How to Restrict Access to all wp-admin pages for subscriber users

Here is a summary of the problem and required solution:

  • Access to mywebsite.com/wp-admin is blocked for subscribers [which is good]

  • However, if I enter the link manually in the browser as follows: https://mywebsite.com/wp-admin/user-edit.php?user_id=113 then the user has access to his user settings

  • Problem with that is that they can then create an API key (through the application passwords plugin, which is accessible from that page). This is undesirable as I don't want the users to have API keys where they can fetch/post data to the server.

  • Hence, I want to block access of subscribers to all wp-admin menus/plugin pages including this link https://mywebsite.com/wp-admin/user-edit.php?user_id=113

Any suggestions?


Hence, I want to block access of subscribers to all wp-admin menus/plugin pages including this link https://mywebsite.com/wp-admin/user-edit.php?user_id=113

This isn't a bulletproof solution, but it should work in that non-admin users would no longer be able to access any admin pages when they're logged in:

add_action( 'admin_init', function () {
    if ( wp_doing_ajax() || ! is_user_logged_in() ) {
        return;
    }

    $roles = (array) wp_get_current_user()->roles;
    if ( ! in_array( 'administrator', $roles ) ) { // allows only the Administrator role
        wp_die( 'Sorry, you are not allowed to access this page.' );
        // or you can redirect the user to somewhere, if you want to
    }
} );

But then, you might want to change the login and registration redirect URL so that it doesn't send the user to an admin page upon successful login/registration — see the documentation for login_redirect and registration_redirect.

Problem with that is that they can then create an API key (through application passwords plugin which is accessible from that page).

I can't help you with that plugin, but unless you're still using WordPress prior to v5.6.0, you should not need to use a plugin anymore because application passwords have been a core feature in WordPress since v5.6.0. And there's actually a hook named wp_is_application_passwords_available_for_user that you could use to disable the feature for certain users.

This is undesirable as I don't want the users to have API keys where they can fetch/post data to the server.

If so, and since you said in your comment, "The rest api is restricted for authenticated users", then how about using the rest_authentication_errors hook to ensure only Administrators are allowed to access the REST API?

Working example:

add_filter( 'rest_authentication_errors', function ( $errors ) {
    if ( ! is_wp_error( $errors ) ) { // do nothing if there's already an error
        if ( $can_access = is_user_logged_in() ) {
            $roles      = (array) wp_get_current_user()->roles;
            $can_access = in_array( 'administrator', $roles ); // allows only the Administrator role
        }

        if ( ! $can_access ) {
            return new WP_Error( 'user_not_allowed',
                'Sorry, you are not allowed to access the REST API.',
                array( 'status' => rest_authorization_required_code() )
            );
        }
    }

    return $errors;
} );
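The answer above names the wp_is_application_passwords_available_for_user filter but does not show it in use. The following is an added example (not code from the answer or from WordPress core) that restricts Application Passwords to the Administrator role; it assumes WordPress 5.6 or later and is meant to live in a must-use plugin or the theme's functions.php.

```php
<?php
/**
 * Allow Application Passwords only for users holding the 'administrator' role.
 *
 * WordPress core consults this filter both when it renders the
 * "Application Passwords" section on the profile/user-edit screen and in
 * the REST controller that creates new passwords, so non-admin users can
 * neither see the form nor create a password through the API.
 */
add_filter( 'wp_is_application_passwords_available_for_user', function ( $available, $user ) {
    // Keep any earlier decision to disable the feature (for example site-wide).
    if ( ! $available ) {
        return false;
    }

    // $user is the WP_User being checked; ->roles holds role slugs.
    $roles = (array) $user->roles;

    // Strict comparison so only an exact 'administrator' slug matches.
    return in_array( 'administrator', $roles, true );
}, 10, 2 );
```

Combined with the rest_authentication_errors filter shown above, this closes both paths the question describes: subscribers cannot create an application password, and any password that already exists does not grant them REST access.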
