The WordPress backend is the part of the website that is available only to authenticated users. By default, every registered user can access it, and the set of actions available to a user depends on that user's capabilities. For more information about capabilities, check the Capabilities article.
WordPress has no native way to keep a registered user out of the backend. Check the How to lockdown WordPress backend article to learn how to restrict access to the backend with the AAM plugin.
The WordPress backend is divided into pages that are either WordPress core pages, like Media Library, Plugins, Tools or Themes, or custom pages that are registered and rendered by third-party plugins or themes.
Each backend page has a unique URL that points to a specific PHP file. For example, Media Library points to /wp-admin/upload.php and Users to /wp-admin/users.php. However, there are three exceptions:
- Posts, Pages and Custom Post Types (CPTs) point to the same PHP file, /wp-admin/edit.php. The only difference is the post_type parameter (absent for posts, page for pages, the CPT name for everything else);
- All taxonomies, like categories or tags, point to /wp-admin/edit-tags.php with a unique taxonomy parameter;
- Custom pages that are registered and rendered by third-party plugins or themes point to /wp-admin/admin.php with a unique page parameter. A custom page registered as a submenu of a core page is served through that parent's file instead, for example /wp-admin/tools.php?page=<slug>, still with the unique page parameter;
The list of all backend pages is organized as the backend menu, rendered on the left side of the backend interface. Some menus have submenus. Additionally, some backend pages are linked from the top admin bar.
Every page has a capability assigned to it. If the user has that capability, access to the page is granted; otherwise access is denied and the link to the page is removed from the backend menu.
The easiest way to find out which capability is assigned to a page is to open the AAM page and, on the Admin Menu tab, look right next to the page name, where the page capability is shown. For example, in order for a user to have access to the All Posts page, they must have the edit_posts capability.
There are two ways to restrict access to a backend page. The easiest is to use the AAM plugin and simply check whichever menu or submenu has to be restricted. For more information about managing access to the Admin menu, check the How to manage WordPress backend menu article.
The other way is to make sure the user does not have the required capability. Keep in mind, however, that the same capability may be used by other menus or submenus. For example, the All Posts and Add New pages both use the edit_posts capability, so removing it takes away both pages at once. Simply removing a link from the menu is not a restriction: the page's URL still loads for anyone who holds the capability it was registered with.
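The following mu-plugin is an added example for this article; it is not AAM's code and not part of the original page. It shows where the capability displayed next to each page on the Admin Menu tab comes from (element [1] of WordPress's global $menu and $submenu arrays), gives a helper that lists every menu and submenu item sharing a capability before you take that capability away, and contrasts a cosmetic remove_menu_page() call with a real capability check on the request. The choice of tools.php as the page to lock to manage_options and the use of error_log() as the audit output are assumptions made for the example.

```php
<?php
/**
 * Plugin Name: Backend Menu Capability Audit (added example)
 * Drop into wp-content/mu-plugins/ on a stock WordPress install to activate.
 */

/**
 * Returns every menu/submenu slug that is registered with the given capability.
 * Use it before removing a capability from a role: every slug returned here
 * disappears for that role, not just the one page you had in mind.
 * Only meaningful once 'admin_menu' has fired (the arrays are built in wp-admin).
 */
function example_pages_requiring_cap( $cap ) {
    global $menu, $submenu;
    $hits = array();

    foreach ( (array) $menu as $item ) {
        // $menu entry layout: [0] title, [1] capability, [2] slug, [4] css classes
        if ( ! empty( $item[2] ) && isset( $item[1] ) && $item[1] === $cap ) {
            $hits[] = $item[2];
        }
    }
    foreach ( (array) $submenu as $parent => $items ) {
        foreach ( $items as $sub ) {
            // $submenu entry layout: [0] title, [1] capability, [2] slug
            if ( isset( $sub[1] ) && $sub[1] === $cap ) {
                $hits[] = $parent . ' > ' . $sub[2];
            }
        }
    }
    return $hits;
}

// 1. Audit: log every registered backend page with its capability. Very late
//    priority so pages added by plugins and themes are already present.
add_action( 'admin_menu', function () {
    global $menu, $submenu;

    if ( ! current_user_can( 'manage_options' ) ) {
        return; // audit output is for administrators only
    }
    foreach ( (array) $menu as $item ) {
        if ( empty( $item[2] ) || 'wp-menu-separator' === $item[4] ) {
            continue; // skip separators
        }
        error_log( sprintf( 'menu: %s => %s (cap: %s)', wp_strip_all_tags( $item[0] ), $item[2], $item[1] ) );
        foreach ( $submenu[ $item[2] ] ?? array() as $sub ) {
            error_log( sprintf( '  submenu: %s => %s (cap: %s)', wp_strip_all_tags( $sub[0] ), $sub[2], $sub[1] ) );
        }
    }
    // e.g. "edit_posts is used by: edit.php, tools.php, edit.php > post-new.php, ..."
    error_log( 'edit_posts is used by: ' . implode( ', ', example_pages_requiring_cap( 'edit_posts' ) ) );
}, PHP_INT_MAX );

// 2. Hiding is not restricting. This drops the Tools link from the menu for
//    non-administrators, but /wp-admin/tools.php still loads when typed directly:
//    core registers it with edit_posts, and once the entry is gone from $menu
//    WordPress's own user_can_access_admin_page() has nothing left to check.
add_action( 'admin_menu', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        remove_menu_page( 'tools.php' ); // cosmetic only
    }
}, 999 );

// 3. Enforcing: deny the request itself. $pagenow holds the current admin file;
//    wp_die() with 403 is what core does on a failed capability check.
add_action( 'admin_init', function () {
    global $pagenow;
    if ( 'tools.php' === $pagenow && ! current_user_can( 'manage_options' ) ) {
        wp_die( __( 'Sorry, you are not allowed to access this page.' ), 403 );
    }
} );

// 4. The article's second method: take the capability away from the role.
//    Role changes are written to the database, so call this once (for example
//    from an activation hook), not on every request. Check the audit log first:
//    removing edit_posts from authors also removes All Posts and Add New.
function example_strip_edit_posts_from_authors() {
    $role = get_role( 'author' );
    if ( $role ) {
        $role->remove_cap( 'edit_posts' );
    }
}
```

Step 3 keys on $pagenow rather than on the menu entry, so it holds even after step 2 has removed the entry; the two together give the behaviour the article describes for AAM's menu restriction (link gone, request denied), whereas step 2 alone only hides the link.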
There is a significant difference between managing access to a backend page and managing access to specific parts of that page. Most of the time there is no easy way to manage access to parts of a page, because the code that renders the page is typically "monolithic": it either renders the entire page or does not render it at all. Whether anything finer is possible depends on how the code is organized.
If you need to give other users access to the AAM page but would like to restrict some of its features, please refer to the How to manage access to AAM page for other users article.
Metaboxes and widgets are parts of the backend designed to do very specific tasks. You can find metaboxes on the edit post, page and custom post type pages. For example, Publish, Categories and Custom Fields are metaboxes.
Some metaboxes are conditional and are displayed only when a certain condition is met. For example, the Revisions metabox is shown only when the post already has at least two revisions.
Any plugin or theme can register its own metabox. For example, AAM adds the Access Manager metabox to every edit post, page, custom post type and edit taxonomy page.
It is important to remember that it is very hard to manage a metabox's content. That is why, in most cases, you can only hide or show the entire metabox.
Widgets are very similar to metaboxes, with the one exception that they are displayed only on the Dashboard Home page. For example, Quick Draft, At a Glance and WordPress News are widgets. Any plugin or theme can register its own dashboard widget.
Metaboxes and widgets do not have a capability assigned to them, which is why the only way to manage access to them is to filter them out. You can do this with the AAM plugin on the Metaboxes & Widgets tab for any role or individual user. Keep in mind that filtering a metabox out removes its form from the page, not the code that saves what the form submits; a user who can reach that data another way (a direct form submission or the REST API, for instance) is not stopped by the missing box.
Please remember! Some metaboxes are conditional and may not be listed on the Metaboxes & Widgets tab. This is because, by default, AAM collects all registered metaboxes on the Add New (post, page or custom post type) pages, where a conditional metabox such as Revisions is never registered. However, you can manually reinitialize the list of metaboxes by clicking the Init URL button.
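The following mu-plugin is an added example for this section; it is not AAM's code and not part of the original page. It does what the Metaboxes & Widgets tab does in plain WordPress hooks: filtering metaboxes out on add_meta_boxes and dashboard widgets on wp_dashboard_setup for everyone below administrator, including a conditional box (Revisions) that is simply absent on an Add New page. It then shows why that is a display setting only and what the server-side counterpart looks like: a post meta key registered with an auth_callback, which WordPress consults for the edit_post_meta capability both when edit_post() saves the Custom Fields form and when the REST API writes the key. The metabox and widget ids are core's; the meta key example_internal_note and the administrator-only rule are assumptions made for the example.

```php
<?php
/**
 * Plugin Name: Metabox and Widget Filter (added example)
 * Drop into wp-content/mu-plugins/ on a stock WordPress install to activate.
 */

// Metaboxes: core and plugin boxes are registered before 'add_meta_boxes' fires,
// so a late callback here sees all of them. There is no per-metabox capability
// to check, so removal is the only lever.
add_action( 'add_meta_boxes', function ( $post_type ) {
    if ( current_user_can( 'manage_options' ) ) {
        return; // administrators keep every box
    }
    // Core ids: 'postcustom' = Custom Fields, 'revisionsdiv' = Revisions.
    remove_meta_box( 'postcustom', $post_type, 'normal' );
    // Revisions is conditional: core registers it only when the post already
    // has at least two revisions, so on an Add New page this finds nothing.
    remove_meta_box( 'revisionsdiv', $post_type, 'normal' );
}, 100 );

// Dashboard widgets are metaboxes on the 'dashboard' screen; filter them the same way.
add_action( 'wp_dashboard_setup', function () {
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }
    remove_meta_box( 'dashboard_quick_press', 'dashboard', 'side' );   // Quick Draft
    remove_meta_box( 'dashboard_primary', 'dashboard', 'side' );       // WordPress News
    remove_meta_box( 'dashboard_right_now', 'dashboard', 'normal' );   // At a Glance
}, 100 );

// Hiding the Custom Fields box removes the form, not the code that saves meta.
// edit_post() still processes submitted meta fields and the REST API still
// exposes any key registered with show_in_rest; both are gated by the
// edit_post_meta capability, which is where auth_callback plugs in.
// 'example_internal_note' is an assumed key for this example.
add_action( 'init', function () {
    register_meta( 'post', 'example_internal_note', array(
        'type'          => 'string',
        'single'        => true,
        'show_in_rest'  => true,
        // Runs for every write to this key, whichever route the request took.
        'auth_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

The first two hooks reproduce the visible effect of unchecking a box on the Metaboxes & Widgets tab. The third is the part no metabox setting provides: without it, a user who loses the Custom Fields box but keeps the edit_post capability for a post can still write the key through any request that reaches edit_post() or the REST endpoint.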
Finally, when you think about restricting access to your backend, you might also consider defining an access denied redirect. For more information about this, please check the How to redirect WordPress user when access is denied article.
You can also check the AAM User Activity extension, which allows you to track all user activities, including the events when access to a restricted area was denied.