Remove access to your WordPress admin and secure your website
By arthur-and-ashes,
Published on June 9, 2020
To keep attackers from finding your administration pages, remove access to them for every user who is not allowed to edit them. Here are some rules to secure a WordPress website, from access to the admin pages to the admin bar… This matters most if you allow new users to register.
Here we will add PHP functions and change a few settings, without any plugin. To keep the site secure, install only the very few plugins that are truly essential: each one is extra code that may carry its own security flaws or conflict with another plugin.
Set the role of new users
First, a few general settings to allow or prevent the registration of new users. If you let people register and create an account on your website, it is well worth authenticating those users before they interact with it (comments, votes, messages to other users…).
- Activate the option: Settings > General > Membership: Anyone can register.
- Choose the role given to these new users (Settings > General > New User Default Role). I suggest Subscriber, Contributor or Author; Subscriber is the safest default, since a Contributor can already write posts and an Author can also publish them and upload files. By default each role gets access to different settings and views, so consult this official page on wordpress.org to check the roles and capabilities of these users.
Block your admin pages for specific user roles
By default, every logged-in user can reach the back-office of your WordPress website, whatever their role: even a Subscriber lands on the dashboard and their profile page. This can be changed by adding a small function to the functions.php file of your current theme:
```php
// Disable access to wp-admin for non-administrators.
function block_wp_admin_access() {
	// is_admin() is also true for admin-ajax.php, which logged-in users may
	// call from the front end, so AJAX requests are deliberately left alone.
	if ( is_admin() && ! current_user_can( 'administrator' ) && ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
		wp_redirect( home_url() );
		exit;
	}
}
add_action( 'init', 'block_wp_admin_access' );
```
With this in place, any user who is not an administrator (editor, author, contributor or subscriber) who tries to open an admin page is sent back to the home page. To let another role in, add its check to the condition, for example && !current_user_can('editor'): the redirect then only applies to users who are neither administrators nor editors.
However, your users can still find links to the admin pages in the admin bar. So the next step removes the admin bar for all users except administrators.
Remove the admin bar for registered users
To remove the admin bar for everyone except administrators, add this function to functions.php and hook it so that it actually runs:
```php
// Hide the admin bar on the front end for everyone except administrators.
function remove_admin_bar() {
	if ( ! current_user_can( 'administrator' ) && ! is_admin() ) {
		show_admin_bar( false );
	}
}
// Without this hook the function is never called; after_setup_theme fires
// before the bar is built, so the setting is applied in time.
add_action( 'after_setup_theme', 'remove_admin_bar' );
```
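Putting the three steps together (default role for self-registration, wp-admin lockout, admin bar), here is an added example of my own, not code from the original article, written as one capability-based lockdown. It can go in functions.php as above, but I would rather put it in wp-content/mu-plugins/ so it survives a theme switch. The aa_* function names and the AA_ADMIN_CAP constant are this example's own choices, not WordPress APIs; everything else (the option_default_role and show_admin_bar filters, wp_doing_ajax(), wp_safe_redirect(), $GLOBALS['pagenow']) is standard WordPress.

```php
<?php
/**
 * Added example, not from the original article: the same three controls as
 * a single capability-based lockdown. Place it in functions.php or, better,
 * in wp-content/mu-plugins/admin-lockdown.php. The aa_* names and
 * AA_ADMIN_CAP are assumptions of this example, not WordPress APIs.
 */

// Capability that grants back-office access. On a default install only
// Administrators hold 'manage_options'. To let Editors in as well (the
// article's "&& !current_user_can('editor')" variant) use 'edit_others_posts',
// which Editors have and Authors do not. A capability is safer than the role
// name: a custom role that was deliberately given the capability still works.
if ( ! defined( 'AA_ADMIN_CAP' ) ) {
	define( 'AA_ADMIN_CAP', 'manage_options' );
}

/**
 * Clamp the "New User Default Role" option on every read, so a value changed
 * through the settings screen (by mistake, or by a hijacked admin session)
 * cannot hand new registrants more than the allow-list permits. Author is
 * left out on purpose: Authors can publish and upload files.
 */
function aa_clamp_default_role( $role ) {
	$allowed = array( 'subscriber', 'contributor' );
	return in_array( $role, $allowed, true ) ? $role : 'subscriber';
}
add_filter( 'option_default_role', 'aa_clamp_default_role' );

/**
 * Send logged-in users without AA_ADMIN_CAP away from wp-admin.
 */
function aa_block_wp_admin_access() {
	// is_admin() is also true for admin-ajax.php and admin-post.php, which
	// front-end forms and AJAX for logged-in users rely on, and for WP-Cron;
	// those requests must be left alone or such features break silently.
	if ( ! is_admin() || wp_doing_ajax() || wp_doing_cron() ) {
		return;
	}
	if ( isset( $GLOBALS['pagenow'] ) && 'admin-post.php' === $GLOBALS['pagenow'] ) {
		return;
	}
	// Logged-out visitors are handled by WordPress itself: auth_redirect()
	// sends them to wp-login.php. Only logged-in users are re-routed here.
	if ( ! is_user_logged_in() || current_user_can( AA_ADMIN_CAP ) ) {
		return;
	}
	// wp_safe_redirect() refuses off-site targets; home_url() is on-site, so
	// this is simply a stricter choice than wp_redirect().
	wp_safe_redirect( home_url( '/' ), 302 );
	exit;
}
add_action( 'init', 'aa_block_wp_admin_access' );

/**
 * Hide the admin bar (and its wp-admin links) from everyone who cannot reach
 * wp-admin. Filtering show_admin_bar instead of calling show_admin_bar()
 * keeps the per-user "Show Toolbar" preference working for those who can.
 */
function aa_filter_admin_bar( $show ) {
	return $show && current_user_can( AA_ADMIN_CAP );
}
add_filter( 'show_admin_bar', 'aa_filter_admin_bar' );
```

After adding it, check it from a second browser: log in with a Subscriber account and open /wp-admin/ (you should land on the home page with no admin bar), then log out and open /wp-admin/ again (you should get the normal login form, not the home page). If a plugin's front-end feature stops working for logged-in users, it is almost always because it posts to admin-ajax.php or admin-post.php, which is exactly why those two are excluded above.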