• I want to Block all access to Wp-Admin and Wp-Login.php Pages from all members who are not site Admins.

    And I don’t want to use any plugin for this.

    The flow is that, even if people deliberately type “mydomain.com/wp-admin” or they deliberately type “mydomain.com/wp-login.php”, it should immediately and instantly redirect them to the Login or Register Pages that I have created, and they should never see the “wp-admin” or “wp-login.php” Page.

    I have this Code:

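    // Redirect the WP login URL to a custom login page
    add_filter( 'login_url', 'my_login_page', 10, 3 );
    function my_login_page( $login_url, $redirect, $force_reauth ) {
        // Encode the target so its own query string cannot break or extend this URL
        return home_url( '/my-login-page/?redirect_to=' . rawurlencode( $redirect ) );
    }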

    It works in a way that, if you try to access “mydomain.com/wp-admin”, it functions well and redirects you to my specified Login Page.

    But if you deliberately type “mydomain.com/wp-login.php”, it still loads the wp-login.php Page.

    This means that my code is still insufficient to block access to Wp-Admin and Wp-Login.php Pages.

    Then I applied this second code:

    function custom_login_redirect() {
        // Check if the current URL contains "/wp-admin" or "/wp-login.php"
        if (strpos($_SERVER['REQUEST_URI'], '/wp-admin') !== false || strpos($_SERVER['REQUEST_URI'], '/wp-login.php') !== false) {
            // Redirect to your custom login or registration page
            wp_redirect(home_url('/your-custom-login-page')); // Replace with the actual URL of your custom login page
            exit();
        }
    }
    add_action('init', 'custom_login_redirect');

    This code works. But it works in a very terrible way.

    I am logged in, before I inserted the code. The page slug I want users directed to, is the “my-account” Page.

    When I click Logout, it doesn’t log me out. It continues to keep me fixed and Logged in, inside the “My-Account” Page.

    2.) When I first inserted it through functions.php, it told me that it couldn’t find a way to check with server.

    See the message and error report here— https://prnt.sc/NRJy0NgPtZWz

    From all indications, it is clear that I have 2 Code snippets, but they don’t function well.

    Please, anyone with a better PHP Code Snippet that can help me totally block all access to wp-admin and wp-login.php together?

    Regards.

Viewing 9 replies - 1 through 9 (of 9 total)
  • Hi @gamicord

    You could try the following:

    function restrict_wp_admin() {
        if (!current_user_can('administrator') && !is_admin()) {
            wp_redirect(home_url());
            exit;
        }
    }
    add_action('admin_init', 'restrict_wp_admin');
    
    function restrict_wp_login() {
        if (strpos($_SERVER['REQUEST_URI'], 'wp-login.php') !== false && !is_user_logged_in()) {
            wp_redirect(home_url());
            exit;
        }
    }
    add_action('init', 'restrict_wp_login');
    
    • It checks if the current user is not an administrator (current_user_can('administrator')) and if the user is not on an admin page (!is_admin()). If both conditions are met, it redirects the user to the home page (wp_redirect(home_url())) and exits.
    • It checks if the request URI contains ‘wp-login.php’ (strpos($_SERVER['REQUEST_URI'], 'wp-login.php') !== false) and if the user is not logged in (!is_user_logged_in()). If both conditions are met, it redirects the user to the home page and exits.

    This PHP snippet restricts access to the admin area for non-administrative users by checking their user role and the page they are trying to access. If they do not have the ‘administrator’ role and are not on an admin page, they are redirected.

    Thread Starter gamicord

    (@gamicord)

    @west7

    Oh my goodness, your code is a superstar. It worked awesomely and powerfully well.

    Now, I just need a small modification to the Code:

    What I want now is that, instead of returning the people to the Homepage or Home URL, it should send them to the “My-Account” page, with a URL that has the slug of “mydomain.com/my-account” or “home/my-account”.

    How do I modify the code, so that it sends users who are attempting to access Wp-Admin and Wp-login.php to the “My-Account” Page with the slug “mydomain.com/my-account” rather than sending them to the Homepage?

    I believe you agree with me, that people who want to access the Wp-Admin and Wp-login.php Pages, are actually people who want to Login or Register.

    So it makes sense to actually send them to the Login or Sign Up Page.

    What modifications do I need to add to the code to make this flow possible?

    Regards.

    function restrict_wp_admin() {
        if (!current_user_can('administrator') && !is_admin()) {
            wp_redirect(home_url('/my-account')); // Change 'my-account' to the desired slug
            exit;
        }
    }
    add_action('admin_init', 'restrict_wp_admin');
    
    function restrict_wp_login() {
        if (strpos($_SERVER['REQUEST_URI'], 'wp-login.php') !== false && !is_user_logged_in()) {
            wp_redirect(home_url('/my-account')); // Change 'my-account' to the desired slug
            exit;
        }
    }
    add_action('init', 'restrict_wp_login');
    

    In this modified code, I’ve replaced home_url() with home_url('/my-account'), where ‘/my-account’ is the slug of the “My Account” page you want non-administrative users to be redirected to. Adjust the slug to match the actual URL of your “My Account” page.

    Hope this works?

    Thread Starter gamicord

    (@gamicord)

    The code works like fire. Thanks.

    Really 100% appreciate.

    Awesome! You are welcome to mark this thread as resolved.

    All the best!

    Thread Starter gamicord

    (@gamicord)

    Thread marked as “resolved”.

    Thanks.

    Hi folks, I hope you all don’t mind me adding something here.

    I wanted to note that the current_user_can check should be using one of the Administrator level capabilities, instead of the administrator role.

    So instead of

    current_user_can( 'administrator' )

    It should be something like

    current_user_can( 'manage_options' )

    Currently with the code as it is, the current_user_can( 'administrator' ) check will always return false, unless that specific capability is being added by something else.

    I would also add that this code should be tested on both a non-admin user account and an admin user account, to ensure that it works for both scenarios.

    Thank you @psykro for your help!

  • The topic ‘Totally block all access to Wp-Admin and Wp-Login.php Pages from non admins’ is closed to new replies.
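
A consolidated variant of the snippets in this thread, added here as an example (not code posted by any participant): it checks the `manage_options` capability suggested in the last reply, lets `admin-ajax.php` requests and the logout action through so that logging out keeps working, and hooks `login_init` instead of matching `REQUEST_URI`. The `myprefix_` function names are hypothetical, the `/my-account/` slug is the one used in the thread, and the example assumes that page handles sign-in itself.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical;
// '/my-account/' is the slug used in the thread.

/**
 * True when the visitor may use the dashboard and the core login screen.
 * Checks a capability (as suggested in the thread) rather than a role name.
 */
function myprefix_is_site_admin() {
    return is_user_logged_in() && current_user_can( 'manage_options' );
}

/**
 * Keep non-admins out of /wp-admin/.
 * admin_init also fires for admin-ajax.php, which front-end features call
 * for ordinary users, so AJAX requests are let through.
 */
function myprefix_restrict_wp_admin() {
    if ( wp_doing_ajax() || myprefix_is_site_admin() ) {
        return;
    }
    wp_safe_redirect( home_url( '/my-account/' ) );
    exit;
}
add_action( 'admin_init', 'myprefix_restrict_wp_admin' );

/**
 * Keep non-admins off wp-login.php.
 * login_init runs only on that file, so no REQUEST_URI matching is needed.
 */
function myprefix_restrict_wp_login() {
    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : 'login';

    // Assumption: logout is the only wp-login.php action that must keep working.
    $allowed = array( 'logout' );

    if ( in_array( $action, $allowed, true ) || myprefix_is_site_admin() ) {
        return;
    }
    wp_safe_redirect( home_url( '/my-account/' ) );
    exit;
}
add_action( 'login_init', 'myprefix_restrict_wp_login' );
```

As noted in the thread, test this with both an admin and a non-admin account; because logged-out visitors are also redirected away from wp-login.php, administrators must be able to sign in through the custom page.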