
How to restrict access to any WordPress website URL

The ability to manage access to your WordPress website URLs was introduced in AAM version 5.6. Without the Plus Package extension, it is limited to managing access to literal URLs only.

It is difficult to know upfront what exactly a website administrator may want to restrict on a WordPress website from users or visitors. AAM already does a great job managing access to Backend Menu, Posts & Terms or API Routers, and that covers 80-90% of all possible use cases. However, to give you complete control over all areas of a WordPress website, we’ve introduced the URI Access feature. It allows you to manage access to any literal URI or wildcard URI that refers to either the frontend or backend areas of a WordPress website.

WordPress Restrict Website Area

Note! The wildcard * match works only with the Plus Package extension and means that you can specify a subset of URIs that will be restricted. For example, the URI /category/* means that AAM will restrict access to pages like /category/animals or /category/art. With the basic AAM version you can manage access only to literal URIs.

It is important to emphasize that AAM manages access to URIs with and/or without query ($_GET) parameters. An example of a URI without query parameters is /archive/2018. It means that when a user enters this exact URI in the browser (even with fake query parameters, e.g. /archive/2018?f=1), access will be denied. However, the URI /archive/2018/01/20 is considered a completely different URI and will not be restricted. That is why it is called literal.

An example of a URI with query parameters is /wp-admin/edit.php?post_type=page. This means that AAM will restrict access to the page /wp-admin/edit.php, BUT only if one of the query parameters is post_type and its value is page. That is why, if a user enters /wp-admin/edit.php?post_type=post, AAM will not restrict access, because the post_type value is not equal to page; however, if a user enters /wp-admin/edit.php?post_type=page&p=2, access will be denied. Also, the order of query parameters is irrelevant.
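The matching rules described above, written out as a small PHP model. This is an added example, not AAM's own code: `uri_rule_matches()` and its `$plusPackage` flag are hypothetical names, and exact, case-sensitive path comparison is an assumption. Running the URIs quoted in this article through it shows which requests a rule covers and which it does not, such as child paths of a literal rule.

```php
<?php
// Model of the URI matching rules described in this article (not AAM's code).
// Assumption: paths are compared exactly and case-sensitively.
function uri_rule_matches(string $rule, string $request, bool $plusPackage = false): bool
{
    $rulePath = (string) parse_url($rule, PHP_URL_PATH);
    $reqPath  = (string) parse_url($request, PHP_URL_PATH);

    if ($plusPackage && strpos($rulePath, '*') !== false) {
        // Wildcard rule (Plus Package): "*" stands for any run of characters.
        $regex = '#^' . str_replace('\*', '.*', preg_quote($rulePath, '#')) . '$#';
        if (preg_match($regex, $reqPath) !== 1) {
            return false;
        }
    } elseif ($rulePath !== $reqPath) {
        return false; // literal rule: a longer or shorter path is a different URI
    }

    // Each query parameter named in the rule must be present with the same
    // value; extra parameters and parameter order do not matter.
    parse_str((string) parse_url($rule, PHP_URL_QUERY), $ruleQuery);
    parse_str((string) parse_url($request, PHP_URL_QUERY), $reqQuery);
    foreach ($ruleQuery as $name => $value) {
        if (!array_key_exists($name, $reqQuery) || $reqQuery[$name] !== $value) {
            return false;
        }
    }
    return true;
}

// Constructed cases built from the URIs quoted in the article:
// [rule, requested URI, Plus Package enabled?]
$cases = [
    ['/archive/2018', '/archive/2018?f=1', false],
    ['/archive/2018', '/archive/2018/01/20', false],
    ['/wp-admin/edit.php?post_type=page', '/wp-admin/edit.php?post_type=post', false],
    ['/wp-admin/edit.php?post_type=page', '/wp-admin/edit.php?p=2&post_type=page', false],
    ['/category/*', '/category/animals', true],
    ['/category/*', '/category/animals', false],
];
foreach ($cases as [$rule, $request, $plus]) {
    $hit = uri_rule_matches($rule, $request, $plus);
    printf("%-34s %-38s %s\n", $rule, $request, $hit ? 'restricted' : 'not restricted');
}
```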

Oh, you might be confused about why in some instances I’m using URL while in others URI. The main difference between them is that a URL is the absolute path to the website resource, while a URI is relative (without the HTTP scheme and domain name).

Last but not least, just restricting access to a website page is only half of the job. AAM also takes into consideration what should happen when access is denied, so you have the option to define exactly how to redirect the user when access is restricted.

WordPress Access Denied Redirect Rule

AAM gives you 6 different options. For example, you can define a custom HTML message, redirect to an existing page, show an “Access Denied” message or even invoke a custom callback function. All the options are self-explanatory, and with no effort you can figure out the right option for your specific needs.

Keep in mind! The URL that you restrict has to point to a page that is rendered by WordPress core functionality or by a third-party application that loads WordPress core. The URI Access feature will not work with static HTML pages or embedded third-party applications that do not load WordPress core.

Conclusion

The URI Access feature allows you to manage direct access to either literal or wildcard URLs on a WordPress website for any role, individual user or visitors, or even to define default access for everybody to any page. Additionally, it allows you to define how to redirect the user when access is denied, which definitely helps to improve user experience.