalink.php',
            '/wp-admin/options-media.php',
            '/wp-admin/options-head.php',
            '/wp-admin/options-general.php',
            '/wp-admin/options-discussion.php',
            '/wp-admin/options.php',
            '/wp-admin/network.php',
            '/wp-admin/ms-users.php',
            '/wp-admin/ms-upgrade-network.php',
            '/wp-admin/ms-themes.php',
            '/wp-admin/ms-sites.php',
            '/wp-admin/ms-options.php',
            '/wp-admin/ms-edit.php',
            '/wp-admin/ms-delete-site.php',
            '/wp-admin/ms-admin.php',
            '/wp-admin/moderation.php',
            '/wp-admin/menu-header.php',
            '/wp-admin/menu.php',
            '/wp-admin/edit-tags.php',
            '/wp-admin/edit-tag-form.php',
            '/wp-admin/edit-link-form.php',
            '/wp-admin/edit-comments.php',
            '/wp-admin/credits.php',
            '/wp-admin/about.php',
            '/wp-admin/admin.php?page='
        );
        foreach ( $restrictions as $restriction ) {
    
            if (stristr($r_full_query,$restriction)) {
                wp_redirect( admin_url() );
                exit;
            }
    
        }
    }
    add_action( 'admin_init', 'restrict_admin_with_redirect' );

    Best regards,
    Adam

  • Code Injector

    The code given is limiting access to all levels of site users including the network super admin. I added one line below, now the network super admin can see and access everything 100% but restricting access to the subsite administrator and others.

    function restrict_admin_with_redirect() {
    
        $r_php_self = $_SERVER['PHP_SELF'];
        $r_full_query = $r_php_self."?".$_SERVER['QUERY_STRING'];
    
        $restrictions = array(
            '/wp-admin/widgets.php',
            '/wp-admin/user-new.php',
            '/wp-admin/upgrade-functions.php',
            '/wp-admin/upgrade.php',
            '/wp-admin/themes.php',
            '/wp-admin/theme-install.php',
            '/wp-admin/theme-editor.php',
            '/wp-admin/setup-config.php',
            '/wp-admin/plugins.php',
            '/wp-admin/plugin-install.php',
            '/wp-admin/options-writing.php',
            '/wp-admin/options-reading.php',
            '/wp-admin/options-privacy.php',
            '/wp-admin/options-permalink.php',
            '/wp-admin/options-media.php',
            '/wp-admin/options-head.php',
            '/wp-admin/options-general.php',
            '/wp-admin/options-discussion.php',
            '/wp-admin/options.php',
            '/wp-admin/network.php',
            '/wp-admin/ms-users.php',
            '/wp-admin/ms-upgrade-network.php',
            '/wp-admin/ms-themes.php',
            '/wp-admin/ms-sites.php',
            '/wp-admin/ms-options.php',
            '/wp-admin/ms-edit.php',
            '/wp-admin/ms-delete-site.php',
            '/wp-admin/ms-admin.php',
            '/wp-admin/moderation.php',
            '/wp-admin/menu-header.php',
            '/wp-admin/menu.php',
            '/wp-admin/edit-tags.php',
            '/wp-admin/edit-tag-form.php',
            '/wp-admin/edit-link-form.php',
            '/wp-admin/edit-comments.php',
            '/wp-admin/credits.php',
            '/wp-admin/about.php',
            '/wp-admin/admin.php?page='
        );
        foreach ( $restrictions as $restriction ) {
    
            if (stristr($r_full_query,$restriction)) {
                if ( ! current_user_can( 'manage_network' ) ) {
                    wp_redirect( admin_url() );
                    exit;
                }
            }
        }
    }
    add_action( 'admin_init', 'restrict_admin_with_redirect' );

    I'm testing the site as a user and the code given does seem to decently do the job as intended, so far so good.
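
An added example, not code from any poster in this thread: the same redirect, but matching on the exact admin script name and the parsed `page` parameter instead of a substring of `PHP_SELF` plus `QUERY_STRING`, so the result does not depend on where `page` sits in the query string. The `cas_` function names and the shortened script list are assumptions made for illustration.

```php
<?php
// Added example. The cas_* names are hypothetical; the list is shortened.

/**
 * Decide whether a dashboard request targets a restricted screen.
 *
 * @param string $script     Current admin script, e.g. "themes.php".
 * @param mixed  $page       Value of the "page" parameter, or null if absent.
 * @param array  $scripts    Core admin scripts to block.
 * @param array  $page_slugs Plugin/theme page slugs to block; empty = all.
 */
function cas_is_restricted_request( $script, $page, array $scripts, array $page_slugs ) {
    if ( in_array( $script, $scripts, true ) ) {
        return true;
    }
    // Plugin and theme screens are served through admin.php?page=<slug>.
    if ( 'admin.php' !== $script || null === $page ) {
        return false;
    }
    if ( ! is_string( $page ) ) {
        return true; // Malformed value such as page[]=x: fail closed.
    }
    // An empty slug list blocks every such screen, like the
    // '/wp-admin/admin.php?page=' entry used in the thread.
    return empty( $page_slugs ) || in_array( $page, $page_slugs, true );
}

function cas_restrict_admin_with_redirect() {
    global $pagenow; // Set by WordPress to the current admin script name.

    // Network super admins keep full access, as in the final code above.
    if ( current_user_can( 'manage_network' ) ) {
        return;
    }

    $scripts = array( 'widgets.php', 'themes.php', 'plugins.php', 'options-general.php' );
    $page    = isset( $_GET['page'] ) ? wp_unslash( $_GET['page'] ) : null;

    if ( cas_is_restricted_request( (string) $pagenow, $page, $scripts, array() ) ) {
        wp_safe_redirect( admin_url() );
        exit;
    }
}
add_action( 'admin_init', 'cas_restrict_admin_with_redirect' );
```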
