How to lockdown WordPress backend

Managing access to the WordPress backend area is one of the most critical aspects of website administration. Fortunately, WordPress core does a great job of controlling what users are authorized to do within the backend area through capabilities; however, sometimes you actually want to completely restrict access to the backend side of your website.

All registered users, including those at the lowest user level (Subscribers), have access to the WordPress backend side. This is the default WordPress behavior. The only thing that differentiates users is the list of assigned capabilities. Based on that list, an authenticated user either can or cannot see certain backend menus and perform actions such as editing or deleting posts, pages, etc.

With Advanced Access Manager you can easily lockdown (restrict) the backend area for any group of users (role) or for individual users in a few really simple steps, and they do not require any coding skills.

Create a custom capability access_dashboard

Go to the Capabilities tab and click on the + Create button. The pop-up form allows you to create a custom capability, so enter access_dashboard.

By default, a newly created custom capability is automatically assigned to the Administrator role; for all other roles you have to assign it explicitly.

Create Custom WordPress Capability

Assign access_dashboard capability to other roles if necessary

If you need to assign the access_dashboard capability to any other roles or even to individual users, simply switch to the desired role or user and make sure that this capability is checked. For example, if you want to grant access to the backend area for all editors, make sure that the Editor role has this capability checked; if access should be restricted for all subscribers, make sure the access_dashboard capability is unchecked for the Subscriber role.

Redefine login redirect

By default, when a user is authenticated successfully, he or she is redirected to the backend area. You might want to redefine this behavior; for more information about login and logout redirects, please refer to the How to redirect WordPress user on login and logout article.

Allow AJAX-calls if necessary

It is important to mention that the default WordPress AJAX calls go through the wp-admin/admin-ajax.php file, which technically means that all AJAX calls are handled by the backend area. That is why you have to explicitly tell AAM to ignore AJAX calls that come from the frontend side. To do so, create a new capability allow_ajax_calls and make sure it is checked for every role or user that does not have access to the backend area. Otherwise, any frontend features that use classic WordPress AJAX functionality may not work properly.
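The gating logic that the two capabilities express, written out as a small must-use plugin so you can see exactly what is being enforced. This is an added illustration, not AAM's own code; the capability names access_dashboard and allow_ajax_calls come from the article, while the role choices and the redirect target are assumptions:

```php
<?php
/**
 * Plugin Name: Backend Lockdown (illustrative)
 *
 * Added example reproducing, with plain WordPress API calls, the access
 * logic described above. Not AAM code. Capability names come from the
 * article; the roles provisioned and the redirect target are assumptions.
 */

// One-time provisioning: Editors keep the backend, Subscribers lose it
// but keep the AJAX exemption. Remove this hook after it has run once.
add_action( 'init', function () {
    $editor = get_role( 'editor' );
    if ( $editor ) {
        $editor->add_cap( 'access_dashboard' );
        $editor->add_cap( 'allow_ajax_calls' );
    }
    $subscriber = get_role( 'subscriber' );
    if ( $subscriber ) {
        $subscriber->remove_cap( 'access_dashboard' );
        $subscriber->add_cap( 'allow_ajax_calls' );
    }
} );

// Enforcement: admin_init fires for every wp-admin request, and
// admin-ajax.php triggers it explicitly as well.
add_action( 'admin_init', function () {
    // Anonymous visitors are already kept out of wp-admin by core
    // (login redirect); nopriv AJAX calls must keep working.
    if ( ! is_user_logged_in() ) {
        return;
    }
    // Administrators receive access_dashboard automatically when the
    // capability is created, so they are never blocked here.
    if ( current_user_can( 'access_dashboard' ) ) {
        return;
    }
    // Frontend AJAX passes only for roles carrying the exemption.
    if ( wp_doing_ajax() ) {
        if ( current_user_can( 'allow_ajax_calls' ) ) {
            return;
        }
        wp_send_json_error( 'Backend access restricted', 403 );
    }
    // Every other backend page request goes back to the frontend.
    wp_safe_redirect( home_url( '/' ) );
    exit;
} );
```

Drop the file into wp-content/mu-plugins/ to activate it; a Subscriber who opens /wp-admin/ is then sent to the home page while the theme's admin-ajax.php calls keep working.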

Conclusion

Completely restricting access to the WordPress backend area is the first step in mitigating potential security issues, and it also improves the user experience if you want to keep users on the frontend side of your WordPress website.

With AAM you have the ability to manage access to the backend side with just a couple of custom capabilities that you create on the Capabilities tab; there is no need to be a developer or to write any crazy PHP code. And what is cool about this is that it is completely free.
