How to lock down the WordPress backend

Managing access to the WordPress backend area is one of the most critical aspects of website administration. WordPress core does a great job of controlling, through capabilities, what users are authorized to do within the backend area; however, sometimes you want to restrict access to the backend side of your website completely.

All registered users, including the lowest user-level Subscribers, have access to the WordPress backend side. This is the default WordPress behavior. The only thing that differentiates users is the list of assigned capabilities. Based on that list, authenticated users either can or cannot see certain backend menus and perform actions such as editing or deleting posts, pages, etc.

With Advanced Access Manager you can easily lock down (restrict) the backend area for any group of users (role) or for individual users in a few simple steps that do not require any coding skills.

Create a custom capability aam_access_dashboard

Go to the Capabilities tab and click the + Create button. The pop-up form allows you to create a custom capability, so enter aam_access_dashboard.

Make sure that “Also assign this capability to me” is checked. Otherwise, you risk losing access to the backend yourself.

Assign aam_access_dashboard capability to other roles or users

If you need to assign the aam_access_dashboard capability to other roles or to individual users, simply switch to the desired role or user and make sure that this capability is checked. For example, if you want to grant access to the backend area for all editors, make sure that the Editor role has this capability checked; if access should be restricted for all subscribers, make sure the aam_access_dashboard capability is unchecked for the Subscriber role.

Redefine login redirect

By default, when a user is authenticated successfully, he or she is redirected to the backend area. You might want to redefine this behavior; for more information about login and logout redirects, please refer to the How to redirect WordPress user on login and logout article.
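
To confirm the result of the steps above, the following added example (not part of AAM or of the original article) uses WP-CLI to report which roles hold aam_access_dashboard and whether a given account still has it. It assumes WP-CLI is installed and run from the WordPress root, and that the capability is stored in WordPress's standard role and user data, which is what `wp cap list` and `wp user list-caps` read.

```shell
#!/bin/sh
# Added example: audit who holds the backend-access capability.
# Assumption: "wp" (WP-CLI) is on PATH and the current directory is the
# WordPress root of the site being checked.

CAP="aam_access_dashboard"

# Print one line per role:
#   <role><TAB>backend-allowed   role has the capability
#   <role><TAB>backend-locked    role does not have the capability
audit_backend_cap() {
    for role in $(wp role list --field=role); do
        # -x matches the whole line and -F treats the name literally, so a
        # longer capability that merely contains the name is not a false hit.
        if wp cap list "$role" | grep -qxF "$CAP"; then
            printf '%s\tbackend-allowed\n' "$role"
        else
            printf '%s\tbackend-locked\n' "$role"
        fi
    done
}

# Lockout check for a single account (login, email or ID).
# Returns 0 only if the account still has the capability, whether it comes
# from one of its roles or was assigned to the user directly.
user_keeps_backend() {
    wp user list-caps "$1" | grep -qxF "$CAP"
}
```

Source the file, run `audit_backend_cap` to review every role, and run `user_keeps_backend <your-login>` for your own administrator account before logging out.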


Completely restricting access to the WordPress backend area is the first step to mitigate any potential security issues, as well as to improve user experience if you want to keep users on the frontend side of your WordPress website.

With AAM you have the ability to manage access to the backend side with a single custom capability that you can create on the Capabilities tab. No need to be a developer or write any crazy PHP code. And what is cool about this is that it is completely free.
